Diffstat (limited to 'terminaldweller.com/doh/unbound')
-rw-r--r--terminaldweller.com/doh/unbound/doh.conf43
-rw-r--r--terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf4
2 files changed, 47 insertions, 0 deletions
diff --git a/terminaldweller.com/doh/unbound/doh.conf b/terminaldweller.com/doh/unbound/doh.conf
new file mode 100644
index 0000000..4e6e291
--- /dev/null
+++ b/terminaldweller.com/doh/unbound/doh.conf
@@ -0,0 +1,43 @@
+server:
+ interface: 0.0.0.0@443
+ tls-service-key: /etc/letsencrypt/archive/doh.terminaldweller.com/privkey1.pem
+ tls-service-pem: /etc/letsencrypt/archive/doh.terminaldweller.com/fullchain1.pem
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ https-port: 443
+ tls-port: 443
+ do-ip4: yes
+ do-ip6: yes
+ do-udp: yes
+ do-tcp: yes
+ prefer-ip6: no
+# auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ qname-minimisation: yes
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ use-caps-for-id: no
+ edns-buffer-size: 1232
+ prefetch: yes
+ so-rcvbuf: 1m
+
+ private-address: 127.0.0.0/8
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 10.0.0.0/8
+ private-address: fd00::/8
+ private-address: fe80::/10
+
+ access-control: 0.0.0.0/0 allow_snoop
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
+ forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+ forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
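Review bot: `access-control: 0.0.0.0/0 allow_snoop` grants every source address not only recursion but also non-recursive (cache-snooping) queries on a listener bound to `0.0.0.0@443`; for a public resolver the usual choice is `access-control: 0.0.0.0/0 allow`, and `allow_snoop` is reserved for trusted networks, so the line should read `access-control: 0.0.0.0/0 allow`. With `do-ip6: yes` but no `::/0` rule, IPv6 clients presumably fall back to unbound's default refuse; if IPv6 service is intended, an `access-control: ::/0 allow` line is needed as well. `tls-service-key` and `tls-service-pem` point into `archive/…/privkey1.pem` and `fullchain1.pem`, which are the first issued versions and do not follow certbot renewals (later renewals write `privkey2.pem`, `privkey3.pem`, …), so the service will keep serving an expired certificate after the first renewal; the `live/doh.terminaldweller.com/privkey.pem` and `fullchain.pem` symlinks track the current version. The commented-out `auto-trust-anchor-file` line here is presumably superseded by the second file in this commit; a comment saying so, `# DNSSEC trust anchor is configured in root-auto-trust-anchor-file.conf`, would make that intent clear.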
diff --git a/terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf b/terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf
new file mode 100644
index 0000000..433eff9
--- /dev/null
+++ b/terminaldweller.com/doh/unbound/root-auto-trust-anchor-file.conf
@@ -0,0 +1,4 @@
+server:
+ # The following line will configure unbound to perform cryptographic
+ # DNSSEC validation using the root trust anchor.
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
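Review bot: `auto-trust-anchor-file` makes unbound rewrite `/var/lib/unbound/root.key` as the RFC 5011 key state changes, so the file and its directory must be writable by the user unbound runs as, and the file must first be seeded (for example with `unbound-anchor`) or validation starts without a trust anchor; neither requirement is visible in this commit, so a comment such as `# root.key must be seeded (unbound-anchor) and writable by the unbound user` would help whoever deploys this. Since this is a separate file from `doh.conf`, the stanza only takes effect if unbound is started with it included; it may be worth stating where it is loaded from.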