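# Unbound configuration for Alpine container
# Recursive DNS resolution with DNSSEC validation.
#
# The directives below are unchanged in name and value; each sits on its own
# line because a file collapsed onto a single line starting with '#' is read
# as one comment and configures nothing.

server:
    # Basic settings
    verbosity: 1
    num-threads: 2

    # Interface binding
    # Listens on every IPv4 address in the container on an unprivileged port.
    # No IPv6 listen address is configured, so do-ip6 only affects upstream
    # queries and the IPv6 access-control entries below have no listener to
    # apply to until an IPv6 "interface:" line is added.
    interface: 0.0.0.0
    port: 5335
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Access control - allow loopback and private (RFC 1918 / ULA) ranges.
    # Clients outside these ranges keep Unbound's default of "refuse".
    # NOTE(review): 172.16.0.0/12 also covers the usual container bridge
    # networks. If this port is published through a proxy or NAT that rewrites
    # the client source address to a bridge address, outside clients would
    # match this rule and the resolver would answer them. Confirm how the port
    # is exposed, and narrow these ranges to the networks actually served.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow
    access-control: ::1/128 allow
    access-control: fd00::/8 allow

    # Root hints: addresses of the root name servers used to prime the
    # resolver. This file is not part of DNSSEC; trust comes from the anchor
    # below.
    root-hints: /etc/unbound/root.hints

    # Trust anchor for DNSSEC validation, kept up to date automatically
    # (RFC 5011). The file must be writable by the user Unbound runs as.
    auto-trust-anchor-file: /var/lib/unbound/root.key

    # Hide identity and version: do not answer id.server / version.server
    # style queries, which would disclose the host name and software version.
    hide-identity: yes
    hide-version: yes

    # Harden settings
    # harden-glue: only trust glue that is within the server's authority.
    # harden-dnssec-stripped: treat a signed zone as bogus when its DNSSEC
    #   records are missing, so stripping signatures cannot downgrade it.
    # harden-referral-path: extra validation of the referral path; the Unbound
    #   documentation describes it as experimental and it adds query load.
    # use-caps-for-id: 0x20 case randomisation of query names as an
    #   anti-spoofing measure; some authoritative servers mishandle it, so
    #   watch for resolution failures after enabling.
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes

    # Prefetch settings for performance: refresh popular cache entries and
    # DNSKEYs before they expire, at the cost of some extra upstream traffic.
    prefetch: yes
    prefetch-key: yes

    # Cache settings
    # NOTE(review): cache-min-ttl overrides the TTL chosen by the zone owner.
    # With 3600, a record published with a short TTL (failover, revoked or
    # corrected data) stays cached for up to an hour. Confirm this trade-off
    # is intended; 0 honours the published TTLs.
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    msg-cache-size: 50m
    rrset-cache-size: 100m
    key-cache-size: 50m
    neg-cache-size: 10m

    # Privacy settings
    # qname-minimisation: send upstream servers only the labels they need.
    # aggressive-nsec: answer from cached NSEC records (RFC 8198) instead of
    #   sending the query upstream.
    qname-minimisation: yes
    aggressive-nsec: yes

    # Logging
    # An empty logfile means stderr rather than a file. Query and reply
    # logging are off, so client lookups are not recorded; SERVFAIL reasons
    # are kept for troubleshooting.
    # NOTE(review): use-syslog is not set here. Its default sends log output
    # to syslog and takes precedence over logfile, so confirm the container
    # start command actually surfaces these messages.
    logfile: ""
    log-queries: no
    log-replies: no
    log-local-actions: no
    log-servfail: yes

    # User/group (Alpine uses 'unbound' user)
    # Privileges are dropped to this user after start-up. chroot is disabled
    # by the empty string, so filesystem isolation relies on the container.
    username: "unbound"
    directory: "/etc/unbound"
    chroot: ""

    # PID file
    pidfile: "/var/run/unbound.pid"

# Remote control (disabled for security): the unbound-control interface is
# switched off.
remote-control:
    control-enable: no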