# This is an experiment for log watching which of the big three providers
# with some level of malicious domain filtering Unbound decides to use.
# Cloudflare, the American internet giant, data can be wondered at
# https://radar.cloudflare.com/dns while Quad9 is non-profit foundation and
# DNS4EU is European Union funded initiative for improving European
# Cybersecurity without the need for such big foreign corporations.

server:
	# Debian ca-certificates location
	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
	# Fedora
	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
	# Use system certificates no matter where they are
	tls-system-cert: yes
	# Quad9 says pointless performance impact on forwarders.
	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
	qname-minimisation: no

forward-zone:
	name: "."
	forward-tls-upstream: yes

	# Cloudflare malicious domain blocking
	forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
	forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
	forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
	forward-addr: 1.0.0.2@853#security.cloudflare-dns.com

	# Quad9 malicious domain blocking with ECS
	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
	forward-addr: 9.9.9.11@853#dns11.quad9.net
	forward-addr: 9.9.9.11@8853#dns11.quad9.net
	forward-addr: 2620:fe::11@853#dns11.quad9.net
	forward-addr: 2620:fe::11@8853#dns11.quad9.net
	forward-addr: 149.112.112.11@853#dns11.quad9.net
	forward-addr: 149.112.112.11@8853#dns11.quad9.net

	# DNS4EU malicious domain blocking
	forward-addr: 2a13:1001::86:54:11:201@853#protective.joindns4.eu
	forward-addr: 2a13:1001::86:54:11:1@853#protective.joindns4.eu
	forward-addr: 86.54.11.201@853#protective.joindns4.eu
	forward-addr: 86.54.11.1@853#protective.joindns4.eu

# vim: filetype=unbound.conf