# Google, Quad9 insecure and 443 accepting resolvers. Mainly ECS.

server:
	# Debian ca-certificates location
	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
	# Fedora
	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
	# Use system certificates no matter where they are
	tls-system-cert: yes
	# Quad9 says pointless performance impact on forwarders.
	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
	qname-minimisation: no

forward-zone:
	name: "."
	forward-tls-upstream: yes

	# Google Public DNS. ECS.
	forward-addr: 2001:4860:4860::8844@853#dns.google
	forward-addr: 2001:4860:4860::8888@853#dns.google
	forward-addr: 8.8.4.4@853#dns.google
	forward-addr: 8.8.8.8@853#dns.google

	# Google DNS64
	#forward-addr: 2001:4860:4860::6464@853#dns64.dns.google
	#forward-addr: 2001:4860:4860::64@853#dns64.dns.google

	## Quad9 No Threat Blocking + ECS
	forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
	forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
	forward-addr: 9.9.9.12@853#dns12.quad9.net
	forward-addr: 9.9.9.12@8853#dns12.quad9.net
	forward-addr: 2620:fe::12@853#dns12.quad9.net
	forward-addr: 2620:fe::12@8853#dns12.quad9.net
	forward-addr: 149.112.112.12@853#dns12.quad9.net
	forward-addr: 149.112.112.12@8853#dns12.quad9.net

	# https://appliedprivacy.net/services/dns/ - Vienna, Austria, no ECS
	forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net
	forward-addr: 146.255.56.98@443#dot1.applied-privacy.net

# vim: filetype=unbound.conf