Jack-Sparr0w
Senior Member
An update to the setup so far:
neg-cache-size: 16m
val-bogus-ttl: 60
wait-limit-cookie: 10000
wait-limit: 1000
infra-cache-min-rtt: 1000
tcp-idle-timeout: 60000
infra-cache-max-rtt: 120000
max-reuse-tcp-queries: 200 use 300 with VPN
tcp-auth-query-timeout: 3000
pad-responses: yes
pad-responses-block-size: 468 (can use 512 with 1500 MTU, but resource intensive)
pad-queries: yes
pad-queries-block-size: 128 (can use 512 with 1500 MTU, but very resource intensive)
tls-use-sni: yes (use with VPN or DoT is best)
http-max-streams: 100 use 300 with VPN
ip-ratelimit-slabs: 4
ip-ratelimit-size: 16m
ratelimit-slabs: 4
ratelimit-size: 16m
http-query-buffer-size: 16m
http-response-buffer-size: 16m
stream-wait-size: 16m
quic-size: 16m
max-global-quota: 200 is the default, use 300 when a VPN or upstream is used
delay-close: 10000
udp-connect: yes (don't use this if you are using Skynet; it breaks functionality)
unknown-server-time-limit: 0. Use unbound-control dump_infra in PuTTY, without logging into amtm, to get the value (example: use 1000).
Very useful with any VPN such as NordVPN; helps to get all requests to Unbound.
msg-buffer-size: 65552
so-sndbuf: 2
tcp-reuse-timeout: 60000
so-reuseport: yes (amazing feature)
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 1000
so-rcvbuf: 2m
incoming-num-tcp: 950 best for overhead, 200 for a lower end system
outgoing-num-tcp: 200 best for overhead, 75 for a lower end system
cache-max-ttl: 14400
# tiny memory cache
key-cache-size: 16m
msg-cache-size: 16m
rrset-cache-size: 32m
infra-cache-numhosts: 40000 for the AX88U (aligns with this setup); 20000 for the AC86U
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 1800 is the default, use 2900 if discard-timeout: 3000 is used to get more hits in the unbound cache
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
target-fetch-policy: "3 2 1 0 0" is the default; "3 2 1 0 0 0" extends this policy to a maximum depth of five levels. Could improve performance for complex DNS chains but also increases the number of queries sent. Can also use "-1 -1 -1 -1 -1" or "-1 -1 -1 -1 -1 -1" (Bind 8). Should be combined with harden-referral-path: yes. This can produce a better hit rate at the cost of performance. OpenWrt and other routers by default use "2 1 0 0 0 0", which helps with DNSSEC validation, query minimization, and performance. "2 1 0 0 0 0" is probably the best one to use in a basic setup. Use "0 0 0 0 0 0" with VPN; "0 0 0 0 0 0" is close to (Bind 9) as it aligns to best privacy and security. Most VPN providers' DNS use (Bind 9). This disables opportunistic prefetching of name servers, further minimizing metadata leakage.
This setting means Unbound will only fetch the addresses of name servers (targets) on demand, rather than proactively querying them in advance. By minimizing these additional queries, the system reduces the volume of outbound DNS traffic, making it harder for external observers. While the default policy of "3 2 1 0 0 0" involves prefetching to improve latency, it can increase the number of queries, potentially creating more data points that could be correlated with user behavior. Therefore, setting all values to zero limits this potential information leakage, contributing to a more private DNS resolution process.
answer-cookie: yes - (cookie secret must be used)
cookie-secret: a5f6ef87030bd9a99edf17e835086ef9 as (Example) use hex key generator, use with (answer-cookie: yes)
Hex Key Generator- https://www.browserling.com/tools/random-hex
ip-ratelimit-cookie: 10000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
jostle-timeout: 200 is the default. Best to use unbound-control dump_infra and change it to the same number as the RTT; most are set to 1000. jostle-timeout: 1000 is probably the best setting all around.
serve-expired-reply-ttl: 30
root-key-sentinel: yes
trust-anchor-signaling: yes
http-max-streams: 100 use 300 with VPN
discard-timeout: 1900 default setting, use 3000 if jostle timeout is set to 1000 (Example: jostle-timeout: 1000, discard-timeout: 3000)
# no threads and no memory slabs for threads
num-threads: 4 # L&LDv1.03 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-keep-probing: yes
This is a default setting for pfSense and many other vendors.
infra-keep-probing: no with VPN is best privacy
"Look into it and see if it's good for your setup"
infra-host-ttl: 900 works well with infra-keep-probing: yes
infra-keep-probing: no with VPN is best privacy
infra-cache-numhosts: 20000, or 40000 on the AX88U
discard-timeout: 1900 is the default; use 3000 if VPN or DoT is high latency with a long timeout.
unwanted-reply-threshold: 5000000 leave at the default on a lower end system
use (vx) to edit the unbound config file (stock settings are slow)
4-core CPU and 1 GB RAM
If a setting is not needed, use:
Example:
hide-trustanchor: no
udp-connect: no
Might have to whitelist the ASN for the Nord server with this type of setup. To find the ASN for a given server, go to the NordVPN website, copy the IP at the top, paste it into a search and look for the AS number related to that search (Ex: AS141039), then use whitelist in Skynet.
The setting infra-keep-probing: no is considered best for privacy when using a VPN. This is because infra-keep-probing: yes can potentially leak information about the network infrastructure, and disabling it enhances privacy, especially in conjunction with a VPN.
serve-original-ttl: yes use with VPN
ip-freebind: yes use with VPN or a dynamic ISP, for example NordVPN or Spectrum cable internet. Both are dynamic services, with dynamic IPs.
Best for VPN and TLS renegotiation time (reneg-sec 3600); better Unbound cache hit rate.
cache-min-ttl: 3600
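Added example, not part of the post above: the settings are listed as "key: value commentary" and some keys appear twice with different values (infra-keep-probing: yes and no), so pasting them as-is would not pass unbound-checkconf. This helper (my own regexes and function names) parses an excerpt of the posted lines into a clean unbound.conf server block, moves the commentary behind '#', collapses identical repeats and reports keys that still need a decision.

```python
import re
from collections import defaultdict
# Excerpt copied from the post above (a subset of its lines, unchanged).
POSTED = """\
ip ratelimit 1000
so rcvbuf 2m
target-fetch-policy: "0 0 0 0 0 0" With VPN is close to (Bind 9)
cookie-secret: a5f6ef87030bd9a99edf17e835086ef9 as (Example) use hex key generator
infra-keep-probing: yes
infra-keep-probing: no with vpn is best privacy
http-max-streams: 100 use 300 with VPN
http-max-streams: 100 use 300 with VPN
"""
# "key: value rest" (value may be quoted), or loose "word word 123 rest" as in "ip ratelimit 1000".
COLON = re.compile(r'^(?:unbound\s+)?([a-z][a-z0-9-]*):\s*("[^"]*"|\S+)\s*(.*)$')
LOOSE = re.compile(r'^((?:[a-z]+\s+)+)(\d\S*|yes|no)\b\s*(.*)$')

def parse_posted_settings(text):
    """Return (key, value, note) tuples; prose lines that carry no setting are dropped."""
    out = []
    for line in map(str.strip, text.splitlines()):
        m = COLON.match(line) or LOOSE.match(line)
        if line.startswith('#') or not m:
            continue
        key, value, note = m.groups()
        out.append(('-'.join(key.split()), value, note.strip()))
    return out

def find_conflicts(entries):
    """Keys listed more than once with different values (the post has yes and no for some)."""
    seen = defaultdict(set)
    for key, value, _ in entries:
        seen[key].add(value)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def render_server_block(entries):
    """Emit one unbound.conf server block: one line per key, commentary moved behind '#'."""
    conflicts = find_conflicts(entries)
    lines, done = ['server:'], set()
    for key, value, note in entries:
        if key in done:
            continue          # identical repeats collapse to one line
        done.add(key)
        if key in conflicts:
            lines.append(f'    # {key}: choose one of {conflicts[key]} (post lists both)')
            continue
        if key == 'cookie-secret':  # the post marks this value as an example only
            note = 'posted value is an example; generate your own random hex secret'
        lines.append(f'    {key}: {value}' + (f'  # {note}' if note else ''))
    return '\n'.join(lines) + '\n'
```

Run the output through unbound-checkconf before loading it; the conflict comments have to be resolved by hand first.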