Gary_Dexter
Senior Member
If setup correctly, Unbound will also update the cache in the background via the prefetch setting
Unbound low cache hit rate
- Thread starter John DeLuca
- Start date
Twiglets
Senior Member
There needs to be a 'Rabbit hole' warning at this point !!! ...
["Danger !!! ... Will Robinson"
]
There are so many things in Unbound that you can 'play with & tweak'.
The problem is understanding the changes and whether they are useful/worth it !!!
What is useful for me, may not be useful for others !!!
I have 'played' with unbound a lot ... amongst others.
I do tend to change things because I can and 'tweaking things is Fun' !!!
My motto is "If it ain't Broken ... Tweak it again, just for the Hell of it !!!"
(I have very understanding users, at home, where I do my greatestdamage work 
)
["Danger !!! ... Will Robinson"
]There are so many things in Unbound that you can 'play with & tweak'.
The problem is understanding the changes and whether they are useful/worth it !!!
What is useful for me, may not be useful for others !!!
I have 'played' with unbound a lot ... amongst others.
I do tend to change things because I can and 'tweaking things is Fun' !!!
My motto is "If it ain't Broken ... Tweak it again, just for the Hell of it !!!"
(I have very understanding users, at home, where I do my greatest
)
sfx2000
Part of the Furniture
IIRC - unbound has a tunable parameter for the TTL limits and cache...
cache-min-ttl: (value in seconds)
The default is 0 (zero) which is what the domain owner has intended...
Twiglets
Senior Member
Yes.
If you look at the dnsmasq Man page it is described as "A lightweight DHCP and caching DNS server".
See dnsmasq Man page
[The '-c' or '--cache-size=' option sets the cache size. There is a default value of 150.]
Twiglets
Senior Member
For clarity, (From the docs @ https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html# ):
The 'cache-min-ttl: 0' setting does not mean 0 seconds.
It means do not override the ttl [time-to-live = expiry time in the cache] as set in the dns record by the domain owner.
0 mean 'disabled' for this option in the unbound.conf.
Non-Zero settings mean xxx seconds minimum for the ttl, overriding the ttl on the DNS record.
The ttl is usually set by the domain owner to balance the rate of requests coming in vs a reasonable timeout to allow for the DNS record changing and requiring requesters to update their data.
P.S.
I did warn you ... this is the entrance to the 'Rabbit hole' !!!
P.P.S.
sfx2000 I DID understand you said this BUT it may have not been clear to others !!!!
Last edited:
Viktor Jaep
Part of the Furniture
In the end, we all just come back to vanilla, because tweaking is always breaking things. lol
Last edited:
Twiglets
Senior Member
sfx2000
Part of the Furniture
Indeed - but some are going to do it anyways...
Gary_Dexter
Senior Member
This is my config - albeit on a RPi - but it works flawlessly
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
server:
# Do not daemonize, to allow proper systemd service control and status estimation.
do-daemonize: no
# A single thread is pretty sufficient for home or small office instances.
num-threads: 4
# Logging: For the sake of privacy and performance, keep logging at a minimum!
# - Verbosity 2 and up practically contains query and reply logs.
verbosity: 0
log-queries: no
log-replies: no
# - If required, uncomment to log to a file, else logs are available via "journalctl -u unbound".
#logfile: "/var/log/unbound.log"
# Set interface to "0.0.0.0" to make Unbound listen on all network interfaces.
# Set it to "127.0.0.1" to listen on requests from the same machine only, useful in combination with Pi-hole.
interface: 127.0.0.1
# Default DNS port is "53". When used with Pi-hole, set this to e.g. "5335", since "5353" is used by mDNS already.
port: 5335
# Control IP ranges which should be able to use this Unbound instance.
# The DietPi defaults permit access from official local network IP ranges only, hence requests from www are denied.
access-control: 0.0.0.0/0 refuse
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.1/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
access-control: ::/0 refuse
access-control: ::1/128 allow
access-control: fd00::/8 allow
access-control: fe80::/10 allow
# Private IP ranges, which shall never be returned or forwarded as public DNS response.
# NB: 127.0.0.1/8 is sometimes used by adblock lists, hence DietPi by default allows those as response.
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# Define protocols for connections to and from Unbound.
# NB: Disabling IPv6 does not disable IPv6 IP resolving, which depends on the clients request.
do-udp: yes
do-tcp: yes
do-ip4: yes
do-ip6: no
# Ratelimiting
ratelimit: 1000
ratelimit-size: 8m
ratelimit-slabs: 8
ratelimit-factor: 10
ip-ratelimit: 100
ip-ratelimit-size: 8m
ip-ratelimit-slabs: 8
ip-ratelimit-factor: 10
jostle-timeout: 1000
# Defend against and print warning when reaching unwanted reply limit.
unwanted-reply-threshold: 10000
# Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
max-udp-size: 1232
# Increase incoming and outgoing query buffer size to cover traffic peaks.
so-rcvbuf: 4m
so-sndbuf: 4m
# Hardening
harden-glue: yes
harden-dnssec-stripped: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
harden-below-nxdomain: yes
harden-referral-path: yes
aggressive-nsec: yes
deny-any: yes
# Privacy
use-caps-for-id: yes # Spoof protection by randomising capitalisation
rrset-roundrobin: yes
qname-minimisation: yes
minimal-responses: yes
hide-identity: yes
identity: "Server" # Purposefully a dummy identity name
hide-version: yes
# Caching
cache-min-ttl: 3600
cache-max-ttl: 86400
serve-expired: yes
serve-expired-ttl: 86400
serve-expired-ttl-reset: yes
serve-expired-reply-ttl: 30
# serve-expired-client-timeout: 1800
prefetch: yes
prefetch-key: yes
msg-cache-size: 128m
rrset-cache-size: 256m
key-cache-size: 8m
neg-cache-size: 8m
# the number of slabs to use for cache and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# Disable subnetcache to circumvent warnings
# related to prefetch and serve-expired
# when ECS is compiled with Unbound.
module-config: "validator iterator"
# Enable extended statistics.
extended-statistics: yes
statistics-interval: 0
# Use libevent
outgoing-range: 8192
num-queries-per-thread: 4096
# fast-server-permil: <number>
# Specify how many times out of 1000 to pick from the set of fastest
# servers. 0 turns the feature off. A value of 900 would pick from
# the fastest servers 90 percent of the time, and would perform nor-
# mal exploration of random servers for the remaining time. When
# prefetch is enabled (or serve-expired), such prefetches are not
# sped up, because there is no one waiting for it, and it presents a
# good moment to perform server exploration. The fast-server-num op-
# tion can be used to specify the size of the fastest servers set.
# The default for fast-server-permil is 0.
fast-server-permil: 750
# fast-server-num: <number>
# Set the number of servers that should be used for fast server se-
# lection. Only use the fastest specified number of servers with the
# fast-server-permil option, that turns this on or off. The default
# is to use the fastest 3 servers.
fast-server-num: 3
# target-fetch-policy: <"list of numbers">
# Set the target fetch policy used by unbound to determine if it
# should fetch nameserver target addresses opportunistically. The
# policy is described per dependency depth.
# The number of values determines the maximum dependency depth
# that unbound will pursue in answering a query. A value of -1
# means to fetch all targets opportunistically for that dependency
# depth. A value of 0 means to fetch on demand only. A positive
# value fetches that many targets opportunistically.
# Enclose the list between quotes ("") and put spaces between num-
# bers. The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0
# 0" gives behaviour closer to that of BIND 9, while setting "-1
# -1 -1 -1 -1" gives behaviour rumoured to be closer to that of
# BIND 8.
target-fetch-policy: "0 0 0 0 0"
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
server:
# Do not daemonize, to allow proper systemd service control and status estimation.
do-daemonize: no
# A single thread is pretty sufficient for home or small office instances.
num-threads: 4
# Logging: For the sake of privacy and performance, keep logging at a minimum!
# - Verbosity 2 and up practically contains query and reply logs.
verbosity: 0
log-queries: no
log-replies: no
# - If required, uncomment to log to a file, else logs are available via "journalctl -u unbound".
#logfile: "/var/log/unbound.log"
# Set interface to "0.0.0.0" to make Unbound listen on all network interfaces.
# Set it to "127.0.0.1" to listen on requests from the same machine only, useful in combination with Pi-hole.
interface: 127.0.0.1
# Default DNS port is "53". When used with Pi-hole, set this to e.g. "5335", since "5353" is used by mDNS already.
port: 5335
# Control IP ranges which should be able to use this Unbound instance.
# The DietPi defaults permit access from official local network IP ranges only, hence requests from www are denied.
access-control: 0.0.0.0/0 refuse
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.1/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
access-control: ::/0 refuse
access-control: ::1/128 allow
access-control: fd00::/8 allow
access-control: fe80::/10 allow
# Private IP ranges, which shall never be returned or forwarded as public DNS response.
# NB: 127.0.0.1/8 is sometimes used by adblock lists, hence DietPi by default allows those as response.
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# Define protocols for connections to and from Unbound.
# NB: Disabling IPv6 does not disable IPv6 IP resolving, which depends on the clients request.
do-udp: yes
do-tcp: yes
do-ip4: yes
do-ip6: no
# Ratelimiting
ratelimit: 1000
ratelimit-size: 8m
ratelimit-slabs: 8
ratelimit-factor: 10
ip-ratelimit: 100
ip-ratelimit-size: 8m
ip-ratelimit-slabs: 8
ip-ratelimit-factor: 10
jostle-timeout: 1000
# Defend against and print warning when reaching unwanted reply limit.
unwanted-reply-threshold: 10000
# Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
edns-buffer-size: 1232
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
max-udp-size: 1232
# Increase incoming and outgoing query buffer size to cover traffic peaks.
so-rcvbuf: 4m
so-sndbuf: 4m
# Hardening
harden-glue: yes
harden-dnssec-stripped: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
harden-below-nxdomain: yes
harden-referral-path: yes
aggressive-nsec: yes
deny-any: yes
# Privacy
use-caps-for-id: yes # Spoof protection by randomising capitalisation
rrset-roundrobin: yes
qname-minimisation: yes
minimal-responses: yes
hide-identity: yes
identity: "Server" # Purposefully a dummy identity name
hide-version: yes
# Caching
cache-min-ttl: 3600
cache-max-ttl: 86400
serve-expired: yes
serve-expired-ttl: 86400
serve-expired-ttl-reset: yes
serve-expired-reply-ttl: 30
# serve-expired-client-timeout: 1800
prefetch: yes
prefetch-key: yes
msg-cache-size: 128m
rrset-cache-size: 256m
key-cache-size: 8m
neg-cache-size: 8m
# the number of slabs to use for cache and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# Disable subnetcache to circumvent warnings
# related to prefetch and serve-expired
# when ECS is compiled with Unbound.
module-config: "validator iterator"
# Enable extended statistics.
extended-statistics: yes
statistics-interval: 0
# Use libevent
outgoing-range: 8192
num-queries-per-thread: 4096
# fast-server-permil: <number>
# Specify how many times out of 1000 to pick from the set of fastest
# servers. 0 turns the feature off. A value of 900 would pick from
# the fastest servers 90 percent of the time, and would perform nor-
# mal exploration of random servers for the remaining time. When
# prefetch is enabled (or serve-expired), such prefetches are not
# sped up, because there is no one waiting for it, and it presents a
# good moment to perform server exploration. The fast-server-num op-
# tion can be used to specify the size of the fastest servers set.
# The default for fast-server-permil is 0.
fast-server-permil: 750
# fast-server-num: <number>
# Set the number of servers that should be used for fast server se-
# lection. Only use the fastest specified number of servers with the
# fast-server-permil option, that turns this on or off. The default
# is to use the fastest 3 servers.
fast-server-num: 3
# target-fetch-policy: <"list of numbers">
# Set the target fetch policy used by unbound to determine if it
# should fetch nameserver target addresses opportunistically. The
# policy is described per dependency depth.
# The number of values determines the maximum dependency depth
# that unbound will pursue in answering a query. A value of -1
# means to fetch all targets opportunistically for that dependency
# depth. A value of 0 means to fetch on demand only. A positive
# value fetches that many targets opportunistically.
# Enclose the list between quotes ("") and put spaces between num-
# bers. The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0
# 0" gives behaviour closer to that of BIND 9, while setting "-1
# -1 -1 -1 -1" gives behaviour rumoured to be closer to that of
# BIND 8.
target-fetch-policy: "0 0 0 0 0"
SomeWhereOverTheRainBow
Part of the Furniture
what is your output for unbound -V ?
Viktor Jaep
Part of the Furniture
Not sure why you guys dig a hole when >99% cache hit rate with constant performance is on the surface and doesn't require any 3rd party firmware, Entware, 3rd party scripts, USB sticks or additional hardware. Some are doing it for sports, I guess.
SomeWhereOverTheRainBow
Part of the Furniture
Some like to over complicate things with hacky workarounds in hot pursuit of that edge case. Or they are just waiting for you to hand out the sports medalsNot sure why you guys dig a hole when >99% cache hit rate with constant performance is on the surface and doesn't require any 3rd party firmware, Entware, 3rd party scripts, USB sticks or additional hardware. Some are doing it for sports, I guess.
.Tuning unbound cache (or any cache) is often a case of diminishing returns. Once you're:
- hitting >99%,
- seeing consistent latency,
- avoiding eviction storms or slab rebalancing issues.
Some individuals will just never be satisfied until they squeeze every last drop of performance --- just ask @Viktor Jaep before your choose which pill to take.
Viktor Jaep
Part of the Furniture
Some like to over complicate things with hacky workarounds in hot pursuit of that edge case. Or they are just waiting for you to hand out the sports medals
Tuning unbound cache (or any cache) is often a case of diminishing returns. Once you're:
- hitting >99%,
- seeing consistent latency,
- avoiding eviction storms or slab rebalancing issues.
Some individuals will just never be satisfied until they squeeze every last drop of performance --- just ask @Viktor Jaep before your choose which pill to take.
Gary_Dexter
Senior Member
Running the version available form Debian APT repository so only version 1.17.1 - will be upgrading to the latest release soon though.
dietpi@dietpi:~$ sudo unbound -V
Version 1.17.1
Configure line: --build=aarch64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/aarch64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --disable-flto --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.17 1 Jul 2025
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues
Tech9
Part of the Furniture
Running own resolver has little to do with performance. Serving expired records is chasing a number with potential negative side effects. A variation of common speed test troubleshooting resulting in no noticeable improvements in user experience. May only make it worse.
SomeWhereOverTheRainBow
Part of the Furniture
Twiglets
Senior Member
I hope you are not mixing the Red and the Blue pills ...
[Mr Anderson!!!!]Similar threads
Similar threads
Similar threads
-
-
-
-
Unbound After upgrading to firmware version 3006 that Unbound's hit rate has decreased?
- Started by aru
- Replies: 20
-
Unbound Setup Unbound to work with Diversion and ASUS DDNS
- Started by sentinelvdx
- Replies: 3
-
Does this look right for Nord VPN Unbound setup, the extra address worked
- Started by Jack-Sparr0w
- Replies: 22
-
-
Is it possible to add more addresses in unbound dns firewall?
- Started by Jack-Sparr0w
- Replies: 7
-
Unbound Redirect Internet traffic through tunnel best setting for unbound dns and vpn
- Started by Jack-Sparr0w
- Replies: 3
Latest threads
-
-
-
IPv6 Routing Rules Not Working to Redirect Local Devices Via Wireguard VPN Clients
- Started by wildland_hondo
- Replies: 0
-
Asus Router App connection problem on iOS device- Started by joebloogs
- Replies: 11
-
Transferring settings from old router to new router is it possible? Router suggestions?
- Started by JOE.G
- Replies: 5
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!