@ibims Der unbound horcht nur an 127.0.0.1:5335:
❯ cat /etc/unbound/unbound.conf.d/pi-hole.conf
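server:
# Logging
logfile: "/var/lib/unbound/unbound.log"
log-time-ascii: yes # optional: human-readable timestamps
verbosity: 1 # 0 = errors only, 1 = operational info, 2-4 = more detail

# Listen on loopback only; Pi-hole on the same host is the only intended client.
interface: 127.0.0.1
interface: ::1
port: 5335

# Accept queries from loopback addresses only.
access-control: 127.0.0.0/8 allow
access-control: ::1 allow

# Address families and transports. These options do not switch off recursion;
# forwarding is set up by the forward-zone for "." further down.
# DoT to the forwarders runs over TCP, so do-tcp has to stay enabled.
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes

# DNSSEC
# NOTE(review): no trust anchor is configured in this file. Unless another
# file under unbound.conf.d supplies one (Debian-based packages usually ship
# one; verify on this host), the validator has nothing to validate against and
# harden-dnssec-stripped / aggressive-nsec have no effect. Confirm by checking
# that a deliberately mis-signed test domain is answered with SERVFAIL.
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
harden-dnssec-stripped: yes
val-clean-additional: yes

# Security & privacy
# hide-identity / hide-version: do not answer id.server / version.bind queries.
hide-identity: yes
hide-version: yes
# NOTE(review): the forwarders below still receive the full query name;
# confirm whether qname-minimisation has any effect in a forward-only setup.
qname-minimisation: yes
aggressive-nsec: yes

# Performance
prefetch: yes
cache-min-ttl: 0
cache-max-ttl: 86400

# root-hints is left unset. That alone does not disable recursion (unbound
# falls back to its built-in hints); the forward-zone for "." below is what
# sends every query to the forwarders.
# root-hints: "/usr/share/dns/root.hints"

# CA bundle used to verify the forwarders' TLS certificates (needed for DoT).
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# --- DoT forwarders, unfiltered ---
# Format: <ip>@<port>#<auth-name>. The name after '#' is what the upstream
# certificate is checked against; without it any certificate name is accepted.
# forward-first is not set, so by default there is no fallback to unencrypted
# recursion when every forwarder is unreachable.
forward-zone:
name: "."
forward-tls-upstream: yes
# dnsforge
forward-addr: 138.199.149.249@853#blank.dnsforge.de
forward-addr: 2a01:4f8:c17:77df::2@853#blank.dnsforge.de
# UncensoredDNS
forward-addr: 91.239.100.100@853#unicast.censurfridns.dk
forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk
# dns.sb
forward-addr: 185.222.222.222@853#dot.sb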
forward-addr: 2a09::@853#dot.sb

Den trägt man im Pi-hole als einzigen Forwarder ein:

Fertig