# This is a merging of dot-dns0.conf & dot-quad9.conf with weight on DNS0
# IPv4 and when using IPv6, Quad9 Secure with ECS. IPv6 private ECS is
# horribly inaccurate and I have minor leaning towards having ECS enabled.
# Private ECS is a compromise between privacy and local destinations.
#
# Both are filtering DNS servers, so this brings risk of something being
# blocked by only one of them. However both are non-profits and have servers
# in Finland.

server:
	# Debian ca-certificates location
	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
	# Fedora
	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
	# Use system certificates no matter where they are
	tls-system-cert: yes
	# Quad9 says pointless performance impact on forwarders.
	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
	qname-minimisation: no
	# Private ECS is more accurate with IPv4 than IPv6.
	prefer-ip4: yes
	prefer-ip6: no

forward-zone:
	name: "."
	forward-tls-upstream: yes
## DNS0.eu IPv4 Default
	forward-addr: 193.110.81.0@853#dns0.eu
	forward-addr: 185.253.5.0@853#dns0.eu
## Quad9 IPv6 Secure + ECS
	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
	forward-addr: 2620:fe::11@853#dns11.quad9.net

# vim: filetype=unbound.conf