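# Unbound configuration: caching resolver for containers, forwarding all
# queries to public resolvers over DNS-over-TLS.
server:
    # Listen on all interfaces (inside container)
    interface: 0.0.0.0
    port: 53

    # Allow queries from Docker networks
    # These ranges are all of RFC 1918 private space plus loopback.
    # NOTE(review): depending on the Docker network mode, traffic arriving
    # through a published port can be seen with a bridge-gateway source
    # address inside these ranges. Keep port 53 unpublished, or bound to a
    # trusted host address, so the ACL is not the only barrier against use
    # as an open resolver.
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow
    access-control: 127.0.0.0/8 allow

    # Performance tuning for high-volume lookups
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

    # Cache sizes (MB) - generous for domain crawling
    msg-cache-size: 128m
    rrset-cache-size: 256m
    key-cache-size: 32m
    neg-cache-size: 64m

    # Cache TTL settings
    # cache-min-ttl raises any shorter record TTL to 300 seconds.
    cache-min-ttl: 300
    cache-max-ttl: 86400
    cache-max-negative-ttl: 300

    # Prefetch popular entries before expiry
    prefetch: yes
    prefetch-key: yes

    # Serve stale data while refreshing
    # Expired records may be answered for up to serve-expired-ttl seconds.
    serve-expired: yes
    serve-expired-ttl: 86400

    # Connection handling
    so-reuseport: yes
    outgoing-range: 8192
    num-queries-per-thread: 4096

    # Logging (minimal for performance)
    verbosity: 1
    log-queries: no
    log-replies: no

    # Security
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    # NOTE(review): harden-dnssec-stripped only takes effect when a trust
    # anchor is configured (trust-anchor / auto-trust-anchor-file); none is
    # visible in this section. Confirm one is set elsewhere.
    harden-dnssec-stripped: yes
    use-caps-for-id: yes

    # CA bundle used to authenticate the DNS-over-TLS forwarders below.
    # Without it Unbound does not verify the upstream certificate, and the
    # "#name" part of each forward-addr is not enforced, so the link is
    # encrypted but unauthenticated.
    # The path is the Debian/Alpine ca-certificates location; adjust it to
    # wherever the CA bundle lives in this image.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Permit sending queries to localhost addresses (the default, yes,
    # blocks them). This option is unrelated to the system resolv.conf.
    # NOTE(review): every forwarder below is a public address, so this
    # override looks unnecessary. Confirm, then remove it to restore the
    # default.
    do-not-query-localhost: no

# Upstream DNS servers (forwarding mode for speed)
forward-zone:
    name: "."
    # Use TLS to every forward-addr. Each address has the form
    # IP@port#auth-name, and the auth-name is checked against the server
    # certificate only when tls-cert-bundle is set in the server: clause.
    forward-tls-upstream: yes
    # Cloudflare DNS (fast, reliable)
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Google DNS (fallback)
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google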