# $OpenBSD: unbound.conf,v 1.8 2018/03/29 20:40:22 florian Exp $

server:
	interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1@5353

	access-control: 0.0.0.0/0 allow
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	hide-identity: yes
	hide-version: yes

	auto-trust-anchor-file: "/var/unbound/db/root.key"
{% for zone in dns_zones %}
    domain-insecure: "{{ zone.name }}"
{% endfor %}

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock


{% for zone in dns_zones %}
stub-zone:
    name: "{{ zone.name }}"
    stub-addr: "{{ dns_server_public_ip }}"
{% endfor %}

stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: "{{ dns_server_public_ip }}"
stub-zone:
    name: "168.192.in-addr.arpa"
    stub-addr: "{{ dns_server_public_ip }}"

forward-zone:
	name: "."				# use for ALL queries
	forward-addr: 74.82.42.42		# he.net
	forward-addr: 2001:470:20::2		# he.net v6
	forward-addr: 8.8.8.8			# google.com
	forward-addr: 2001:4860:4860::8888	# google.com v6
	forward-addr: 208.67.222.222		# opendns.com
	forward-first: yes			# try direct if forwarder fails