# Unbound configuration file on windows.
# See example.conf for more settings and syntax

server:
	# verbosity level 0-4 of logging
	verbosity: 0

	# if you want to log to a file use
	# logfile: "C:\unbound.log"

	# on Windows, this setting makes reports go into the Application log
	# found in ControlPanels - System tasks - Logs 
	use-syslog: yes
	log-time-ascii: yes
	num-threads: 4
	cache-max-ttl: 14400
	cache-min-ttl: 900
	cache-max-negative-ttl: 60
	infra-host-ttl: 60
#	root-hints: "C:\Program Files\Unbound\named.root"

	do-ip6: no

	tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
	tcp-upstream: yes

	# Harden against very small EDNS buffer sizes. 
	harden-short-bufsize: yes

	# Harden against unseemly large queries.
	harden-large-queries: yes

	# Harden against out of zone rrsets, to avoid spoofing attempts. 
	harden-glue: yes

	# Harden against queries that fall under dnssec-signed nxdomain names.
	# Default is no
	harden-below-nxdomain: yes
	# 1.5.7 feature. Yes recommended.
	qname-minimisation: yes

	low-rtt: 50
	low-rtt-pct: 900

	unwanted-reply-threshold: 10000000
	do-not-query-localhost: no
	prefetch: yes
	prefetch-key: yes
	rrset-roundrobin: yes
	minimal-responses: yes

# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no

module-config: "validator iterator"
#val-permissive-mode: no

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow_snoop
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow

#include: "C:\Program Files\Unbound\unbound_local" 
include: "C:\Program Files\Unbound\unbound_ad_servers" 

# Remote control config section. 
remote-control:
	# Enable remote control with unbound-control(8) here.
	# set up the keys and certificates with unbound-control-setup.
	control-enable: yes
        control-use-cert: no

forward-zone:
  name: "."
#  forward-addr: 208.67.222.222@53
#  forward-addr: 208.67.220.220@53
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-tls-upstream: yes

# OpenDNS is NOT DNSSEC enabled
server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
#server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
#