tier_2_unbound

This simple config excerpt should be used as a basis for a Tier 2 Unbound installation: 

server:
    access-control: 0.0.0.0/0 allow
    hide-identity: yes
    hide-trustanchor: yes
    hide-version: yes
    interface: x.x.x.x
    minimal-responses: yes
    log-queries: no
    root-hints: "/usr/local/etc/unbound/opennic.cache"
    
    # ratelimiting examples
    ip-ratelimit-factor: 0
    ip-ratelimit: 20
    ratelimit-below-domain: gov 30
    ratelimit: 100

    # See https://nlnetlabs.nl/documentation/unbound/howto-optimise/
    num-threads: 1
    infra-cache-slabs: 1
    key-cache-slabs: 1
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    key-cache-size: 8m # default 4m
    msg-cache-size: 8m # default 4m
    neg-cache-size: 8m # default 1m
    rrset-cache-size: 16m # rrset=msg*2 # default 4m
    outgoing-range: 8192
    num-queries-per-thread: 4096 # outgoing-range/2

    local-zone: example. static
    local-zone: local. static
    local-zone: i2p. static
    local-zone: home. static
    local-zone: zghjccbob3n0. static
    local-zone: dhcp. static
    local-zone: lan. static
    # etc...

The above is by no means complete as there are many other options available. The important part for OpenNIC is the reference to the root-hints file which can be populated like this: 

/usr/local/bin/dig . NS @168.119.153.26 > /usr/local/etc/unbound/opennic.cache

and should look something like this: 

; <<>> DiG 9.20.16 <<>> . NS @168.119.153.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 849
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			86400	IN	NS	ns8.opennic.glue.
.			86400	IN	NS	ns4.opennic.glue.
.			86400	IN	NS	ns2.opennic.glue.
.			86400	IN	NS	ns6.opennic.glue.

;; ADDITIONAL SECTION:
ns8.opennic.glue.	7200	IN	A	178.63.116.152
ns6.opennic.glue.	7200	IN	A	45.79.189.158
ns4.opennic.glue.	7200	IN	A	116.203.104.203
ns2.opennic.glue.	7200	IN	A	161.97.219.84
ns8.opennic.glue.	7200	IN	AAAA	2a01:4f8:141:4281::999
ns4.opennic.glue.	7200	IN	AAAA	2a01:4f8:c2c:da9c::1
ns2.opennic.glue.	7200	IN	AAAA	2001:470:4212:10:0:100:53:10

;; Query time: 303 msec
;; SERVER: 168.119.153.26#53(168.119.153.26) (UDP)
;; WHEN: Mon Jan 05 15:01:30 -03 2026
;; MSG SIZE  rcvd: 287
  • /wiki/data/pages/tier_2_unbound.txt
  • Last modified: 10 days ago
  • by luana