server: 
        module-config: "validator iterator"

        #module-config: "dns64 validator iterator"
        #dns64-prefix: 64:ff9b::/96

        interface: 0.0.0.0
        interface: ::0
        interface-automatic: yes
        access-control: 0.0.0.0/0 allow
        access-control: ::0/0 allow
        # Daemon manages keeping this file up to date
        root-hints: "/etc/unbound/root.hints"
        do-udp: yes
        #logfile: /var/log/unbound.log
        #log-queries: yes
        #log-servfail: yes

        #example to allow private records to come from public sources
        #private-domain: "plex.direct"

# Forward netflix to a local bind instance that doesn't return AAAA records (for tunnelbroker)
#forward-zone:
   #name: "netflix.com"
   #forward-addr: 127.0.0.1@10053

# Forward AD domain to DCs
#forward-zone:
#  name: "ad.domain.com"
#   forward-addr: 10.10.8.2
#   forward-addr: 10.10.8.3

# Needed for DNS-over-TLS, path may be different for non-Debian
server:
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# Forward all requests to CloudFlare DoT. Commenting all this out forces local resolving with root.hints
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com