
Unbound Tuning for gaming and VPN bind 2.0 (2026)

Jack-Sparr0w

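# unbound.conf server options as shared in the post (the enclosing `server:` header is
# not part of this excerpt). Values are Unbound's own `yes`/`no` syntax, not YAML booleans.
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0                                 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator"      # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                            # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # v1.01 as per @dave14305 minimal config

# worker threads and per-thread cache slabs (slab counts kept equal to num-threads)
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# cache sizing and TTL policy
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
key-cache-size: 32m
msg-cache-size: 50m
rrset-cache-size: 100m
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 32m
http-response-buffer-size: 32m
stream-wait-size: 32m
quic-size: 32m
cache-max-ttl: 14400                            # v1.08 Martineau
# NOTE(review): a 1h minimum TTL overrides shorter upstream TTLs, so records that
# rotate faster than that (failover, CDN steering) may be served stale for up to an hour
cache-min-ttl: 3600                             # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
# stale answers: expired records may be served for up to a day after they expire
serve-expired: yes
serve-expired-ttl: 86400                         # v1.12 as per @juched
serve-expired-ttl-reset: yes                     # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 3000                               # v1.04 as per @L&LD as it impacts ipleak.net?
# NOTE(review): 1472 is above the 1232 value suggested in the commented IPv6 block above;
# UDP answers larger than the path MTU can fragment — confirm this is intended
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config
# NOTE(review): 3072 permits larger UDP responses than 1232, which works against the
# "reduce fragmentation" intent stated in the inline comment — confirm
max-udp-size: 3072                               # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767                    # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535               # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 3
infra-cache-numhosts: 40000
discard-timeout: 3000
# non-zero threshold enables the cache flush when many unwanted replies are seen (poisoning defence)
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 180
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
# EDNS padding for encrypted transports
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 180
# clients presenting a valid DNS cookie get the higher (…-cookie) limits; those limits
# are only meaningful while the cookie secret is private to this resolver
wait-limit-cookie: 30000
wait-limit: 3000
infra-cache-min-rtt: 1000
infra-cache-max-rtt: 120000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1000
neg-cache-size: 32m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 180
cache-max-negative-ttl: 3600
# NOTE(review): time in ms to wait for upstream before answering from stale data;
# RFC 8767 suggests about 1800 ms — confirm 2900 is intended
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
# cookie-secret is deliberately left unset here. The secret must be unique and private
# to this resolver: a value copied from a public post lets anyone mint valid DNS cookies
# and claim the cookie-only limits (ip-ratelimit-cookie / wait-limit-cookie).
# Leave it unset (Unbound generates a random secret at startup) or set your own
# 32-hex-character value, e.g. from `openssl rand -hex 16`.
#cookie-secret: "<128-bit hex, generated locally>"
ip-ratelimit-cookie: 30000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 3600
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
# NOTE(review): ZONEMD verification failures are only logged, the zone is still used — confirm
zonemd-permissive-mode: yes

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m                                   # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
# presumably needed so Unbound can reach a resolver on 127.0.0.1 (see the Stubby block above) — verify
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes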
 
VPN Config


# OpenVPN client custom options; the remote/ca/cert/dev lines are not in this excerpt
# and appear to be supplied elsewhere (router GUI or the provider profile).
# peer certificate must carry the TLS server EKU, so a client cert cannot pose as the server
remote-cert-tls server
# pick a random entry when several remotes are configured
remote-random
nobind
resolv-retry infinite
persist-key
persist-tun
# do not keep the username/password in memory after the initial authentication
auth-nocache
# control channel: TLS 1.2..1.3, a single TLS 1.3 suite and X25519 key exchange;
# no tls-cipher line is visible here, so TLS 1.2 handshakes use OpenVPN's default list
tls-version-min 1.2
tls-version-max 1.3
tls-ciphersuites TLS_AES_256_GCM_SHA384
tls-cert-profile preferred
# data channel restricted to AES-256-GCM
data-ciphers AES-256-GCM
tls-groups X25519
# pins the server certificate subject; the number (1482) must match the server being used
verify-x509-name CN=ca1482.nordvpn.com
# renegotiate the data-channel key every hour
reneg-sec 3600
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
# keepalive: probe every 60s, restart the tunnel after 180s of silence
ping 60
ping-restart 180
ping-timer-rem
# presumably disables the exit notification sent to the server on shutdown — confirm for the OpenVPN version in use
explicit-exit-notify 0
# accept pushed options but drop the pushed IPv6 address/route/redirect, then
# block-ipv6 rejects IPv6 traffic entering the tunnel (IPv6 leak avoidance)
pull
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
pull-filter ignore "redirect-gateway ipv6"
block-ipv6
fast-io
# NOTE(review): silences replay-detected warnings; quieter on lossy links, but it also
# removes the log signal for replayed packets
mute-replay-warnings

#log /tmp/vpn.log


verify-x509-name CN=ca1482.nordvpn.com — replace 1482 with your own server number
 
