Multiple additions and fixes #5

- Multi stage build
- Download and checks Unbound Root anchors
- Download and build malicious hostnames block list for Unbound
- Healthcheck only based on the current IP being different from the initial IP
- IPv6 related completely removed
- Multiple checks at launch with $?
- Launch openvpn as root (can't change user)
- Unbound configured with DNS SEC for DNS over TLS

unbound.conf

@@ -1,18 +1,45 @@
 server:
+  # See https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
+  # logging
   verbosity: 0
-  use-syslog: yes
-  qname-minimisation: yes
-  do-tcp: yes
+  val-log-level: 2
+  use-syslog: no
+  
+  # performance
+  num-threads: 1
   prefetch: yes
+  prefetch-key: yes
+  key-cache-size: 16m
+  key-cache-slabs: 4
+  msg-cache-size: 4m
+  msg-cache-slabs: 4
+  rrset-cache-size: 4m
+  rrset-cache-slabs: 4
+  cache-min-ttl: 3600
+  cache-max-ttl: 9000
+  
+  # privacy
   rrset-roundrobin: yes
-  use-caps-for-id: yes
+  hide-identity: yes
+  hide-version: yes
+  
+  # security
+  root-hints: "/etc/unbound/root.hints"
+  trust-anchor-file: "/etc/unbound/root.key"
+  harden-below-nxdomain: yes
+  harden-referral-path: yes
+  harden-algo-downgrade: yes
+  # set above to no if there is any problem
+  
+  # network
   do-ip4: yes
   do-ip6: no
   interface: 127.0.0.1
-  hide-identity: yes
-  hide-version: yes
+
+  # other files
+  include: "/etc/unbound/blocks-malicious.conf"
 forward-zone:
   name: "."
   forward-addr: 1.1.1.1@853#cloudflare-dns.com
   forward-addr: 1.0.0.1@853#cloudflare-dns.com
-  forward-ssl-upstream: yes
+  forward-tls-upstream: yes