# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The stock Debian file follows this header with an include of the
# /etc/unbound/unbound.conf.d directory. No include line appears below;
# the settings are defined inline in this file instead.
    server:
    # Global resolver settings. unbound.conf is not indentation-sensitive:
    # every attribute below belongs to this server: clause until the next
    # clause keyword (view:, remote-control:).

    # Trust anchor file that enables DNSSEC validation. The auto- variant is
    # updated by unbound itself as root keys roll over, so the daemon's user
    # needs write access to it.
    # NOTE(review): "/root.key" sits in the filesystem root, which is unusual
    # outside a container image (Debian packages normally use
    # /var/lib/unbound/root.key) - confirm the path and its ownership.
    auto-trust-anchor-file: "/root.key"
    # Send the minimal amount of query name information to upstream servers
    # to enhance privacy.
    qname-minimisation: yes
    # Listen on every IPv4 address of the host. Who actually gets answers is
    # then decided only by the access-control entries below (and any host
    # firewall).
    # NOTE(review): if the host has an interface facing an untrusted network,
    # consider listing the specific LAN/tailnet addresses here instead.
    interface: 0.0.0.0
    # interface: ::0
    # DNS rebinding protection: addresses in these ranges are removed from
    # answers for public names. Per unbound.conf(5), local-data statements may
    # still contain private addresses, so the view records further down are
    # not affected.
    # NOTE(review): only 192.168.0.0/16 and the CGNAT range are listed;
    # 10.0.0.0/8, 172.16.0.0/12 and 169.254.0.0/16 are not covered - decide
    # whether they should be.
    private-address: 192.168.0.0/16
    private-address: 100.64.0.0/10

    # Source netblocks that are allowed to query the resolver. Clients that
    # match no entry fall under unbound's default, which refuses everything
    # except localhost.
    access-control: 192.168.88.0/24 allow
    # explicitly allow localhost access
    access-control: 127.0.0.0/8 allow
    # Allow Tailnet.
    # NOTE(review): 100.64.0.0/10 is the entire shared CGNAT block, wider than
    # a single tailnet - confirm no non-tailnet interface on this host can
    # receive traffic from that range.
    access-control: 100.64.0.0/10 allow
    # Uncomment the following line to allow Tailnet IPv6 (do-ip6 is set to
    # "no" below, so IPv6 would presumably have to be enabled there as well).
    # access-control: fd7a:115c:a1e0::/48 allow

    # Select a view by client source netblock. 127.0.0.0/8 has no entry here,
    # so localhost clients get no view-specific local-data.
    access-control-view: 192.168.88.0/24 lan
    access-control-view: 100.64.0.0/10 tailnet
    
    # Transport: IPv4 only, over both UDP and TCP.
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

# Split-horizon view "lan": applied to clients in 192.168.88.0/24 through the
# access-control-view entry in the server: clause. View selection is by client
# source address only.
view:
  name: "lan"
  # Consult this view's local zones first; on no match, fall back to the
  # global local-zone/local-data.
  view-first: yes
  # transparent: names under example.com. without local-data here are
  # resolved normally. A name that has local-data but not the queried type
  # gets a NODATA answer, e.g. AAAA queries for the A-only hosts below.
  local-zone: "example.com." transparent
  # All service names resolve to the same LAN address, 192.168.88.231.
  local-data: "nextcloud.example.com. A 192.168.88.231"
  local-data: "photo.example.com. A 192.168.88.231"
  local-data: "gitea.example.com. A 192.168.88.231"
  local-data: "portainer.example.com. A 192.168.88.231"
  local-data: "vaultwarden.example.com. A 192.168.88.231"

# Split-horizon view "tailnet": applied to clients in 100.64.0.0/10 through
# the access-control-view entry in the server: clause. View selection is by
# client source address only.
view:
  name: "tailnet"
  # Consult this view's local zones first; on no match, fall back to the
  # global local-zone/local-data.
  view-first: yes
  # transparent: names under example.com. without local-data here are
  # resolved normally. A name that has local-data but not the queried type
  # gets a NODATA answer, e.g. AAAA queries for the A-only hosts below.
  local-zone: "example.com." transparent
  # Same service names as the "lan" view, answered with the host's
  # 100.81.165.11 address instead of its LAN address.
  local-data: "nextcloud.example.com. A 100.81.165.11"
  local-data: "photo.example.com. A 100.81.165.11"
  local-data: "gitea.example.com. A 100.81.165.11"
  local-data: "portainer.example.com. A 100.81.165.11"
  local-data: "vaultwarden.example.com. A 100.81.165.11"

# Management channel used by unbound-control.
remote-control:
  control-enable: yes
  # An absolute path makes this a local unix socket. Per unbound.conf(5) the
  # control certificates and keys are not used for such a socket; access is
  # governed by the ownership and permission bits of the socket file.
  # NOTE(review): confirm which users and groups can reach /run/unbound.ctl,
  # since unbound-control can change resolver state (cache, local data,
  # reload). Placing the socket in a restricted directory narrows access.
  control-interface: /run/unbound.ctl


