# Unbound DNS configuration for Nebula overlay network
# Deployed by Ansible - do not edit manually
#
# NOTE: this file is unbound.conf syntax rendered through a Jinja2 template,
# not YAML. Repeated keys (interface:, access-control:, forward-addr:) and
# yes/no values are intentional Unbound syntax - do not "correct" them with
# a YAML linter or formatter.
server:
    # Network settings - listen on loopback and on this host's Nebula address.
    # (Loopback is also bound, so "Nebula interface only" means no underlay
    # or wildcard address is listened on.)
    interface: 127.0.0.1
    # Nebula address of the 'dns' inventory host; presumably a host var or
    # gathered fact - verify it is defined at render time, an empty expansion
    # leaves a bare "interface:" line that Unbound will reject.
    interface: {{ hostvars['dns']['nebula_ip'] }}
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Access control - Nebula network only.
    # NOTE(review): 10.10.10.0/24 is hardcoded while the interface above is
    # templated; confirm it matches the Nebula overlay subnet, otherwise
    # overlay clients fall through to the refuse rule.
    # Unbound is documented to match the most specific netblock, so the order
    # of these lines is not significant - confirm for the deployed version.
    access-control: 127.0.0.0/8 allow
    access-control: 10.10.10.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Performance tuning
    num-threads: 2
    msg-cache-size: 16m
    rrset-cache-size: 32m
    # Clamps upstream TTLs into [300s, 86400s]; short-TTL records (e.g. failover
    # names) are served for at least 5 minutes - assumed acceptable here.
    cache-min-ttl: 300
    cache-max-ttl: 86400

    # Privacy - do not answer id.server / version.bind style queries
    hide-identity: yes
    hide-version: yes

    # Security hardening
    harden-glue: yes
    # NOTE(review): harden-dnssec-stripped only has an effect when DNSSEC
    # validation is enabled. No trust anchor (auto-trust-anchor-file) is set in
    # this file - presumably the distro package supplies one via an include;
    # confirm, otherwise nothing is actually validated.
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    # 0x20 query-name case randomisation against spoofed replies
    use-caps-for-id: yes

    # Rate limiting - per client IP, queries per second; excess is dropped
    ip-ratelimit: 100

    # Logging - empty logfile with use-syslog sends log output to syslog
    verbosity: 1
    logfile: ""
    use-syslog: yes

    # Include local zone definitions (managed separately; path must exist on
    # the target host or Unbound fails to start)
    include: /etc/unbound/local-zones.conf

# Forward external queries to public DNS
# Cloudflare primary (faster - we're behind their proxy)
# Google fallback
# NOTE(review): Unbound does not treat forward-addr lines as an ordered
# primary/fallback list; all four addresses form one pool selected by
# measured RTT - confirm if strict Cloudflare-first behaviour is required.
# NOTE(review): no forward-tls-upstream is set, so queries to these resolvers
# leave the host in plaintext on port 53 over the underlay network. If that
# exposure matters, consider forward-tls-upstream with @853#<hostname>
# addresses and a CA bundle (tls-cert-bundle) in the server section.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4