## Unbound config file
server:
        directory: /usr/local/etc/unbound
        chroot: /usr/local/etc/unbound
	num-threads: 4
    # Zone file
	include: /usr/local/etc/unbound/energized-ultimate.blacklist
    # List of valid clients 
	include: /usr/local/etc/unbound/users.conf
    # Verbosity to zero - we don't log
	verbosity: 0
	use-syslog: no
    # Specify interfaces
	interface: 0.0.0.0
	interface: ::0
    # Our root hints file
	root-hints: /usr/local/etc/unbound/root.hints

    # Hide/block identity and version
	hide-identity: yes
	hide-version: yes
    # Trust glue only if it is within the servers authority.
	harden-glue: yes
    # Require DNSSEC data for trust-anchored zones
	harden-dnssec-stripped: yes
    # Use 0x20-encoded random bits in the query to help prevent spoofs
	use-caps-for-id: yes
    # Specify caching TTLs
	cache-min-ttl: 72000
	cache-max-ttl: 86400
    # Perform prefetching of close to expired message cache entries.
	prefetch: yes

    # Do not allow localhost to use the forwarder
	do-not-query-localhost: yes
    # TLS Cert Bundle
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
    
    # Specify servers for forwarding to
	forward-zone:
		name:"."
		forward-tls-upstream: yes		
		forward-addr: 45.90.28.0@853#<your-id>>.dns1.nextdns.io

remote-control:
	control-enable: yes
	control-use-cert: no