server:
      # the working directory.
      directory: "/etc/unbound"

      # run as the unbound user
      username: unbound

      verbosity: 0      # uncomment and increase to get more logging.
      # logfile: "/var/log/unbound.log" # won't work due to apparmor
      # use-syslog: no

      # By default listen only to localhost
      #interface: ::1
      #interface: 127.0.0.1
      port: 53

      # Only allow localhost to use this Unbound instance.
      access-control: 127.0.0.1/8 allow
      access-control: ::1/128 allow

      # Private IP ranges, which shall never be returned or forwarded as public DNS response.
      private-address: 10.0.0.0/8
      private-address: 172.16.0.0/12
      private-address: 192.168.0.0/16
      private-address: 169.254.0.0/16
      private-address: fd00::/8
      private-address: fe80::/10

      # Functionality
      do-ip4: yes
      do-ip6: yes
      do-udp: yes
      do-tcp: yes

      # Performance
      num-threads: 2
      cache-min-ttl: 300
      cache-max-ttl: 86400
      serve-expired: yes
      neg-cache-size: 4M
      msg-cache-size: 50m
      rrset-cache-size: 100m

      so-reuseport: yes
      so-rcvbuf: 4m
      so-sndbuf: 4m

      # Privacy / hardening
      # hide server info from clients
      hide-identity: yes
      hide-version: yes
      harden-glue: yes
      harden-dnssec-stripped: yes
      harden-algo-downgrade: yes
      harden-large-queries: yes
      harden-short-bufsize: yes

      rrset-roundrobin: yes
      minimal-responses: yes
      identity: "Server" 

      # Include possible white/blacklists
      include: /etc/unbound/lists.d/*.conf

remote-control:
      control-enable: yes
      control-port: 953