timothymiller · December 6, 2019 16:18 · Dec 6, 2019
diff --git a/pi-hole.conf b/pi-hole.conf
@@ -0,0 +1,193 @@
+server:
+###########################################################################
+# LOGGING
+###########################################################################
+# Do not print log lines to inform about local zone actions
+log-local-actions: no
+# Do not print one line per query to the log
+log-queries: no
+# Do not print one line per reply to the log
+log-replies: no
+# Do not print log lines that say why queries return SERVFAIL to clients
+log-servfail: no
+# Further limit logging
+logfile: /dev/null
+# Only log errors
+verbosity: 0
+
+# Respond to DNS requests on all interfaces
+interface: 0.0.0.0
+port: 5353
+do-ip4: yes
+do-udp: yes
+do-tcp: yes
+
+# May be set to yes if you have IPv6 connectivity
+do-ip6: yes
+
+# Use this only when you downloaded the list of primary root servers!
+# root-hints: "/var/lib/unbound/root.hints"
+
+access-control: 0.0.0.0/0 allow
+
+# Trust glue only if it is within the servers authority
+harden-glue: yes
+
+# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+harden-dnssec-stripped: yes
+
+# Ignore very large queries.
+harden-large-queries: yes
+# Perform additional queries for infrastructure data to harden the referral
+# path. Validates the replies if trust anchors are configured and the zones
+# are signed. This enforces DNSSEC validation on nameserver NS sets and the
+# nameserver addresses that are encountered on the referral path to the 
+# answer. Experimental option.
+harden-referral-path: yes
+# BIND 8
+target-fetch-policy: "-1 -1 -1 -1 -1"
+# Ignore very small EDNS buffer sizes from queries.
+harden-short-bufsize: yes
+# Refuse id.server and hostname.bind queries
+hide-identity: yes
+
+# Harden against algorithm downgrade when multiple algorithms are
+# advertised in the DS record.
+harden-algo-downgrade: yes
+# RFC 8020. returns nxdomain to queries for a name below another name that
+# is already known to be nxdomain.
+harden-below-nxdomain: yes
+
+# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+use-caps-for-id: no
+
+# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
+# denials, using information from previous NXDO-MAINs answers. In other
+# words, use cached NSEC records to generate negative answers within a
+# range and positive answers from wildcards. This increases performance,
+# decreases latency and resource utilization on both authoritative and
+# recursive servers, and increases privacy. Also, it may help increase
+# resilience to certain DoS attacks in some circumstances.
+aggressive-nsec: yes
+# Extra delay for timeouted UDP ports before they are closed, in msec.
+# This prevents very delayed answer packets from the upstream (recursive)
+# servers from bouncing against closed ports and setting off all sort of
+# close-port counters, with eg. 1500 msec. When timeouts happen you need
+# extra sockets, it checks the ID and remote IP of packets, and unwanted
+# packets are added to the unwanted packet counter.
+delay-close: 10000
+
+# Add localhost to the do-not-query-address list.
+do-not-query-localhost: no
+# Number  of  bytes size of the aggressive negative cache.
+neg-cache-size: 4M
+# Send minimum amount of information to upstream servers to enhance
+# privacy (best privacy).
+qname-minimisation: yes
+
+# Help protect users that rely on this validator for authentication from
+# potentially bad data in the additional section. Instruct the validator to
+# remove data from the additional section of secure messages that are not
+# signed properly. Messages that are insecure, bogus, indeterminate or
+# unchecked are not affected.
+val-clean-additional: yes
+
+# Reduce EDNS reassembly buffer size.
+# Suggested by the unbound man page to reduce fragmentation reassembly problems
+edns-buffer-size: 1472
+
+# Perform prefetching of close to expired message cache entries
+# This only applies to domains that have been frequently queried
+prefetch: yes
+
+# This attempts to reduce latency by serving the outdated record before
+# updating it instead of the other way around. Alternative is to increase
+# cache-min-ttl to e.g. 3600.
+cache-min-ttl: 0
+cache-max-ttl: 86400
+# Fetch the DNSKEYs earlier in the validation process, when a DS record is
+# encountered. This lowers the latency of requests at the expense of little
+# more CPU usage.
+prefetch-key: yes
+# Have unbound attempt to serve old responses from cache with a TTL of 0 in
+# the response without waiting for the actual resolution to finish. The
+# actual resolution answer ends up in the cache later on.
+serve-expired: yes
+# Open dedicated listening sockets for incoming queries for each thread and
+# try to set the SO_REUSEPORT socket option on each socket. May distribute
+# incoming queries to threads more evenly.
+so-reuseport: yes
+
+# serve-expired-ttl: 3600 # 0 or not set means unlimited
+
+# Use about 2x more for rrset cache, total memory use is about 2-2.5x
+# total cache size. Current setting is way overkill for a small network.
+# Judging from my used cache size you can get away with 8/16 and still
+# have lots of room, but I've got the ram and I'm not using it on anything else.
+# Default is 4m/4m
+msg-cache-size: 128m
+rrset-cache-size: 256m
+
+# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+num-threads: 4
+
+# Ensure kernel buffer is large enough to not lose messages in traffic spikes
+so-rcvbuf: 2m
+
+# Ensure privacy of local IP ranges
+private-address: 192.168.0.0/16
+private-address: 169.254.0.0/16
+private-address: 172.16.0.0/12
+private-address: 10.0.0.0/8
+private-address: fd00::/8
+private-address: fe80::/10
+
+
+# Additional cache options (must be power of 2)
+key-cache-size: 8m
+key-cache-slabs: 8
+
+# Enable ratelimiting of queries (per second) sent to nameserver for
+# performing recursion. More queries are turned away with an error
+# (servfail). This stops recursive floods (e.g., random query names), but
+# not spoofed reflection floods. Cached responses are not rate limited by
+# this setting. Experimental option.
+ratelimit: 1000
+# Use this certificate bundle for authenticating connections made to
+# outside peers (e.g., auth-zone urls, DNS over TLS connections).
+tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+# Set the total number of unwanted replies to eep track of in every thread.
+# When it reaches the threshold, a defensive action of clearing the rrset
+# and message caches is taken, hopefully flushing away any poison.
+# Unbound suggests a value of 10 million.
+unwanted-reply-threshold: 10000
+
+# Rotates RRSet order in response (the pseudo-random number is taken from
+# the query ID, for speed and thread safety).
+rrset-roundrobin: yes
+val-clean-additional: yes
+
+forward-zone:
+        # Forward all queries (except those in cache and local zone) to
+        # upstream recursive servers
+        name: "."
+        # Queries to this forward zone use TLS
+        forward-tls-upstream: yes
+	forward-no-cache: no
+        # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
+
+	# Cloudflare
+        forward-addr: 1.1.1.1@853#cloudflare-dns.com
+        forward-addr: 1.0.0.1@853#cloudflare-dns.com
+        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+
+	# Clean Browsing
+	forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
+	forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
+	forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
+	forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
+
+remote-control:
+    control-enable: no