server:
  interface: 0.0.0.0
  port: 5335

  access-control: 172.30.0.0/24 allow
  access-control: 10.0.0.0/8 allow
  access-control: 172.16.0.0/12 allow
  access-control: 192.168.0.0/16 allow

  # True recursion (NO forwarders)
  root-hints: "/etc/unbound/root.hints"

  # DNSSEC (needs writable location)
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  harden-dnssec-stripped: yes
  val-permissive-mode: no

  # Hardening / privacy
  hide-identity: yes
  hide-version: yes
  qname-minimisation: yes
  harden-glue: yes
  harden-below-nxdomain: yes
  do-not-query-localhost: yes
  minimal-responses: yes

  # Network
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  do-ip6: no

  # This warning is harmless, but you can silence it:
  so-sndbuf: 0
  so-rcvbuf: 0