Unbound + DNSCrypt configuration

dnscrypt-proxy

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=9053
DNSCRYPT_RESOLVERPORT=443
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver2.dnscrypt.eu
DNSCRYPT_PROVIDER_NAME2=2.dnscrypt-cert.resolver1.dnscrypt.eu
DNSCRYPT_PROVIDER_KEY=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955
DNSCRYPT_PROVIDER_KEY2=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
DNSCRYPT_RESOLVERIP=77.66.84.233
DNSCRYPT_RESOLVERIP2=176.56.237.171

forward.conf

local-zone: "home." static

local-data: "raspberry.home.	IN	A	192.168.0.253"
local-data: "router.home.	IN 	A	192.168.0.254"

reverse.conf

local-data-ptr: "192.168.0.253	raspberry.home."
local-data-ptr: "192.168.0.254	router.home."

unbound.conf

server:

    # Core cpu count
    num-threads: 2  

    # DNSSEC features
    
    # Updated via : unbound-anchor -v -a /etc/unbound/root.key
    auto-trust-anchor-file: "/etc/unbound/root.key"
    module-config: "validator iterator"
    # Downloaded via : wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/unbound/etc/root.hints
    root-hints: "/etc/unbound/root.hints"

    interface:  0.0.0.0
    port:       53      # port to answer queries from
    do-ip4:     yes     # Enable IPv4, "yes" or "no".
    do-ip6:     no      # Enable IPv6, "yes" or "no".
    do-udp:     yes     # Enable UDP, "yes" or "no".
    do-tcp:     yes

    # Hide unbound information
    hide-identity: yes
    hide-version: yes
    
    # If yes, Unbound rotates RRSet order in response. This is almost
    # same as Thijs Kinkhorst's implementation except that random number
    # source is query-id.
    rrset-roundrobin: yes
    
    # Time to live minimum for  RRsets  and  messages  in  the  cache.
    cache-min-ttl: 60
    
    # If yes, Unbound doesn't insert authority/additional sections into
    # response message when those sections are not required [1]. This is
    # similar to BIND9's minimal-responses or Google Public DNS
    # behavior.
    minimal-responses: no
    
    # Use  0x20-encoded  random  bits  in  the  query  to  foil  spoof
    # attempts.   This  perturbs  the lowercase and uppercase of query
    # names sent to authority servers and checks if  the  reply  still
    # has  the  correct casing.  Disabled by default.  This feature is
    # an experimental implementation of draft dns-0x20.
    use-caps-for-id: yes
    
    # If yes, message cache elements are prefetched before they expire
    # to  keep  the  cache  up to date.
    prefetch: yes
    
    # If  yes,  fetch  the  DNSKEYs earlier in the validation process,
    # when a DS record is encountered.
    prefetch-key: yes

    # ACL
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Enforce privacy 
    private-address: 192.168.0.0/24

    # Local zone definition
    private-domain: "home."
    include: /etc/unbound/forward.conf
    include: /etc/unbound/reverse.conf

    # You need this as no for dnscrypt-proxy to work
    do-not-query-localhost: no
    
# Disable remote control
remote-control:
    control-enable: no

# Forward all queries to specified servers
forward-zone:
    name: "."
    # CryptDNS
    # forward-addr: 127.0.0.1@9053
    # OpenDNS
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220