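# Unbound recursive resolver used as the local upstream for Pi-hole.
# Unbound config syntax (not YAML): "yes"/"no" are the native boolean values.
server:
    # Listener (Pi-hole runs in host mode and queries localhost:5335)
    # Bound to the IPv4 loopback only, so the resolver is not reachable off-host.
    interface: 127.0.0.1@5335
    access-control: 127.0.0.1/32 allow
    # No ::1 listener is configured above, so this entry has no effect unless
    # an IPv6 loopback interface line is added as well.
    access-control: ::1 allow

    # Protocols
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Threads: match physical cores (not hyperthreads)
    num-threads: 2
    so-reuseport: yes

    # Concurrency tuning
    outgoing-range: 1024
    incoming-num-tcp: 32
    outgoing-num-tcp: 64
    num-queries-per-thread: 4096

    # Cache sizing (right-sized for ~200k Q/day, 4 GiB VM)
    msg-cache-size: 128m
    rrset-cache-size: 256m
    infra-cache-numhosts: 10000

    # TTL and prefetch to avoid cold-cache spikes
    # cache-min-ttl keeps records longer than the zone owner asked for: a
    # record changed or withdrawn upstream is still answered for up to 300 s.
    cache-min-ttl: 300
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes # optional but smooths client behavior on slow upstreams
    # Cap how long past expiry a record may still be answered. Where the
    # built-in default is 0, stale data would otherwise be served without limit.
    # NOTE(review): needs an Unbound version that knows this option - confirm.
    serve-expired-ttl: 86400

    # Network socket buffers for bursts
    # The kernel limits (net.core.rmem_max / wmem_max) must allow 16m, otherwise
    # Unbound logs a warning and runs with a smaller buffer.
    so-rcvbuf: 16m
    so-sndbuf: 16m

    # DNSSEC (keep enabled)
    # root.key is updated in place (RFC 5011), so the unbound user needs write
    # access to it; root.hints only needs to be readable.
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hardening
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Not lightweight: the man page lists this as experimental and off by
    # default because of the extra queries it sends to authority servers.
    harden-referral-path: yes
    harden-algo-downgrade: yes
    # 0x20 case randomisation against spoofed answers; some authoritative
    # servers mishandle it, which shows up as lookup failures for those zones.
    use-caps-for-id: yes
    # Per-thread count of unwanted replies; on reaching it Unbound logs a
    # warning and clears the message and RRset caches. The man page suggests
    # 10 million, so 10000 may flush a warm cache more often than intended.
    unwanted-reply-threshold: 10000

    # Logging / verbosity (low in production)
    verbosity: 1
    # Syslog output comes from use-syslog (the default, stated here so it is
    # visible); while it is on, the logfile setting is overridden.
    use-syslog: yes
    logfile: "" # empty = no log file on disk
    # Query/reply logging off keeps client lookups out of the logs; it also
    # means there is no per-query record to consult during an investigation.
    log-queries: no
    log-replies: no
    log-servfail: yes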