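# Unbound configuration: loopback-only resolver that validates DNSSEC and
# forwards every query upstream over DNS-over-TLS (DoT).
#
# One directive per line is required: "#" starts a comment that runs to the
# end of the line, so a file collapsed onto a single line would load as an
# empty "server:" clause.
server:
    # Provide unencrypted DNS services on port 53 (loopback addresses only).
    interface: 127.0.0.1@53
    interface: ::1@53
    port: 53

    # Provide TLS-protected DNS services on port 853.
    # NOTE: This is generally not needed for local use. If no client speaks
    # DoT to this resolver, remove the tls-service-*, @853 interface and
    # tls-port lines so the resolver does not depend on the private key.
    # The key file should be readable only by root and the account that
    # unbound runs as.
    tls-service-key: "/etc/pki/tls/private/privkey.pem"
    tls-service-pem: "/etc/pki/tls/certs/fullchain.pem"
    interface: 127.0.0.1@853
    interface: ::1@853
    tls-port: 853

    # Support IPv4 and IPv6, over both UDP and TCP.
    # do-tcp must stay enabled: the DoT connections to the forwarders below
    # run over TCP.
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Only allow access from localhost. The most specific matching netblock
    # wins, so the loopback "allow" entries override the catch-all "refuse"
    # entries regardless of their order.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    # Enable DNSSEC validation. The root trust anchor in this file is tracked
    # with RFC 5011 updates, so the file must be writable by the account that
    # unbound runs as.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Certificate authorities needed to authenticate upstream servers.
    # Upstream certificates are verified against this bundle; without it the
    # forwarder connections are encrypted but not authenticated.
    tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

forward-zone:
    # Forward the root zone, i.e. every query, and use TLS for all of it.
    name: "."
    forward-tls-upstream: yes

    # Address format: <ip>@<port>#<tls-auth-name>. The name after "#" is what
    # the upstream certificate is checked against; keep it on every entry and
    # leave no space around "#", otherwise the rest of the line is read as a
    # comment and the name check is lost.
    #
    # All entries below share one pool, so queries are spread across three
    # operators and the answer follows whichever server replied. Their
    # policies differ (Quad9's 9.9.9.9 service blocks known-malicious domains,
    # Cloudflare's 1.1.1.1 does not), so keep a single provider if consistent
    # filtering or a smaller privacy footprint matters.
    # Confirm each address/name pair against the provider's documentation.

    # Cloudflare DNS.
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

    # NordVPN.
    forward-addr: 103.86.96.100@853#dns1.nordvpn.com
    forward-addr: 103.86.99.100@853#dns2.nordvpn.com

    # Quad9.
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net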