blob: 13221930971665dcc5ca00e371e994504ac72a7c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
{
services.unbound = {
enable = true;
_blocklists = {
enable = true;
blocklists = {
hageziNSFW = [
"https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/nsfw.txt"
"https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/nsfw.txt"
"https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/nsfw.txt"
];
hageziPro = [
"https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"
"https://gitlab.com/hagezi/mirror/-/raw/main/dns-blocklists/rpz/pro.txt"
"https://codeberg.org/hagezi/mirror2/raw/branch/main/dns-blocklists/rpz/pro.txt"
];
};
};
settings = {
server = {
# Listen on all interfaces (or specify specific IPs)
interface = [ "0.0.0.0" "::0" ];
# Allow queries from local networks
access-control = [
"127.0.0.0/8 allow"
"192.168.0.0/16 allow"
"10.0.0.0/8 allow"
"172.16.0.0/12 allow"
];
## Enable DNSSEC validation
#auto-trust-anchor-file: "/var/unbound/root.key"
# Harden against out-of-zone data
harden-referral-path = true;
harden-dnssec-stripped = true;
# Privacy options
qname-minimisation = true;
# Cache settings
cache-min-ttl = 300;
cache-max-ttl = 86400;
# Hide version
hide-identity = true;
hide-version = true;
# Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
harden-glue = true;
use-caps-for-id = false;
prefetch = true;
edns-buffer-size = 1232;
};
# Forward unknown to public resolver via DoT
forward-zone = [
{
name = ".";
forward-addr = [
"9.9.9.9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
];
forward-tls-upstream = true; # Encrypted DNS
}
];
remote-control.control-enable = true;
};
};
}
|
