I've got four files for unbound.

/etc/unbound/unbound.conf, content:

```
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
```
/etc/unbound/unbound.conf.d/qname-minimisation.conf, content:

```
server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.
    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.
    # https://ripe72.ripe.net/presentations/120-unbound_qnamemin_ripe72.pdf
    # test: drill txt qnamemintest.internet.nl
    # result: "HOORAY - QNAME minimisation is enabled on your resolver :)!"
    qname-minimisation: yes
    harden-below-nxdomain: yes
```
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf, content:

```
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/etc/unbound/root.key"
```
/etc/unbound/unbound.conf.d/unbound.conf, content:

```
## See wiki: https://github.com/pi-hole/pi-hole/...
#
server:
    logfile: /unbound.log
    log-time-ascii: yes
    verbosity: 1
    interface: 127.10.10.2@5552
    interface: fdaa:bbcc:ddee:2::5552@5552
    #port: 5552
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes
    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/root.hints"
    # enable to not answer id.server and hostname.bind queries.
    # hide-identity: yes
    # enable to not answer version.server and version.bind queries.
    # hide-version: yes
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
    # and other denials, using information from previous NXDOMAIN answers.
    aggressive-nsec: yes
    # Use capitalization randomization
    # This is an experimental resilience method which uses upper and lower case letters in the question hostname to obtain randomness. Two names with the same spelling but different case should be treated as identical.
    # Attackers hoping to poison a DNS cache must guess the mixed-case encoding of the query. This increases the difficulty of such an attack significantly.
    use-caps-for-id: no
    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Number of bytes size to advertise as the EDNS reassembly buffer size.
    # This is the value put into datagrams over UDP towards peers.
    # The actual buffer size is determined by msg-buffer-size (both for TCP and UDP).
    # Do not set higher than that value.
    # Default is 4096 which is RFC recommended.
    # If you have fragmentation reassembly problems,
    # usually seen as timeouts, then a value of 1472 can fix it.
    # Setting to 512 bypasses even the most stringent path MTU problems,
    # but is seen as extreme, since the amount of TCP fallback generated is
    # excessive (probably also for this resolver, consider tuning the outgoing tcp number).
    edns-buffer-size: 1472
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
    # Access Control
    access-control: fdaa:bbcc:ddee:2::5552/128 allow

# Remote control config section.
remote-control:
    control-enable: yes

# Copy of the root for local usage
auth-zone:
    name: "."
    master: i.root-servers.net
    master: f.root-servers.net
    master: j.root-servers.net
    master: k.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/root.zone"
```
As you can see, I no longer use pihole-FTL for DNSSEC (too many problems); both unbound and knot-resolver are capable of doing this.
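Added example (mine, not the poster's): a small Python audit that follows unbound's `include:` glob the way the main file above does and flags hardening options that are off policy, including the two the post leaves commented out (hide-identity, hide-version) and use-caps-for-id, which is set to no. The policy list and the trimmed file contents are constructed; the paths mirror the post.

```python
import fnmatch
import re

# Constructed policy: the hardening options from the post plus the two it leaves
# commented out; tune to your own requirements.
EXPECTED = {
    "qname-minimisation": "yes",
    "harden-glue": "yes",
    "harden-dnssec-stripped": "yes",
    "hide-identity": "yes",
    "hide-version": "yes",
    "use-caps-for-id": "yes",
}

# Constructed, trimmed copy of the post's layout (path -> text); swap in real file reads for /etc/unbound.
FILES = {
    "/etc/unbound/unbound.conf": 'include: "/etc/unbound/unbound.conf.d/*.conf"\n',
    "/etc/unbound/unbound.conf.d/qname-minimisation.conf":
        "server:\n    qname-minimisation: yes\n    harden-below-nxdomain: yes\n",
    "/etc/unbound/unbound.conf.d/unbound.conf":
        "server:\n    # hide-identity: yes\n    # hide-version: yes\n"
        "    harden-glue: yes\n    harden-dnssec-stripped: yes\n    use-caps-for-id: no\n",
}

OPTION_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")

def parse_unbound(path, files=FILES, seen=None):
    """Return {option: [values]} for every active line, following include: globs."""
    seen = set() if seen is None else seen
    options = {}
    if path in seen or path not in files:  # include loop guard / missing file
        return options
    seen.add(path)
    for raw in files[path].splitlines():
        m = OPTION_RE.match(raw.split("#", 1)[0])  # comments vanish, so "# hide-identity: yes" is not active
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if key == "include":
            for inc in sorted(p for p in files if fnmatch.fnmatch(p, value)):
                for k, vals in parse_unbound(inc, files, seen).items():
                    options.setdefault(k, []).extend(vals)
        elif value:  # skip bare clause headers such as "server:"
            options.setdefault(key, []).append(value)
    return options

def audit(options):
    """Return (option, last value or None, expected) for every option off policy."""
    found = {k: options.get(k, [None])[-1] for k in EXPECTED}
    return [(k, found[k], want) for k, want in EXPECTED.items() if found[k] != want]
```

Run `audit(parse_unbound("/etc/unbound/unbound.conf"))` to get the list of mismatches; the last value wins when an option is set in more than one included file, which is also how duplicates surface when two conf.d files disagree.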