server:
    interface: 0.0.0.0
    interface: ::0

    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 172.20.25.1/32 allow
    access-control: 172.20.25.2/32 allow
    access-control: 172.20.25.3/32 allow
    access-control: 172.20.25.0/24 refuse_non_local

    extended-statistics: yes

    hide-identity: yes
    hide-version: yes

    tls-upstream: yes
    tls-cert-bundle: {{ tls_bundle }}

    chroot: ""

    unblock-lan-zones: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."
    forward-addr: 172.20.20.10@853#dns.home.foo.sh
    forward-addr: 172.20.20.11@853#dns.home.foo.sh
    forward-addr: 172.20.20.12@853#dns.home.foo.sh

{% for zone in unbound_zones %}
auth-zone:
    name: "{{ zone }}"
    zonefile: "{{ unbound_zonedir }}/{{ zone }}"
{% endfor %}