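server:
    # unbound.conf syntax: a '#' comment runs to the end of the line, so each
    # directive has to sit on its own line or it is swallowed by the comment
    # before it. Validate with unbound-checkconf before reloading.

    # Listener (Pi-hole runs in host mode and queries localhost:5335).
    # Only loopback is bound and only loopback is allowed to query, so the
    # resolver is not reachable from the network.
    interface: 127.0.0.1@5335
    access-control: 127.0.0.1/32 allow
    # The ::1 rule only takes effect if an "interface: ::1@5335" listener is
    # added; as written, only 127.0.0.1 is bound.
    access-control: ::1 allow

    # Protocols
    do-ip4: yes
    # NOTE(review): do-ip6 also governs upstream queries; confirm the host has
    # a working IPv6 route, otherwise lookups can stall on unreachable servers.
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Threads: match physical cores (not hyperthreads)
    num-threads: 2
    so-reuseport: yes

    # Concurrency tuning
    # NOTE(review): Unbound's tuning guidance sizes outgoing-range at roughly
    # twice num-queries-per-thread; here the ratio is inverted (1024 vs 4096),
    # so queries may wait for a free socket. Confirm against the build
    # (with or without libevent) before raising either value.
    outgoing-range: 1024
    incoming-num-tcp: 32
    outgoing-num-tcp: 64
    num-queries-per-thread: 4096

    # Cache sizing (right-sized for ~200k Q/day, 4 GiB VM).
    # rrset-cache-size is kept at twice msg-cache-size. Real memory use runs
    # above the configured totals because of allocator overhead.
    msg-cache-size: 128m
    rrset-cache-size: 256m
    infra-cache-numhosts: 10000

    # TTL and prefetch to avoid cold-cache spikes.
    # cache-min-ttl holds records longer than the zone owner published, so a
    # changed or withdrawn record can stay in the cache for up to 300 s.
    cache-min-ttl: 300
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes
    # serve-expired answers from stale cache entries while a refresh runs.
    # Consider bounding how old such answers may be with serve-expired-ttl,
    # so records that were withdrawn upstream are not served indefinitely.
    serve-expired: yes  # optional but smooths client behavior on slow upstreams

    # Network socket buffers for bursts.
    # On Linux the kernel caps these at net.core.rmem_max / wmem_max unless
    # Unbound starts as root; check the log for a buffer-size warning.
    so-rcvbuf: 16m
    so-sndbuf: 16m

    # Root hints and DNSSEC trust anchor (keep DNSSEC enabled).
    # The trust anchor file is updated by Unbound itself (RFC 5011 tracking),
    # so it must be writable by the Unbound user and by nobody else.
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hardening (lightweight)
    harden-glue: yes
    harden-dnssec-stripped: yes
    # harden-referral-path is documented as experimental and adds extra
    # upstream queries; drop it first if resolution latency becomes a problem.
    harden-referral-path: yes
    harden-algo-downgrade: yes
    # 0x20 case randomisation makes off-path answer spoofing harder; a few
    # authoritative servers mishandle it, which shows up as sporadic failures
    # for specific domains.
    use-caps-for-id: yes
    # When the per-thread count of unsolicited replies reaches this value,
    # Unbound logs a warning and flushes the message and rrset caches.
    # NOTE(review): the Unbound documentation suggests 10 million; 10000 may
    # flush the cache more readily than intended. Confirm the value.
    unwanted-reply-threshold: 10000

    # Logging / verbosity (low in production)
    verbosity: 1
    # An empty logfile means stderr, and it is only consulted when use-syslog
    # is "no". use-syslog defaults to "yes", so with this file as written the
    # log goes to syslog and nothing is written to disk by Unbound itself.
    logfile: ""
    # Per-query logging stays off: it records every name each client looks up.
    log-queries: no
    log-replies: no
    # Logs why a query ended in SERVFAIL; useful for spotting DNSSEC
    # validation failures.
    log-servfail: yes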