unbound.conf

server:
        interface: 10.20.30.1
        interface: 127.0.0.1
        verbosity: 1
        port: 53
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        access-control: 127.0.0.0/8 allow
        access-control: 10.20.30.0/24 allow
        chroot: "/var/unbound"
        username: "unbound"
        directory: "/var/unbound"
        logfile: ""
        use-syslog: yes
        log-time-ascii: no
        log-queries: yes
        pidfile: "/var/run/local_unbound.pid"
        # root-hints: "/var/unbound/root.hints" # Use forwarders instead
        hide-identity: yes
        hide-version: yes
        identity: ""
        version: ""
        harden-glue: yes
        harden-dnssec-stripped: yes
        use-caps-for-id: yes
        cache-min-ttl: 3600
        cache-max-ttl: 86400
        prefetch: yes
        num-threads: 1

        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-domain: "intra.yourdomain.nl"
        unwanted-reply-threshold: 10000
        do-not-query-localhost: no
        val-clean-additional: yes

        local-zone: "0.0.10.in-addr.arpa." nodefault


stub-zone:
        name: "intra.yourdomain.nl"
        stub-addr: 127.0.0.1@53530

stub-zone:
        name: "30.20.10.in-addr.arpa."
        stub-addr: 127.0.0.1@53530

forward-zone:
        name: "."
        forward-addr: 1.2.3.4
        forward-addr: 5.6.7.8

Updated: August 21, 2018