#
# /usr/local/etc/unbound/unbound.conf
# See unbound.conf(5)
#
# References
# ----------
# [1] Unbound setting up a secure local DNS server
#     https://superuser.com/a/1123357/731908
# [2] Unbound DNS Server Tutorial
#     https://calomel.org/unbound_dns.html
# [3] How to enable DNSSEC
#     https://www.unbound.net/documentation/howto_anchor.html
# [4] List of Public DNS Servers
#     https://wiki.ipfire.org/dns/public-servers
#
#
# Aaron LI
#

# NOTE:
# Configure `unbound` to be a recursive DNS resolver with local cache,
# instead of forwarding the queries to an upstream DNS resolver (e.g.,
# DNS.WATCH, Google Public DNS), in order to work well with the DNSBL
# services (e.g., spamhaus.org) used by Postfix.

server:
    # Specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # Specify 0.0.0.0 and ::0 to bind to all available interfaces.
    # The listen interfaces are not changed on reload, only on restart.
    interface: 127.0.0.1
    interface: ::1

    # Control which clients are allowed to make (recursive) queries
    # to this server.  Specify classless netblocks with /size and action.
    # By default everything is refused, except for localhost.
    #
    # Actions:
    #   * deny (drop message)
    #   * refuse (polite error reply)
    #   * allow (recursive ok)
    #   * allow_snoop (recursive and nonrecursive ok), e.g., "dig +trace";
    #     nonrecursive access exposes cache contents, so grant it only to
    #     trusted local clients
    #   * deny_non_local (drop queries unless can be answered from local-data)
    #   * refuse_non_local (like deny_non_local but polite error reply)
    #
    access-control: 127.0.0.0/8 allow_snoop
    access-control: ::1         allow_snoop

    # Chroot to the given directory.  Set to "" to disable chroot (this
    # drops the filesystem-isolation layer; when enabled, the file paths
    # below must be reachable inside the chroot).
    #chroot: "/usr/local/etc/unbound"
    chroot: ""

    # Enable or disable whether IPv4 queries are answered or issued.
    do-ip4: yes

    # Enable or disable whether IPv6 queries are answered or issued.
    do-ip6: yes

    # Enable or disable whether UDP queries are answered or issued.
    do-udp: yes

    # Enable or disable whether TCP queries are answered or issued.
    do-tcp: yes

    # Enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # Enable to not answer version.server and version.bind queries.
    hide-version: yes

    # Enable to not answer trustanchor.unbound queries.
    hide-trustanchor: yes

    # Harden against out of zone RRsets, to avoid spoofing attempts.
    harden-glue: yes

    # Harden against receiving dnssec-stripped data.  If you turn it
    # off, failing to validate dnskey data for a trustanchor will
    # trigger insecure mode for that zone (like without a trustanchor).
    # Default on, which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

    # Send the minimum amount of information to upstream servers to enhance
    # privacy.  Only send the minimum required labels of the QNAME and set
    # QTYPE to NS when possible.
    qname-minimisation: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This feature is an experimental implementation of draft dns-0x20.
    use-caps-for-id: yes

    # File to read root hints from.  Default is using the builtin hints
    # for the IN class, which may become outdated, so it is good practice
    # to use a root-hints file.
    # Get one from https://www.internic.net/domain/named.cache and keep
    # it updated.
    root-hints: "/usr/local/etc/unbound/root.hints"

    # File with trusted keys used to perform DNSSEC validation, and Unbound
    # must be able to read and write it, to keep it up to date with the
    # latest key(s).
    #
    # NOTE: the `unbound-anchor` tool provides an initial anchor from builtin
    #       values, but for real trust you should verify it thoroughly!
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

    # Verbosity level of the validator to log failed validations.
    # Default: 0 (i.e., off).  1: A line per failed user query.
    # 2: With reason and bad IP.
    val-log-level: 1

    # Verbosity level: 0 (least verbose) -> 5 (very verbose).
    # Default: 1 (operational info).
    verbosity: 1

    # Print statistics to the log (for every thread) every N seconds.
    # Default: 0 (i.e., disabled)
    statistics-interval: 7200

    # Log messages to syslog(3) with the LOG_DAEMON facility.
    # NOTE: need to also configure syslog when chroot'ed!
    use-syslog: yes
    #
    # Log messages to the specified file.
    #use-syslog: no
    #logfile: "/usr/local/etc/unbound/unbound.log"

# Remote control config section.
#
remote-control:
    # Enable remote control with unbound-control(8) here.
    control-enable: yes

    # Interfaces listened to for remote control.
    control-interface: 127.0.0.1
    control-interface: ::1

    # Server and unbound-control key and certificate files.
    # Set up the keys and certificates with unbound-control-setup.
    control-use-cert: yes
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"


# WARNING:
# It is a *bad* idea to use a public or shared DNS resolver (e.g., Google
# Public DNS, ISP's DNS) to query DNS-based Blocklists (DNSBLs, e.g.,
# spamhaus.org, spamcop.net; see also https://www.dnsbl.info/), because
# most if not all DNSBL providers apply a *rate limit* (or white/black list)
# based on the DNS resolver that is used to query their service!
#
# Credits:
# * Mailcow - Why unbound?
#   https://mailcow.github.io/mailcow-dockerized-docs/u_e-why_unbound/
# * Spamhaus - FAQ
#   https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
#
#forward-zone:
#    # Forward all queries not fulfilled by this server to the root
#    # domain (`.`).
#    #
#    # NOTE: Use DNSSEC-supported DNS servers from
#    #       https://wiki.ipfire.org/dns/public-servers
#    #
#    name: "."
#    forward-addr: 84.200.69.80                # DNS.WATCH (DE), primary
#    forward-addr: 2001:1608:10:25::1c04:b12f  # DNS.WATCH (DE), primary
#    forward-addr: 84.200.70.40                # DNS.WATCH (DE), secondary
#    forward-addr: 2001:1608:10:25::9249:d69b  # DNS.WATCH (DE), secondary
#    forward-addr: 8.8.8.8  # Google Public DNS (Anycast), primary
#    forward-addr: 8.8.4.4  # Google Public DNS (Anycast), secondary