example.conf

# Listen and accept query from everyone on ipv4 and ipv6 and forward it to either Cloudflare or Google using TLS
server:
        verbosity: 1
        ## Specify the interface address to listen on:
        interface: 0.0.0.0
        interface: ::0
        interface-automatic: yes
        ## To listen on all interfaces use:
        #interface: 0.0.0.0
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes

        edns-buffer-size: 4096

        do-daemonize: yes
        access-control: 0.0.0.0/0 allow_snoop
        access-control: ::0/0 allow_snoop
        ## Other access control examples
        #access-control: 192.168.1.0/24 action
        ## 'action' should be replaced by any one of:
        #deny (drop message)
        #refuse (sends  a  DNS  rcode REFUSED error message back)
        #allow (recursive ok)
        #allow_snoop (recursive and nonrecursive ok).
        ## Minimum lifetime of cache entries in seconds.  Default is 0.
        #cache-min-ttl: 60
        ## Maximum lifetime of cached entries. Default is 86400 seconds (1  day).
        #cache-max-ttl: 172800
        ## enable to not answer id.server and hostname.bind queries.
        hide-identity: yes
        ## enable to not answer version.server and version.bind queries.
        hide-version: yes
        ## default is to use syslog, which will log to /var/log/messages.
        # root-hints: "/usr/local/etc/unbound/root.hints"
        auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

        use-syslog: no
        ## to log elsewhere, set 'use-syslog' to 'no' and set the log file location below:
        #logfile: /var/log/unbound

python:
remote-control:
        control-enable: no

## Stub zones are like forward zones (see below) but must only contain authority server (no recursive servers)
#stub-zone:
#        name: "my.test.com"
#		 stub-addr: 172.16.1.1
#		 stub-addr: 172.16.1.2
## Note for forward zones, the destination servers must be able to handle recursion to other DNS server
## Forward all *.example.com queries to the server at 192.168.1.1
#forward-zone:
#        name: "example.com"
#        forward-addr: 192.168.1.1
## Forward all other queries to the Verizon DNS servers

# INTERNET
forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        forward-addr: 8.8.8.8@853#dns.google
        forward-addr: 2001:4860:4860::8888@853#dns.google
        forward-addr: 8.8.4.4@853#dns.google
        forward-addr: 2001:4860:4860::8844@853#dns.google
        forward-tls-upstream: yes