
Unbound Tuning for gaming

server:   # every option below belongs in the server: clause of unbound.conf
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses (any AAAA answer is treated as a private address and stripped)
# do-ip6: no
# edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/u...r-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config

# threads and memory slabs (slabs must be a power of two; the manual suggests a value close to the number of CPUs)
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 4m
msg-cache-size: 4m
rrset-cache-size: 4m
ip-ratelimit-size: 4m
ratelimit-size: 4m
http-query-buffer-size: 4m
http-response-buffer-size: 4m
stream-wait-size: 4m
quic-size: 8m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 0 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 3000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
# note: max-udp-size caps UDP responses sent to LAN clients; a 3072-byte reply still exceeds a 1500-byte MTU, so 1232 is the value that actually avoids fragmentation. edns-buffer-size above only governs what Unbound advertises to upstream servers.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 5
infra-cache-numhosts: 40000
discard-timeout: 3000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 180
wait-limit-cookie: 30000
wait-limit: 3000
infra-cache-min-rtt: 200
infra-cache-max-rtt: 120000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1400
neg-cache-size: 1m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0 0 0 0 0"
# cookie-secret must be 128 bits (32 hex chars) of randomness generated on this router (openssl rand -hex 16).
# The value below was published in this thread; anyone who knows it can forge valid DNS cookies, so REPLACE it before use.
cookie-secret: "de26012a125d2b6ef535d751a943c698" # REPLACE: published value, not private
ip-ratelimit-cookie: 30000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 180
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes # only logs ZONEMD failures for auth-zone data instead of rejecting it; no effect unless auth-zone is configured
ip-ratelimit-factor: 30

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no # required only when forwarding to a local stub such as Stubby on 127.0.0.1; otherwise leave at the default (yes)
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: no
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no

# Self-jail Unbound as user "nobody" inside /opt/var/lib/unbound (chroot); directory must stay inside the chroot
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# Root servers
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes


Lowered cache values as they were set too high in my config

  • Hit ratio stays high (80-95%) for home traffic patterns.
  • No memory pressure — avoids OOM kills during peak usage.


This is the official guide if you have any questions, as I am pretty busy these days.

Copy and paste if you like the setup (1 GB RAM, 4-core router setup).

Values tuned for VPN
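Before pasting a server: fragment like the one above onto a router, it is worth running a few mechanical checks on it. The script below is an added example and is not from the post or from the Unbound project; the checks come from unbound.conf(5) (cookie-secret is 32 hex characters, cache slabs are a power of two, directory sits inside chroot) and from DNS Flag Day 2020 guidance (UDP answers above about 1232 bytes risk fragmentation). The fragment it lints is a constructed excerpt reproducing the posted values, and POSTED_SECRET is the literal cookie-secret from the post, kept only so the script can refuse it.

```shell
#!/bin/sh
# Added example (not from the thread or Unbound): lint a server: fragment
# before copying it onto a router. The fragment is constructed to mirror the
# posted values; single-token values only (target-fetch-policy etc. are ignored).
FRAGMENT='server:
  num-threads: 4
  msg-cache-slabs: 4
  rrset-cache-slabs: 4
  infra-cache-slabs: 4
  key-cache-slabs: 4
  edns-buffer-size: 1472
  max-udp-size: 3072
  cookie-secret: "de26012a125d2b6ef535d751a943c698"
  chroot: "/opt/var/lib/unbound"
  directory: "/opt/var/lib/unbound"
'
# The secret as it appeared in the public post; a copy of it is never private.
POSTED_SECRET=de26012a125d2b6ef535d751a943c698

# get_opt FILE KEY: value of the last "KEY: value" line, surrounding quotes stripped
get_opt() {
    awk -v k="$2:" '$1 == k { v = $2; gsub(/"/, "", v) } END { print v }' "$1"
}

# is_pow2 N: succeed if N is a positive power of two
is_pow2() {
    n=$1
    [ "$n" -gt 0 ] 2>/dev/null || return 1
    while [ $((n % 2)) -eq 0 ]; do n=$((n / 2)); done
    [ "$n" -eq 1 ]
}

# lint_unbound FILE: print one finding per line; succeed only when there are none
lint_unbound() {
    f=$1 found=0

    secret=$(get_opt "$f" cookie-secret)
    if [ -n "$secret" ]; then
        if [ "$secret" = "$POSTED_SECRET" ]; then
            echo "cookie-secret: value published in a forum post; run: openssl rand -hex 16"
            found=$((found + 1))
        fi
        if ! printf '%s\n' "$secret" | grep -Eq '^[0-9a-fA-F]{32}$'; then
            echo "cookie-secret: must be exactly 32 hex characters (128 bits)"
            found=$((found + 1))
        fi
    fi

    for key in msg-cache-slabs rrset-cache-slabs infra-cache-slabs key-cache-slabs; do
        v=$(get_opt "$f" "$key")
        if [ -n "$v" ] && ! is_pow2 "$v"; then
            echo "$key: $v is not a power of two"
            found=$((found + 1))
        fi
    done

    maxudp=$(get_opt "$f" max-udp-size)
    if [ -n "$maxudp" ] && [ "$maxudp" -gt 1232 ]; then
        echo "max-udp-size: $maxudp can fragment on a 1500-byte MTU; 1232 avoids that"
        found=$((found + 1))
    fi

    chroot=$(get_opt "$f" chroot); dir=$(get_opt "$f" directory)
    if [ -n "$chroot" ]; then
        case "$dir" in
            "$chroot"*) ;;
            *) echo "directory: $dir is outside chroot $chroot"; found=$((found + 1)) ;;
        esac
    fi

    [ "$found" -eq 0 ]
}

# Usage: lint the constructed fragment, then let Unbound's own parser check it
# too when unbound-checkconf is installed (it rejects unknown option names).
main() {
    tmp=$(mktemp)
    printf '%s' "$FRAGMENT" > "$tmp"
    lint_unbound "$tmp"
    command -v unbound-checkconf >/dev/null && unbound-checkconf "$tmp"
    rm -f "$tmp"
}
main "$@"
```

Against the posted values the script reports two findings: the published cookie-secret and the max-udp-size above 1232; replace FRAGMENT with `unbound-control get_option`-style output or the real file to lint a live config.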
 
Most values are changed to respect the Time to Live (TTL) set by authoritative DNS servers. Best used with a dynamic IP from WAN or VPN. If you have this type of setup, these values might interest you.
 
my aim > your resolve :p
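The posts above claim an 80-95% hit ratio from 4m caches and TTL-respecting settings. The only way to know on a given router is to read the counters, so the following is an added example (not from the thread or the Unbound project) that turns the output of `unbound-control stats_noreset` into a hit ratio, a stale-answer share and cache fill levels. The counter names (total.num.cachehits, total.num.cachemiss, total.num.expired, mem.cache.rrset, mem.cache.message) are Unbound's own; the numbers in STATS_SAMPLE are constructed to resemble a home router, and remote-control must be enabled in unbound.conf for the live path to work.

```shell
#!/bin/sh
# Added example (not from the thread or Unbound): read cache counters from
# "unbound-control stats_noreset" and report whether the posted cache sizes
# and TTL settings deliver the hit ratio claimed above.
# STATS_SAMPLE is constructed; the counter names are real.
STATS_SAMPLE='total.num.queries=20480
total.num.cachehits=17408
total.num.cachemiss=3072
total.num.prefetch=1536
total.num.expired=256
mem.cache.rrset=2621440
mem.cache.message=1048576
'

# counter FILE KEY: value of KEY from a stats dump (lines are key=value)
counter() { awk -F= -v k="$2" '$1 == k { print $2 }' "$1"; }

# to_bytes SIZE: expand unbound.conf size suffixes (k/m/g) to bytes
to_bytes() {
    case "$1" in
        *[kK]) echo $(( ${1%?} * 1024 )) ;;
        *[mM]) echo $(( ${1%?} * 1048576 )) ;;
        *[gG]) echo $(( ${1%?} * 1073741824 )) ;;
        *)     echo "$1" ;;
    esac
}

# hit_ratio FILE: percentage of answered queries served from cache
hit_ratio() {
    hits=$(counter "$1" total.num.cachehits); miss=$(counter "$1" total.num.cachemiss)
    echo $(( hits * 100 / (hits + miss) ))
}

# expired_pct FILE: share of answers that were stale serve-expired replies;
# a high value means upstream is slow or unreachable, not that caching is good
expired_pct() {
    echo $(( $(counter "$1" total.num.expired) * 100 / $(counter "$1" total.num.queries) ))
}

# cache_fill_pct FILE KEY SIZE: how full a cache is relative to its configured
# size (rrset-cache-size / msg-cache-size); near 100 means eviction is happening
cache_fill_pct() {
    echo $(( $(counter "$1" "$2") * 100 / $(to_bytes "$3") ))
}

# report FILE RRSET_SIZE MSG_SIZE: one-screen summary, as run on the router
report() {
    echo "hit ratio:        $(hit_ratio "$1")%  (post claims 80-95% for home traffic)"
    echo "stale answers:    $(expired_pct "$1")%"
    echo "rrset cache used: $(cache_fill_pct "$1" mem.cache.rrset "$2")% of $2"
    echo "msg cache used:   $(cache_fill_pct "$1" mem.cache.message "$3")% of $3"
}

main() {
    tmp=$(mktemp)
    # live counters when unbound-control works, constructed sample otherwise
    unbound-control stats_noreset > "$tmp" 2>/dev/null || printf '%s' "$STATS_SAMPLE" > "$tmp"
    report "$tmp" 4m 4m    # pass the rrset-cache-size / msg-cache-size you configured
    rm -f "$tmp"
}
main "$@"
```

If the rrset cache sits near 100% while the hit ratio is low, the 4m value is evicting useful records and raising it is justified; if it sits well below 100%, the "lowered cache values" are not what limits the hit ratio.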
 
This is the official guide if you have any questions, as I am pretty busy these days.
So, no questions asked. No explanations. No metrics or comparisons to show that these settings actually have any effect whatsoever. Just copy and paste because you're too busy?
 
So, no questions asked. No explanations. No metrics or comparisons to show that these settings actually have any effect whatsoever. Just copy and paste because you're too busy?
Yep ... that is about it ... to reply to @Tech9 (from another 'closely related' thread) 'Opportunity missed !!!'

:)
 
This is the same salad as the "firewall" they have "created": pieces of advice collected from here and there on the Internet, often given for a specific reason and not as a general recommendation. Sort of manual AI without the I.
 
I can make it easy for you.

Use this to check the code: https://www.perplexity.ai/

Tell the AI to use the official website as reference: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html

Ask the AI to tune for a 4-core router with 1 GB RAM. I mean, I did it myself without AI, but this makes it easy. It will tell you that it's done by the book and the config is pretty good on its values. The official website has documents tuned for 1 GB RAM and a 4-core CPU; you could just use those values if needed. The default settings only allow Unbound to run on 1 thread.
 
It's just there to check that the code is right and the values are right by reference to the website. I mean, by all means go through my values and change what you need to. This works for me, though.
 
I did it myself without AI, just using the official website of Unbound. There is a reference even in Unbound Merlin to NLnet Labs, as it is the official website of Unbound DNS.
 
In a nutshell (to condense all the text/replies together).

Your additional qualification to these 'Black Box' configurations is as follows

1. It works for me.
2. It is all documented in the official docs.
3. If you want to change anything ... follow the instructions.
4. If you want to understand what it does or why it works ... read the fine documentation.

I can accept 'it works for you' BUT it is a bit of a big ask to expect someone with no experience of unbound or DNS resolution in general to wade through the 'official docs' to understand what you have done/how it is an improvement etc.
I would not drop a complete neophyte into the middle of unbound and expect them to swim.

If you are giving others the benefit of your efforts, I would expect a little bit of hand holding as you have gained the experience they have not.
I can wade through all this with ease BUT I would need to understand what I am expected to gain BEFORE I would use my time.
I can relate all this to my experience BUT it would not necessarily be of use to someone else in a different situation.

This is why I said that I have made changes to 'my unbound config' BUT would be reluctant to 'drop' them on someone else without them having the knowledge to understand and adapt them to their needs.

As it stands it is difficult for anyone to advise using these changes as the impact is unknown and there is little to guide a neophyte.

Giving out things to others usually requires accepting that you will need to give some level of support to the people who take up the 'offer'.
You cannot expect others to have the same knowledge as you have gained, therefore you need to give some of the knowledge as well.

Thanks for the updates/changes BUT I will not be using them as it involves too much effort to identify what it is supposed to do & whether that is a 'gain' for me in my particular setup.
 
Don't forget... he's probably too busy to answer your post, or provide any other guidance at this point as he stated earlier.
 
Since DNS for Gaming is now tuned... let's go back to NTP for Gaming. I play Chess on my phone.
 
Don't forget... he's probably too busy to answer your post, or provide any other guidance at this point as he stated earlier.
I am not expecting a reply BUT needed to set the 'current state/context' for anyone still reading through this thread.

:rolleyes:;):D
 
Since DNS for Gaming is now tuned... let's go back to NTP for Gaming. I play Chess on my phone.
Bro, just use perplexity.ai and dump the unbound.conf in there so it can optimize your checkmate frags!
 
Ask the AI to tune for a 4-core router with 1 GB RAM. I mean, I did it myself without AI, but this makes it easy. It will tell you that it's done by the book and the config is pretty good on its values. The official website has documents tuned for 1 GB RAM and a 4-core CPU; you could just use those values if needed. The default settings only allow Unbound to run on 1 thread.
AI has no capability to test the things it outputs.
Unless you run the model locally and give it an environment to test in (VM or physical), and even then it can mess up and do 'rm -fr /' because that's what user ProCoder69 on reddit suggested.
 
I am fascinated by the endless pursuit of nonsense, so I repeat: every operating system basically has an integrated mini DNS resolver that caches repeated queries. I still don't understand the connection with playing games, but maybe you have in mind an institution with hundreds of computers where Java games are played; then OK :). Lastly, switch your focus from unbound to knot-resolver, which provides much higher performance and better caching.
Edit:

If you really want a performance increase, then don't run a DNS resolver on a router but on a dedicated server with sufficient performance. Even the most powerful Asus is quite slow at this. In my stack the average difference when using a dedicated DNS resolver is even tens of milliseconds.
 
