Open main menu

In short:

  • Haproxy TCP/HTTP logs are disabled. No IP addresses are collected.
  • Unbound debug logs are enabled (verbosity: 1).
  • Query amounts coming specifically from the DNS-over-TLS server aren’t counted.
  • Website/DNS-over-HTTPS gateway’s NGINX logs are disabled.

To elaborate on Unbound’s verbosity, if you have it installed, you can run man unbound.conf, search verbosity and read it yourself. More human-readably . . .

  • Level 0 only outputs errors
  • Level 1 gives high-level operational information (debug logs)
  • Level 2 gives detailed debug logs
  • Level 3 shows the admin what queries are going through Unbound
  • Level 4 gives lower-level algorithm information
  • Level 5 logs client information

There’s no warranty, no uptime assurance, etc. so I recommend using multiple resolvers; that also improves privacy because the DNS queries are spread across multiple providers.

You can see Unbound's configuration file on Gitea. That's what I'm using in production.