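# Unbound resolver configuration: loopback-only validating, caching resolver.
# One directive per line; a trailing '#' starts a comment.
server:
    # Listen on loopback only, on port 48 (not the default 53); clients must
    # be pointed at this port explicitly.
    interface: 127.0.0.1@48
    interface: ::1@48

    # Only loopback clients may query. Leaving the two catch-all rules
    # commented out keeps this from becoming an open resolver if the
    # interface list is ever widened.
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    #access-control: 0.0.0.0/0 allow
    #access-control: ::/0 allow

    prefer-ip6: yes
    delay-close: 1500
    do-ip4: yes
    do-ip6: yes
    do-tcp: yes
    do-udp: yes
    # Permits sending upstream queries to localhost addresses.
    # NOTE(review): presumably for a local forwarder; no forward-zone is
    # visible in this section -- confirm it is still needed.
    do-not-query-localhost: no

    # Logging
    # NOTE(review): with verbosity 0 and log-servfail off, resolution and
    # validation failures leave no log trail; consider val-log-level: 1 if
    # failed validations should be detectable.
    verbosity: 0
    log-time-ascii: no
    log-servfail: no

    # NOTE(review): only meaningful when the subnetcache (ECS) module is in
    # use; no module-config or send-client-subnet appears in this section.
    client-subnet-always-forward: yes

    # Hardening
    aggressive-nsec: yes
    # If 'no', responses with DNSSEC data stripped are accepted, which
    # effectively disables DNSSEC validation.
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    # Strict mode is left off because some domains fail to resolve with it.
    qname-minimisation-strict: no
    so-reuseport: yes
    minimal-responses: yes
    deny-any: yes
    rrset-roundrobin: yes

    # Cache behaviour
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 86400  # max 1 day
    #serve-expired-ttl-reset: no

    # Information disclosure
    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes

    edns-tcp-keepalive: yes
    #edns-tcp-keepalive-timeout: 12000  # 2min
    #tcp-idle-timeout: 30000  # 30 sec

    # Threads and cache sizing (slabs match the single thread)
    num-threads: 1
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    key-cache-slabs: 1
    infra-cache-slabs: 1
    msg-cache-size: 54m     # default 4m
    rrset-cache-size: 108m  # rrset=msg*2 # default 4m
    key-cache-size: 54m     # default 4m
    # default 1m. This option was set twice (27m, then 25m); the later value
    # is the one that took effect, so only that one is kept.
    neg-cache-size: 25m
    infra-cache-numhosts: 50000
    # dnscrypt-shared-secret-cache-size: 13m  # default 4m
    # dnscrypt-nonce-cache-size: 13m  # default 4m

    outgoing-range: 4096
    incoming-num-tcp: 100
    outgoing-num-tcp: 100
    unwanted-reply-threshold: 10000000

    # TTL policy
    cache-min-ttl: 90
    cache-max-ttl: 900
    infra-host-ttl: 3600
    val-bogus-ttl: 120
    # Maximum time to live for negative responses; these have a SOA in the
    # authority section that is limited in time. Default is 3600. This
    # applies to nxdomain and nodata answers.
    cache-max-negative-ttl: 10

    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Reference: https://github.com/publicarray/dns-resolver-infra/blob/master/unbound/unbound.conf

    # Private/internal suffixes are answered locally (static) instead of
    # being sent upstream.
    local-zone: example. static
    local-zone: local. static
    local-zone: i2p. static
    local-zone: home. static
    local-zone: zghjccbob3n0. static
    local-zone: dhcp. static
    local-zone: lan. static
    local-zone: localdomain. static
    local-zone: ip. static
    local-zone: internal. static
    local-zone: openstacklocal. static
    local-zone: dlink. static
    local-zone: gateway. static
    local-zone: corp. static
    local-zone: workgroup. static
    local-zone: belkin. static
    local-zone: davolink. static
    local-zone: z. static
    local-zone: domain. static
    local-zone: virtualmin. static

    # DNS rebinding protection: answers from public names that contain
    # these addresses are stripped.
    ## IPv4
    private-address: 0.0.0.0/8           # Should not be on the Internet (only valid as source address)
    private-address: 10.0.0.0/8          # Private networks
    # Loopback. Side effect: spam-blocklists (RBL) (https://www.dnsbl.info/),
    # e.g. "dig +short 0.0.0.0.zen.spamhaus.org", will stop working
    # (https://www.spamhaus.org/zen/,
    # https://www.spamhaus.org/faq/section/DNSBL%20Usage#202)
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16      # link-local (networks without DHCP)
    private-address: 172.16.0.0/12       # Private networks
    private-address: 192.168.0.0/16      # Private networks
    private-address: 255.255.255.255/32  # Broadcast destination

    ## IPv6
    private-address: ::/128         # Unspecified addresses (only valid as source address)
    private-address: ::1/128        # Loopback
    private-address: 2001:db8::/32  # Documentation addresses used for documentation purposes such as user manuals, RFCs, etc. (RFC3849)
    # private-address: ::ffff:0:0/96  # IPv4-mapped IPv6 addresses (deprecated and should not be on the public internet) (blocks potentially valid addresses / gives wrong result from DNS Benchmark)
    private-address: fe80::/10      # IP address autoconfiguration (link-local unicast, Private network)
    private-address: fc00::/7       # Unique Local Addresses (Private network)
    # private-address: fec0::/10    # Deprecated site networks
    # private-address: 2002::/16    # 6to4 (deprecated)
    # private-address: 64:ff9b::/96 # NAT64 "Well-Known" Prefix (RFC 6052)
    # private-address: 2001::/32    # Teredo
    private-address: 2001:10::/28   # ORCHID
    # private-address: ff00::/8     # Multicast

    ## Selected IPv4 mapped addresses from IPv4 above (fixes potentially
    ## wrong result from DNS Benchmark if blocking all of ::ffff:0:0/96).
    # The mapped prefix length is 96 + the IPv4 prefix length. The earlier
    # /120 and /116 values covered only a /24 and a /20 of each range, so
    # most mapped private addresses passed the rebinding filter.
    private-address: ::ffff:0.0.0.0/104          # 0.0.0.0/8, IPv4-mapped
    private-address: ::ffff:10.0.0.0/104         # 10.0.0.0/8, private IPv4-mapped addresses
    private-address: ::ffff:127.0.0.0/104        # 127.0.0.0/8, loopback IPv4-mapped addresses, spam-blocklists (RBL)
    private-address: ::ffff:169.254.0.0/112      # 169.254.0.0/16, link-local IPv4-mapped addresses
    private-address: ::ffff:172.16.0.0/108       # 172.16.0.0/12, private IPv4-mapped addresses
    private-address: ::ffff:192.168.0.0/112      # 192.168.0.0/16, private IPv4-mapped addresses
    private-address: ::ffff:255.255.255.255/128  # Broadcast IPv4-mapped addresses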