Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

Only Adblock/Unbound. Here it works fine.
Code:
sh /jffs/scripts/unbound/gen_adblock.sh
Removing possible temporary files...
Get hosts list ...
################################################################################################################################################## 100.0%
################################################################################################################################################## 100.0%
################################################################################################################################################## 100.0%
Get domains list ...
################################################################################################################################################## 100.0%
################################################################################################################################################## 100.0%
Combining User Custom block host...
69447 domains compiled
Edit User Custon list of allowed domains...
Removing duplicate formatting from the domain list...
Generating Unbound adlist.....
65922 suspicious and blocked domains
Removing temporary files...
Run gen_unbound...
Removing unbound.conf files..
Removing log's files...
Restarting services...
 Shutting down unbound...              done.
 Starting unbound...              done.
 Shutting down haveged...              done.
 Starting haveged...              done.
 Shutting down suricata...              done.
 Starting suricata...              done.
 Shutting down clamav...              done.
 Starting clamav...              done.
Checking status services...
 Checking haveged...              alive.
 Checking unbound...              alive.
 Checking suricata...              alive.
 Checking clamav...              alive.
Checking unbound.conf...
unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

What is the output? How do you know it didn’t do both?
Why include the second? That file is already merged into the first.

I made some adjustments and cleanup, with support for 127.0.0.1. It became more objective and efficient. Study and adapt.

Code:
# Work files. $hosts and $domains (the list URLs) are set earlier in gen_adblock.sh and are not shown here;
# they are left unquoted on purpose so that several space-separated URLs can be passed to curl at once.
tempoutlist="/opt/var/lib/unbound/adblock/adlist.tmp"
outlist='/opt/var/lib/unbound/adblock/tmp.host'
finalist='/opt/var/lib/unbound/adblock/tmp.finalhost'
permlist='/opt/var/lib/unbound/adblock/permlist'
adlist='/opt/var/lib/unbound/adblock/adservers'
blockhost='/opt/var/lib/unbound/adblock/blockhost'

echo "Get hosts list ..."
# Accept Adblock Plus lines ('||domain^') and hosts lines ('0.0.0.0 domain' / '127.0.0.1 domain');
# keep the second field only when it looks like a domain (a dot followed by a letter), lower-cased.
# RS='\r|\n' copes with CRLF line endings in downloaded lists.
curl --progress-bar $hosts | awk -F'[\\\\|\\\\^| \t]+' -v RS='\r|\n' '{if (($0 ~ /^\|\|.*\^$/ || $1 ~ /^0.0.0.0|127.0.0.1/) && $2 ~ /.*\.[a-z].*/) printf "%s\n",tolower($2) }' | uniq | sort -f >> "$tempoutlist"

echo "Get domains list ..."
# Plain one-domain-per-line lists are appended as they are
curl --progress-bar $domains >> "$tempoutlist"

echo "Combining User Custom block host..."
cat "$blockhost" >> "$tempoutlist"
numberOfAdsBlocked=$(wc -l < "$tempoutlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked domains compiled"

echo "Edit User Custom list of allowed domains..."
# Drop every line that also appears in the allow-list (permlist); first file fills the array, second is filtered
awk 'NR==FNR{a[$0];next} !($0 in a) {print $NF}' "$permlist" "$tempoutlist" > "$outlist"

echo "Removing duplicate formatting from the domain list..."
tr A-Z a-z < "$outlist" | sort -u > "$finalist"

echo "Generating Unbound adlist....."
# One 'local-zone' per domain; always_nxdomain answers NXDOMAIN for the name and everything below it
awk '{print "local-zone: \""$1"\" always_nxdomain"}' "$finalist" > "$adlist"
numberOfAdsBlocked=$(wc -l < "$adlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
 
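The curl/awk pipeline above is hard to test piece by piece, so here is the same list-compilation logic as a standalone Python script. This is an added example, not code from gen_adblock.sh or unbound_manager; the four sample lists are constructed for the example and the Adblock Plus pattern it accepts (`||domain^` with an optional `$options` suffix) is an assumption about that list format. It goes one step beyond the script in one place: the allow-list comparison is done after lower-casing, so a mixed-case permlist entry still matches.

```python
import re

# Constructed sample inputs standing in for the downloaded lists and the two
# user files (blockhost / permlist); they are not real list contents.
SAMPLE_HOSTS_LIST = """\
# hosts-style and Adblock-Plus-style entries mixed, as real lists often are
0.0.0.0 Ads.Example.com
127.0.0.1 tracker.example.net
||banner.example.org^
||NOT-A-DOMAIN^
0.0.0.0 0.0.0.0
::1 localhost
"""
SAMPLE_DOMAIN_LIST = "metrics.example.com\nads.example.com\n"
SAMPLE_BLOCKHOST = "custom.blocked.example\n"
SAMPLE_PERMLIST = "Tracker.Example.net\n"

# '||domain^' with an optional '$options' suffix (Adblock Plus syntax, assumed)
_ABP_RE = re.compile(r"^\|\|([^\^/|$]+)\^")
# '0.0.0.0 domain' or '127.0.0.1 domain' (hosts-file syntax)
_HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)")
# Same acceptance test as the awk '$2 ~ /.*\.[a-z].*/': a dot followed by a letter
_DOMAIN_RE = re.compile(r"^(?=.*\.[a-z])[a-z0-9.-]+$")


def extract_domains(text):
    """Pull lower-cased domain names out of a hosts/ABP style list."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ABP_RE.match(line) or _HOSTS_RE.match(line)
        if not m:
            continue
        domain = m.group(1).lower()
        if _DOMAIN_RE.match(domain):      # rejects '0.0.0.0', 'localhost', 'not-a-domain'
            found.append(domain)
    return found


def plain_domains(text):
    """One domain per line, comments and blanks ignored, lower-cased."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def compile_adlist(hosts_lists, domain_lists, blockhost, permlist):
    """Merge every source, drop allow-listed names, dedupe, and return the
    unbound 'local-zone' lines in sorted order."""
    candidates = []
    for text in hosts_lists:
        candidates.extend(extract_domains(text))
    for text in domain_lists:
        candidates.extend(plain_domains(text))
    candidates.extend(plain_domains(blockhost))
    allowed = set(plain_domains(permlist))   # compared after lower-casing, unlike the awk pass
    blocked = sorted(set(candidates) - allowed)
    return ['local-zone: "%s" always_nxdomain' % d for d in blocked]


if __name__ == "__main__":
    for line in compile_adlist([SAMPLE_HOSTS_LIST], [SAMPLE_DOMAIN_LIST],
                               SAMPLE_BLOCKHOST, SAMPLE_PERMLIST):
        print(line)
```

Run as-is it prints four `local-zone:` lines: `tracker.example.net` is removed by the allow-list even though the permlist spells it with capitals, `ads.example.com` appears once although it came from two sources, and the `0.0.0.0`, `localhost` and `NOT-A-DOMAIN` entries never reach the output because they fail the same "dot followed by a letter" test the awk filter applies.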
What is the output? How do you know it didn’t do both?

Why include the second? That file is already merged into the first.

It was just for testing. As for verification, you can see during the execution of gen_adblock.sh what is downloaded, and later you can verify by checking the stats file to see the count.
 
2 dumb questions:

1) I've disabled logging but that setting does not survive a reboot. Is this expected behavior and is there a way to keep the selected setting persistent?

2) After enabling @juched webUI, the "sgui" option does not appear in UM (Unbound Manager). Again, expected behavior? If it is, may I suggest leaving the "sgui" option available so that updates are simpler?

Thank you!
 

@Martineau is best to answer these. For me logging stays disabled. You may want to try doing the 'I' command again and answering the questions, and for the last one allow it to replace your conf file, and then see if the logging issue stays.

About the sgui command, you should always be able to just type it and it will redownload and install again even if the command isn’t shown on the screen. Easy way to update.
 

I’ve tried that a couple of times and it still turns back on. Hmmm. Guess it’s just me then. Can’t investigate much more at the moment lest the wife kills me for messing around with “a working internet” while she’s home. Will troubleshoot later and see if I can narrow this down.
Thank you.
 
Time they all realised it's OUR router and it's at our discretion that they're allowed to browse the Internet.
 
2 dumb questions

1) I've disabled logging but that setting does not survive a reboot. Is this expected behavior and is there a way to keep the selected setting persistent?
Given the documented performance hit, logging should be OFF by default in 'unbound.conf', and the 'lo' ENABLE logging command is dynamic/temporary, which means a 'rs' or REBOOT should revert logging to OFF.
P.S. You can check 'unbound.conf' after a REBOOT using the 'v' command and examine the logging section and the three physical logging directives should be commented out.

2) After enabling @juched webUI, the "sgui" option does not appear in UM (Unbound Manager). Again, expected behavior? If it is, may I suggest leaving the "sgui" option available so that updates are simpler?
I wanted to have the context menu reflect the current state of the available/installed features, and having added the frivolous 'sgui' URL, this alone should be enough to indicate that there is no point for the 'sgui - Install' option to be displayed to confuse users.
NOTE: I was going to re-add 'sgui uninstall' only when '3 - Advanced Tools' was displayed, but got bored i.e. why would you ever want to remove the excellent GUI statistics chart display? ;)

Anyway, as has been mentioned in several posts, most if not all of the commands (even if not shown in the menu's) are normally always available, so in the case of @juched's script, I don't track its .md5, so would rely on @juched posting the availability of a new release and to inform users to simply issue 'sgui' to manually retrieve/install the new version.
 
i am getting this error when trying to enable unbound:
(screenshot of the error attached)
 
@Milan what command did you issue immediately above what your screenshot shows? :)
 
Can you back up the corrupt 'unbound.conf'
Code:
e  = Exit Script

A:Option ==> vb

 Active 'unbound.conf' backed up to '/opt/share/unbound/configs/2020mmdd-hhmmss_unbound.conf'
then reset 'unbound.conf'
Code:
e  = Exit Script

A:Option ==> rl reset
If you upload the corrupt file to say Pastebin or post in the thread I will try and understand/identify how/why the file is corrupt.
 
here it is

Code:
# rgnldo Github Version=v1.07 Martineau update (Date Loaded by unbound_manager Wed Mar 11 18:23:35 CET 2020)
# v1.07 Martineau - Add     'control-use-cert:' "Fast Menu" template
# v1.06 Martineau - Add     'extended-statistics:' template
# v1.05 Martineau - Add     'DNS-Over-TLS support' & 'so-rcvbuf:' templates
#                   Remove  'prefetch:' & 'prefetch-key:' duplicates - Thanks @Safemode
# v1.04 Martineau - Change  'ip-ratelimit:'
# v1.03 Martineau - Remove  'dns64-prefix:' and 'module-config: "dns64 ..."' from auto ENABLE if IPv6 detected
# v1.02 Martineau - Add     '#use-syslog:' '#log-local-actions:' '#log-tag-queryreply:' Option placeholders
# v1.01 Martineau - Add     'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
#                   Change  'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
#                   Add     If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'
server:
# port to answer queries from
port: 53535

#########################################
# integration LOG's
#
verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes                    # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
log-replies: yes
#use-syslog: yes                            # v1.02 @Martineau Let scribe/syslog-ng handle the log as it gets erased daily if Ad Block enabled :-(
#log-local-actions: yes                     # v1.02 @Martineau
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
#interface: 0.0.0.0
interface: 127.0.0.1@53535                  # v1.01 as per @dave14305 minimal config

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

#########################################
# integration IPV6
#
# do-ip6: yes
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 validator iterator"      # v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                     # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"     # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
#extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 21600
cache-min-ttl: 5
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0                                  # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m                                   # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

remote-control:
control-enable: yes
#control-use-cert: no                            # v1.07 Martineau "Fast Menu"
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

## v1.05 Martineau
forward-zone:                                                        # DNS-Over-TLS support
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

########################################
forward-zone:
   name: "."
   forward-addr: 127.0.1.1@53
#   forward-addr: 0::1@5453 # integration IPV6
#########################################

# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone
 
So did you attempt to configure unbound DoT?
Code:
e  = Exit Script

A:Option ==> DoT

Do you want to ENABLE DoT with unbound?

    Warning: This will DISABLE being able to be your own trusted Recursive DNS Resolver

So, do you STILL want to ENABLE DoT with unbound?

    Reply 'y' or press [Enter]  to skip
 

Far from my expertise level, and maybe it is just a formatting, cut n' paste issue, but wouldn't all of those '@' symbols under the DoT section wreak some havoc??
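Two things in this thread can be checked mechanically before 'unbound-checkconf' is even run: whether a pasted 'unbound.conf' contains a line that is not a directive at all (the run of '@' characters above), or two forward-zones with the same name (the DoT block and the 127.0.1.1 block are both named "."), and whether the logging directives are really commented out after a reboot, as Martineau describes. The script below is an added example, not part of unbound_manager. Its assumptions: that 'logfile', 'log-queries' and 'log-replies' are the three "physical" logging directives meant; that unbound treats '#' as a comment only where it starts a token, so the '#cloudflare-dns.com' auth name in a 'forward-addr:' line is kept; and the sample config is a constructed, trimmed copy that reproduces the two defects of the pasted file.

```python
import re

# Constructed, trimmed-down config with the same defects as the pasted file:
# a run of '@' characters and two forward-zones both named ".".
SAMPLE_CONF = """\
server:
port: 53535
verbosity: 1                 # trailing comment is fine
#logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
#log-replies: yes
interface: 127.0.0.1@53535

remote-control:
control-enable: yes

forward-zone:                 # DNS-Over-TLS support
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

forward-zone:
   name: "."
   forward-addr: 127.0.1.1@53
"""

# Assumption: these are the "three physical logging directives" referred to above.
LOGGING_KEYS = {"logfile", "log-queries", "log-replies"}

_SECTION_RE = re.compile(r"^([a-z-]+):$")                 # e.g. 'server:' 'forward-zone:'
_DIRECTIVE_RE = re.compile(r"^([a-z0-9-]+):\s*(\S.*)$")   # 'key: value'


def strip_comment(line):
    """Remove a '#' comment, but only where '#' starts a token: the '#' inside
    '1.1.1.1@853#cloudflare-dns.com' is the TLS auth name, not a comment (assumed)."""
    m = re.search(r"(^|\s)#", line)
    return line[:m.start()] if m else line


def lint_unbound_conf(text):
    """Return (problems, active_logging): problems is a list of (lineno, message);
    active_logging lists uncommented logging directives in the server section."""
    problems, active_logging = [], []
    forward_zone_names = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            problems.append((lineno, "not a directive: %r" % raw.strip()))
            continue
        key, value = m.group(1), m.group(2)
        if section == "forward-zone" and key == "name":
            zone = value.strip('"')
            if zone in forward_zone_names:
                problems.append((lineno, "forward-zone %r already defined at line %d"
                                 % (zone, forward_zone_names[zone])))
            else:
                forward_zone_names[zone] = lineno
        elif section == "server" and key in LOGGING_KEYS:
            active_logging.append((lineno, key, value))
    return problems, active_logging


def logging_is_off(text):
    """True when none of LOGGING_KEYS is active, i.e. the expected post-reboot state."""
    return not lint_unbound_conf(text)[1]


if __name__ == "__main__":
    problems, logging = lint_unbound_conf(SAMPLE_CONF)
    for lineno, msg in problems:
        print("line %d: %s" % (lineno, msg))
    print("logging off:", logging_is_off(SAMPLE_CONF), logging)
```

On the sample it reports line 16 (the '@' run) as not a directive and line 19 as a second forward-zone "." after the one at line 13, and shows 'log-queries' still active. Pointing it at the real file ('/opt/var/lib/unbound/unbound.conf' on the router) before pasting gives the same answers without needing unbound installed on the machine doing the check; it is a sanity check, not a replacement for 'unbound-checkconf', which remains the authority on what unbound will accept.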
 
