unbound: add dot-cloudflare.conf

It will not affect web browsers which are using DoH for ECH eliminating most of breakage and I am just curious on will anything outside of web browser suffer that.

etc/opt/chromium/policies/managed/doh-disabled.json

@@ -0,0 +1,3 @@
+{
+  "DnsOverHttpsMode": "off"
+}

etc/opt/chromium/policies/managed/doh-google.json

@@ -0,0 +1,4 @@
+{
+  "DnsOverHttpsMode": "automatic",
+  "DnsOverHttpsTemplates": "https://dns.google/dns-query"
+}

etc/unbound/unbound.conf.d/cache.conf

@@ -10,11 +10,13 @@ server:
 	rrset-cache-size: 50m
 	# nxdomain cache, default 1m
 	neg-cache-size: 10m
-	# Cache results for 15 minutes even if they had a shorter TTL. Cloudflare
-	# zone export used to have 1 second, and I have also been seeing 1
-	# minute in the wild, I think 5 mins shouldn't break anything, but bigger
-	# might.
-	cache-min-ttl: 900
+	# Increases TTL of all queries to 900 seconds (5 minutes) if upstream has
+	# a lower one. I have been using this since August 2019 without issues.
+	#cache-min-ttl: 900
+	# https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
+	# dares setting the minimum cache to something between 40 minute and 60,
+	# so how about 50 minutes? However it predates RFC 8767.
+	cache-min-ttl: 3000
 	# Update cache for popular items before they expire. ~10 % traffic
 	# increase according to `man unbound.conf`
 	prefetch: yes
@@ -23,6 +25,16 @@ server:
 	# Allow expired results to be served if they are in cache. The cache will
 	# get updated the next time.
 	serve-expired: yes
+	# Serve expired data up to one day (RFC 8767)
+	serve-expired-ttl: 86400
+	# If serving expired data to client, explicitly give it TTL 30 seconds
+	serve-expired-reply-ttl: 30
+	# Serve expired data to client if there is no answer in 1.8 seconds as per
+	# common timeout 2 seconds according to the RFC 8767
+	#serve-expired-client-timeout: 1800
+	# However my /etc/resolv.conf timeout is 1 second since all my nameservers
+	# are localhost, so let's wait 0.8 seconds instead.
+	serve-expired-client-timeout: 800
 	# DNSSEC errors for valid and expired records
 	ede: yes
 	ede-serve-expired: yes

etc/unbound/unbound.conf.d/dot-cloudflare.conf

@@ -0,0 +1,34 @@
+server:
+	# Debian ca-certificates location
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	# ctrl.blog says this is the Fedora location
+	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
+
+forward-zone:
+	name: "."
+	forward-tls-upstream: yes
+
+	# Default / unfiltered
+	#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+	#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+	#forward-addr: 1.1.1.1@853#cloudflare-dns.com
+	#forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+	# Malware blocking
+	forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
+	forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
+	forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
+	forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
+
+	# Malware and adult content blocking
+	#forward-addr: 2606:4700:4700::1113@853#family.cloudflare-dns.com
+	#forward-addr: 2606:4700:4700::1003@853#family.cloudflare-dns.com
+	#forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+	#forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+
+# vim: filetype=unbound.conf