added options

sujiba · Oct 7, 2023 · 662fa0a · 662fa0a
1 parent 5ab96ff
commit 662fa0a
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/docker-build/unbound-pihole.conf b/docker-build/unbound-pihole.conf
@@ -1,4 +1,6 @@
 server:
+    # https://manpages.debian.org/bullseye/unbound/unbound.conf.5.en.html
+    # 
     # If no logfile is specified, syslog is used
     # logfile: "/var/log/unbound/unbound.log"
     verbosity: 0
@@ -9,7 +11,7 @@ server:
     do-udp: yes
     do-tcp: yes
 
-    # May be set to yes if you have IPv6 connectivity
+    # Maybe set to yes if you have IPv6 connectivity
     do-ip6: no
 
     # You want to leave this to no unless you have *native* IPv6. With 6to4 and
@@ -51,7 +53,13 @@ server:
     # This only applies to domains that have been frequently queried
     prefetch: yes
 
-    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+    # Fetch the DNSKEYs earlier in the validation process, when a DS record is encountered. 
+    # This lowers the latency of requests. It does use a little more CPU.
+    prefetch-key: yes
+
+    # One thread should be sufficient, can be increased on beefy machines. 
+    # In reality for most users running on small networks or on a single machine, 
+    # it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
     num-threads: 1
 
     # Ensure kernel buffer is large enough to not lose messages in traffic spikes
@@ -61,6 +69,16 @@ server:
     msg-cache-size: 128m
     rrset-cache-size: 256m
 
+    # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN 
+    # and other denials, using information from previous NXDOMAINs answers.
+    # It helps to reduce the query rate towards targets that get a very high nonexistent name lookup rate.
+    aggressive-nsec: yes
+
+    # If enabled id.server and hostname.bind queries are refused.
+    hide-identity: yes
+    #If enabled version.server and version.bind queries are refused.
+    hide-version: yes
+
     # Ensure privacy of local IP ranges
     private-address: 192.168.0.0/16
     private-address: 169.254.0.0/16