
Unbound Tuning for gaming

Setting | Value | Notes
use-caps-for-id | no | Avoid NordVPN DNS query handling issues; if Unbound DNS is pushed in VPN then set to yes
harden-referral-path | no | Improves DNS referral security; no is best for VPN and cache hits (also is experimental, not too much support)
harden-algo-downgrade | yes | Avoids DNSSEC algorithm enforcement no issues on cache hits; no if VPN DNS is pushed
harden-large-queries | yes | Protects against amplification attacks
harden-short-bufsize | yes | Defends against buffer overflow attacks
val-clean-additional | yes | Cleans unnecessary DNS response data
harden-dnssec-stripped | no | VPN DNS strips DNSSEC, so disable to prevent failures; yes if Unbound is pushed and no VPN DNS push
qname-minimisation-strict | no | Enhances privacy; fall back to no if resolution issues; no is probably best for cache hits with VPN, most VPN providers do not support strict mode so it's best set to no; leave qname-minimisation on if you're not forwarding to DoT/DoH or DNS
harden-unverified-glue | yes | Validates glue records to prevent cache poisoning
hide-http-user-agent | no | Breaks Skynet and Diversion functions

Piehole Forum this was seen
 
Can unbound beat 1ms avg resolving time ;)?
The biggest benefit for gaming you'd get is by enabling caching.

 
Stutter has nothing to do with DNS. That's all about latency issues there.
 
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/u...r-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 32m
msg-cache-size: 50m
rrset-cache-size: 100m
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 32m
http-response-buffer-size: 32m
stream-wait-size: 32m
quic-size: 32m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 0 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 3000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 3
infra-cache-numhosts: 40000
discard-timeout: 3000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 180
wait-limit-cookie: 30000
wait-limit: 3000
infra-cache-min-rtt: 1000
infra-cache-max-rtt: 180000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1000
neg-cache-size: 32m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
cookie-secret: "de26012a125d2b6ef535d751a943c698"
ip-ratelimit-cookie: 30000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 180
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes

-Best New Values-
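An added example, not part of the original post and not the poster's code: it parses an unbound.conf fragment, lists where the hardening options differ from the table in the first post, and flags the one combination that unbound.conf(5) documents as open to a DNSSEC downgrade. The function names and the `POSTED` sample are constructed for illustration, and the parser assumes the last occurrence of a repeated single-value option is the one that applies.

```python
import re
# Values from the table in the first post: the thread's picks, not Unbound defaults.
THREAD_TABLE = {
    "use-caps-for-id": "no", "harden-referral-path": "no",
    "harden-algo-downgrade": "yes", "harden-large-queries": "yes",
    "harden-short-bufsize": "yes", "val-clean-additional": "yes",
    "harden-dnssec-stripped": "no", "qname-minimisation-strict": "no",
    "harden-unverified-glue": "yes", "hide-http-user-agent": "no",
}
ANCHORS = ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor")
# option: value, optional quotes, optional trailing comment; '#' lines never match
LINE = re.compile(r'^\s*([a-z0-9-]+):\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def effective_options(conf_text):
    """Map option -> value. Assumption: when a single-value option is
    repeated, the last occurrence is the one that applies."""
    opts = {}
    for raw in conf_text.splitlines():
        m = LINE.match(raw)
        if m and m.group(2):
            opts[m.group(1)] = m.group(2)
    return opts

def deviations(opts):
    """(option, configured value, table value) where the two differ."""
    return [(k, opts.get(k, "unset"), want)
            for k, want in THREAD_TABLE.items() if opts.get(k, "unset") != want]

def downgrade_risk(opts):
    """True if a trust anchor is set but harden-dnssec-stripped is off, the
    case unbound.conf(5) describes as open to a downgrade attack."""
    validating = any(a in opts for a in ANCHORS)
    return validating and opts.get("harden-dnssec-stripped", "yes") == "no"

# Constructed sample: hardening lines as posted above, one commented-out copy.
POSTED = """
# harden-dnssec-stripped: no
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"  # DNSSEC
"""
```

Run against the sample, `deviations()` reports `use-caps-for-id` and `harden-dnssec-stripped`, the two options where the posted config and the table disagree.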
 
-Best New Values-
Based on what? Do you have any baseline stats vs. your settings or any other metrics to show that these config changes actually make a difference? I believe a while back I posted my stats, and asked you to reciprocate, but you never did.
 
@Jack-Sparr0w

You truly are an unorthodox thinker, please don't lose your passion for tinkering with Unbound, and keep reporting back!

For me, I'll stick to the more boring established settings for now. I am a bit of the scientific method kind of guy ... ;)
 
@Jack-Sparr0w

You truly are an unorthodox thinker, please don't lose your passion for tinkering with Unbound, and keep reporting back!

For me, I'll stick to the more boring established settings for now. I am a bit of the scientific method kind of guy ... ;)
As you are a 'scientific method guy' you will appreciate that without some metrics (Before/After) to demonstrate what is changed/improved all these postings are meaningless as there is no way to understand/measure the gain.

I have suggested that more information on what is changed/improved is needed to aid anyone who might want to use these adaptions.

I am not saying that they do not work BUT have no way of knowing what metrics have changed because of using these NEW configs.
I don't know what to measure to prove any gain !!!
 
I don't know what to measure to prove any gain !!!

In my opinion what is eventually measurable is perhaps a subject discussed in different forums and completely unrelated to networking and gaming. 🤷‍♂️
 
In my opinion what is eventually measurable is perhaps a subject discussed in different forums and completely unrelated to networking and gaming. 🤷‍♂️
You are absolutely correct. Unbound simply is a DNS resolver. It has zero application on game performance. It establishes what the IP is to the gaming server that you need to connect to, and your game does the rest. It has no bearing on how the game performs, or how high you can get your frag rate. Let's figure out what the best practices are for Unbound tuning (if any) that make sense, and are MEASURABLE.
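One way to put numbers on the before/after question raised in the posts above, as an added example that is not from any poster: it parses two `unbound-control stats_noreset` snapshots (baseline config, then tuned config, each after replaying the same query set) and reports the change in cache hit ratio, share of expired answers served, and recursion time. The function names and both snapshots are constructed; the counter names are the ones Unbound prints.

```python
def parse_stats(text):
    """Parse key=value lines as printed by `unbound-control stats_noreset`."""
    stats = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep:
            try:
                stats[key] = float(val)
            except ValueError:
                continue  # not a numeric counter
    return stats

def summarize(stats):
    """Resolver-side metrics for one run; all zeros if no queries were seen."""
    q = stats.get("total.num.queries", 0.0)
    def share(key):
        return stats.get(key, 0.0) / q if q else 0.0
    return {
        "hit_ratio": share("total.num.cachehits"),
        # answers served from expired cache entries (serve-expired: yes)
        "expired_share": share("total.num.expired"),
        "recursion_avg_ms": stats.get("total.recursion.time.avg", 0.0) * 1000,
        "recursion_median_ms": stats.get("total.recursion.time.median", 0.0) * 1000,
    }

def compare(before_text, after_text):
    """Tuned minus baseline for each metric."""
    b = summarize(parse_stats(before_text))
    a = summarize(parse_stats(after_text))
    return {k: round(a[k] - b[k], 4) for k in b}

# Constructed snapshots (not measurements from this thread).
BEFORE = """total.num.queries=10000
total.num.cachehits=8000
total.num.cachemiss=2000
total.num.expired=100
total.recursion.time.avg=0.050000
total.recursion.time.median=0.020000
"""
AFTER = """total.num.queries=10000
total.num.cachehits=8500
total.num.cachemiss=1500
total.num.expired=400
total.recursion.time.avg=0.045000
total.recursion.time.median=0.020000
"""
```

With these constructed snapshots the hit ratio rises by 0.05 while the expired share rises by 0.03, so most of the extra hits are stale answers rather than faster fresh lookups.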
 
In my opinion what is eventually measurable is perhaps a subject discussed in different forums and completely unrelated to networking and gaming. 🤷‍♂️
Now Now ... play nicely !!!
 
Let's figure out what the best practices are for Unbound (if any) tuning that make sense, and are MEASURABLE.

Agree. Attempts to do so failed. What we have so far is hobbyunbounding... similar to the hobbydogging phenomenon where people walk invisible dogs. It may have some benefits to the person practicing it only.
 
Wow! This is still happening?
🍿
 
You are absolutely correct. Unbound simply is a DNS resolver. It has zero application on game performance. It establishes what the IP is to the gaming server that you need to connect to, and your game does the rest. It has no bearing on how the game performs, or how high you can get your frag rate. Let's figure out what the best practices are for Unbound tuning (if any) that make sense, and are MEASURABLE.
You will gain a few frames in the latest Monster Hunter because developers decided that checking for DLC access every frame is a good idea.
Finally - a game where Unbound tuning makes sense.
 
You will gain a few frames in the latest Monster Hunter because developers decided that checking for DLC access every frame is a good idea.
Finally - a game where Unbound tuning makes sense.
But only when you're in the base camp 😆, not the rest of the game. But being serious for a moment, the FPS hit is down to the additional network load, of which DNS is likely to be negligible.
 
But only when you're in the base camp 😆, not the rest of the game. But being serious for a moment, the FPS hit is down to the additional network load, of which DNS is likely to be negligible.
Getting into 'Butterfly effect' territory now !!!

:rolleyes:;):)
 
