Unbound Tuning for gaming and VPN bind 2.0 (2026)

Jack-Sparr0w

Senior Member
Code:
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0                                 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator"      # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                            # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
key-cache-size: 32m
msg-cache-size: 50m
rrset-cache-size: 100m
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 32m
http-response-buffer-size: 32m
stream-wait-size: 32m
quic-size: 32m
cache-max-ttl: 14400                            # v1.08 Martineau
cache-min-ttl: 3600                             # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400                         # v1.12 as per @juched
serve-expired-ttl-reset: yes                     # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 3000                               # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config
max-udp-size: 3072                               # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767                    # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535               # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 3
infra-cache-numhosts: 40000
discard-timeout: 3000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 180
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 180
wait-limit-cookie: 30000
wait-limit: 3000
infra-cache-min-rtt: 1000
infra-cache-max-rtt: 120000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1000
neg-cache-size: 32m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 180
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
cookie-secret: "de26012a125d2b6ef535d751a943c698"
ip-ratelimit-cookie: 30000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 3600
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m                                   # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
 
VPN Config


remote-cert-tls server
remote-random
nobind
resolv-retry infinite
persist-key
persist-tun
auth-nocache
tls-version-min 1.2
tls-version-max 1.3
tls-ciphersuites TLS_AES_256_GCM_SHA384
tls-cert-profile preferred
data-ciphers AES-256-GCM
tls-groups X25519
verify-x509-name CN=ca1482.nordvpn.com
reneg-sec 3600
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 60
ping-restart 180
ping-timer-rem
explicit-exit-notify 0
pull
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
pull-filter ignore "redirect-gateway ipv6"
block-ipv6
fast-io
mute-replay-warnings

#log /tmp/vpn.log


verify-x509-name CN=ca1482.nordvpn.com: replace 1482 with your own number
 
There is no explanation of what these files do, in terms of the changes from the original files.
There are a large number of changes or omissions from the original files.
(Some omissions mean default values that are not apparent unless you understand ALL the possible settings & their interactions)

Anyone using these files is going to be using them as a 'black box' because there is no explanation of what they do and what improvement they give.
I have looked at the changes, very briefly, and it would take some time to understand the changes in functionality from the original setup.

I have also made changes BUT would be reluctant to encourage anyone else to copy my changes without them understanding what they are doing, which means getting very low level in the minutiae of the individual settings in the .conf file.

Please don't take this as a criticism, just a reminder that you may need to explain what is being done in more detail.
Not everyone has spent time 'swimming' in the delights of unbound config parameters (I have and think it is 'fun' !!!) :eek: ;) :D
 
Last edited:
Right... 2025 edition of this thread ended up with no explanation. Let's call it opportunity.
 
Right... 2025 edition of this thread ended up with no explanation. Let's call it opportunity.
Nobody better tell @dave14305 about this thread. Then it becomes a problem. ;)
 
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/u...r-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 32m
msg-cache-size: 50m
rrset-cache-size: 100m
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 32m
http-response-buffer-size: 32m
stream-wait-size: 32m
quic-size: 32m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 0 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 3000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 3
infra-cache-numhosts: 40000
discard-timeout: 3000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 180
wait-limit-cookie: 30000
wait-limit: 3000
infra-cache-min-rtt: 1000
infra-cache-max-rtt: 180000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1000
neg-cache-size: 32m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
cookie-secret: "de26012a125d2b6ef535d751a943c698"
ip-ratelimit-cookie: 30000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 180
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes

Better values for overhead
 
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/u...r-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 4m
msg-cache-size: 4m
rrset-cache-size: 4m
ip-ratelimit-size: 4m
ratelimit-size: 4m
http-query-buffer-size: 4m
http-response-buffer-size: 4m
stream-wait-size: 4m
quic-size: 8m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 0 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 3000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 5
infra-cache-numhosts: 40000
discard-timeout: 3000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 180
wait-limit-cookie: 30000
wait-limit: 3000
infra-cache-min-rtt: 1000
infra-cache-max-rtt: 180000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1000
neg-cache-size: 1m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
cookie-secret: "de26012a125d2b6ef535d751a943c698"
ip-ratelimit-cookie: 30000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 180
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes
ip-ratelimit-factor: 30

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: no
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes


Lowered cache values as they were set too high in my config

  • Hit ratio stays high (80-95%) for home traffic patterns.
  • No memory pressure — avoids OOM kills during peak usage.

unbound.conf(5) — Unbound 1.24.2 documentation (unbound.docs.nlnetlabs.nl)

This is the official guide if you have any questions, as I am pretty busy these days.

Copy and paste if you like the setup (1 GB RAM, 4-core router setup)
 
Last edited:
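To see what "set too high" means in bytes, here is a small checker for the cache-size keys used in the configs above. It is an added example for this thread, not Unbound's tooling or any poster's code: it parses a config fragment in the posts' style, sums the configured cache limits against a budget (the 256 MiB budget for the 1 GB router is an assumption), and flags the cookie-secret literal that appears in the posted configs, since a value copied from a public post is no longer a secret. Both fragments are constructed from the sizes posted above.

```python
"""Cache-memory budget check for the unbound.conf fragments in this thread.
Added example, not Unbound's tooling or the posters' code; the fragments are
constructed from the posted keys and the 256 MiB budget is an assumption."""
import re
_SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# Keys with byte-size values, in the order they appear in the posts
CACHE_KEYS = ("key-cache-size", "msg-cache-size", "rrset-cache-size",
              "ip-ratelimit-size", "ratelimit-size", "http-query-buffer-size",
              "http-response-buffer-size", "stream-wait-size", "quic-size",
              "neg-cache-size")
# cookie-secret literal from the posted configs; once public it is no secret
PUBLISHED_COOKIE_SECRET = "de26012a125d2b6ef535d751a943c698"
BIG_CONF = """\
key-cache-size: 32m
msg-cache-size: 50m
rrset-cache-size: 100m   # trailing comments must be ignored
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 32m
http-response-buffer-size: 32m
stream-wait-size: 32m
quic-size: 32m
neg-cache-size: 32m
cookie-secret: "de26012a125d2b6ef535d751a943c698"
"""
# Same keys with the "Better values for overhead" sizes, as plain lines
SMALL_CONF = "\n".join("%s: %s" % kv for kv in zip(
    CACHE_KEYS, "4m 4m 4m 4m 4m 4m 4m 4m 8m 1m".split()))
def parse_size(text):
    """'100m' -> 104857600; suffixes k/m/g as in unbound.conf(5)."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError("bad size value: %r" % text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]
def parse_conf(text):
    """Map 'key: value' lines to a dict, dropping '#' comments and quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, val = line.split(":", 1)
            conf[key.strip()] = val.strip().strip('"')
    return conf
def lint(text, budget_bytes=256 * 1024 ** 2):
    """Return (configured cache bytes, warnings); real RSS is higher still."""
    conf = parse_conf(text)
    total = sum(parse_size(conf[k]) for k in CACHE_KEYS if k in conf)
    warns = []
    if total > budget_bytes:
        warns.append("configured caches exceed budget")
    if conf.get("cookie-secret") == PUBLISHED_COOKIE_SECRET:
        warns.append("cookie-secret copied from a public post; "
                     "generate your own with: openssl rand -hex 16")
    return total, warns
```

Running `lint(BIG_CONF)` reports 374 MiB of configured caches plus the cookie-secret warning, while `lint(SMALL_CONF)` reports 41 MiB and no warnings.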
I remember when buddy first wrote this program for this system on Asus. He was dead on in choosing values. Those values are the golden ratio. Had so many issues in the past when it was first introduced. But trust me, the config is right on his end for sure.
 
Most values are changed to respect the Time to Live (TTL) set by authoritative DNS servers. Best used with a dynamic IP from WAN or VPN. If you have this type of setup, these values might interest you.
 
Use the unbound-control dump_infra command and match the values to your RTT.

RTT 1000 when unbound-control dump_infra is run as root in PuTTY. Tune from that value.
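A way to turn the dump_infra advice into numbers: the script below summarises the measured RTTs from `unbound-control dump_infra` output and shows how many hosts a given infra-cache-min-rtt would override (Unbound's default is 50 ms; the config above uses 1000). It is an added example for this thread, not an Unbound tool; the line format follows what current Unbound prints, and the sample lines are constructed, not a real capture.

```python
"""Summarise 'unbound-control dump_infra' output so infra-cache-min-rtt and
infra-cache-max-rtt can be set from measured RTTs. Added example for this
thread, not an Unbound tool; the sample lines are constructed, not captured."""
import re
from statistics import median

# Format as printed by current Unbound: "<ip> <zone> ttl N ping N var N rtt N
# rto N ..." per host, or "<ip> <zone> expired" for stale entries.
SAMPLE_DUMP = """\
192.0.2.10 example.net ttl 780 ping 120 var 45 rtt 300 rto 300 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.5 . ttl 860 ping 30 var 10 rtt 70 rto 70 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
203.0.113.7 example.org ttl 120 ping 600 var 200 rtt 1400 rto 1400 tA 1 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
203.0.113.9 example.org expired
"""
_HOST = re.compile(r"^(\S+) (\S+) .*\brtt (\d+)\b")

def parse_rtts(dump):
    """Return [(ip, zone, rtt_ms)] for live entries; expired ones are skipped."""
    hosts = []
    for line in dump.splitlines():
        m = _HOST.match(line)
        if m:                       # expired lines carry no 'rtt' token
            hosts.append((m.group(1), m.group(2), int(m.group(3))))
    return hosts

def rtt_summary(dump, min_rtt_setting):
    """Distribution of measured RTTs plus how many hosts a given
    infra-cache-min-rtt would floor (their measured RTT is below it)."""
    rtts = sorted(r for _, _, r in parse_rtts(dump))
    if not rtts:
        raise ValueError("no live infra entries in dump")
    return {
        "hosts": len(rtts),
        "min_ms": rtts[0],
        "median_ms": int(median(rtts)),
        "max_ms": rtts[-1],
        "floored_by_min_rtt": sum(1 for r in rtts if r < min_rtt_setting),
    }

if __name__ == "__main__":
    # Compare the thread's infra-cache-min-rtt: 1000 with Unbound's default 50
    for setting in (50, 1000):
        print(setting, rtt_summary(SAMPLE_DUMP, setting))
```

On a real router, pipe the live output in with `unbound-control dump_infra | python3 -` after replacing SAMPLE_DUMP with `sys.stdin.read()`.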
 
