Unbound Unbound Tuning for gaming

[Jack-Sparr0w]

neg-cache-size: 16m
val-bogus-ttl: 60
wait-limit-cookie: 10000
wait-limit: 1000
infra-cache-min-rtt: 1000
tcp-idle-timeout: 60000
infra-cache-max-rtt: 120000
max-reuse-tcp-queries: 200
tcp-auth-query-timeout: 3000
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
tls-use-sni: yes
http-max-streams: 100
ip-ratelimit-slabs: 4
ip-ratelimit-size: 16m
ratelimit-slabs: 4
ratelimit-size: 16m
http-query-buffer-size: 16m
http-response-buffer-size: 16m
stream-wait-size: 16m
quic-size: 16m
max-global-quota: 200
delay-close: 10000
udp-connect: yes Don't use this if you are using Skynet (It breaks Functionality)
unknown-server-time-limit: 0 use: unbound-control dump_infra in putty without logging into amtm to get value (Example use 1000)
Very useful with any vpn such as NordVPN. helps to get all requests to unbound.
msg-buffer-size: 65552
so-sndbuf: 2
tcp-reuse-timeout: 60000
so-reuseport: yes (amazing feature)
num-queries-per-thread: 100
outgoing-range: 200
ip ratelimit 1000
so rcvbuf 2m
incoming num tcp 950 best for overhead 200 for lower end system
outgoing num tcp 200 best for overhead 75 for lower end system
cache max ttl 14400
# tiny memory cache
key-cache-size: 16m
msg-cache-size: 16m
rrset-cache-size: 32m
infra-cache-numhosts: 40000 AX-88u (aligns with this setup) AC86U- 20000 infra-cache-numhosts
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 1800
unbound iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
target-fetch-policy: "3 2 1 0 0"
answer-cookie: yes - (cookie secret must be used)
cookie-secret: a5f6ef87030bd9a99edf17e835086ef9 as (Example) use hex key generator, use with (answer-cookie: yes)
Hex Key Generator- https://www.browserling.com/tools/random-hex
ip-ratelimit-cookie: 10000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
jostle-timeout: 200 is the default , Best to use- ( unbound-control dump_infra ) and change it to same number as rtt, most are set to jostle-timeout: 1000 is probably the best setting all around

root-key-sentinel: yes
trust-anchor-signaling: yes
http-max-streams: 100


# no threads and no memory slabs for threads
num-threads: 4 # L&LDv1.03 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)

infra-keep-probing: yes
This is a default setting for pfSense, and many other vendors

infra-host-ttl: 900 works well with infra-keep-probing: yes

infra-cache-numhosts: 20000 or 40000 ax 88u

discard-timeout: 1900 is default use 3000 if VPN or DoT is high latency with long timeout.
unwanted-reply-threshold: 5000000 leave to default on lower end system

use (vx) to edit unbound config file (stock settings are slow)

4 core cpu and 1 gig ram

If setting is not needed use:

Example:
hide-trustanchor: no
udp-connect: no


might have to whitelist ASN for Nord Server with this type of setup, to find ASN for given server, go to NordVPN website, copy ip at the top and paste it into search and look for AS number relater to that search. (Ex: AS141039) then use whitelist in Skynet

 

[Gary_Dexter]

Are you even aware of what 99% of those settings are and how they impact things?

 

[jacklul]

Majority of those posted config variables are at default values anyway... No reason to pollute config file with those.
Probably would make sense to filter those out using documentation.

And probably mentioned few times already: DNS resolution speed does not impact gaming at all, addresses are resolved once and then the game talks to the server using IP address.

 

[Viktor Jaep]

neg-cache-size: 16m
val-bogus-ttl: 60
wait-limit-cookie: 10000
wait-limit: 1000
infra-cache-min-rtt: 1000
tcp-idle-timeout: 60000
infra-cache-max-rtt: 120000
max-reuse-tcp-queries: 200
tcp-auth-query-timeout: 3000
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
tls-use-sni: yes
http-max-streams: 100
ip-ratelimit-slabs: 4
ip-ratelimit-size: 16m
ratelimit-slabs: 4
ratelimit-size: 16m
http-query-buffer-size: 16m
http-response-buffer-size: 16m
stream-wait-size: 16m
quic-size: 16m
max-global-quota: 200
delay-close: 10000
udp-connect: yes Don't use this if you are using Skynet (It breaks Functionality)
unknown-server-time-limit: 0 use: unbound-control dump_infra in putty without logging into amtm to get value (Example use 1000)
Very useful with any vpn such as NordVPN. helps to get all requests to unbound.
msg-buffer-size: 65552
so-sndbuf: 2
tcp-reuse-timeout: 60000
so-reuseport: yes (amazing feature)
num-queries-per-thread: 100
outgoing-range: 200
ip ratelimit 1000
so rcvbuf 2m
incoming num tcp 950 best for overhead 200 for lower end system
outgoing num tcp 200 best for overhead 75 for lower end system
cache max ttl 14400
# tiny memory cache
key-cache-size: 16m
msg-cache-size: 16m
rrset-cache-size: 32m
infra-cache-numhosts: 40000 AX-88u (aligns with this setup) AC86U- 20000 infra-cache-numhosts
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 1800
unbound iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "3 2 1 0 0"
cookie-secret: a5f6ef87030bd9a99edf17e835086ef9 as (Example) use hex key generator
ip-ratelimit-cookie: 10000


# no threads and no memory slabs for threads
num-threads: 4 # L&LDv1.03 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)

infra-keep-probing: yes
This is a default setting for pfSense, and many other vendors

infra-host-ttl: 900 works well with infra-keep-probing: yes

infra-cache-numhosts: 20000 or 40000 ax 88u

discard-timeout: 1900 is default use 3000 if VPN or DoT is high latency with long timeout.
unwanted-reply-threshold: 5000000 leave to default on lower end system

use (vx) to edit unbound config file (stock settings are slow)

4 core cpu and 1 gig ram

If setting is not needed use:

Example:
hide-trustanchor: no
udp-connect: no


might have to whitelist ASN for Nord Server with this type of setup, to find ASN for given server, go to NordVPN website, copy ip at the top and paste it into search and look for AS number relater to that search. (Ex: AS141039) then use whitelist in Skynet

When are you going to post a screenshot of your current stats?

 

[Jack-Sparr0w]

I only get 46% with Nord vpn, how are you in the 80's, I thought you had Nord to?

 

[Gary_Dexter]

46% what?

 

[Viktor Jaep]

I only get 46% with Nord vpn, how are you in the 80's, I thought you had Nord to?

I'm using Unbound over VPN...

 

[Jack-Sparr0w]

any tips?

 

[Viktor Jaep]

any tips?

Unbound-over-VPN (or WG) doesn't work with NordVPN any longer... unless something has recently changed. I should probably test it again soon... But since having to find an alternative, I've had luck with ProtonVPN and AirVPN, which are my other 2 VPN providers.

Unless you want to go about it manually, it's just a matter of enabling this functionality in VPNMON-R3.

 

[Gary_Dexter]

Why would you not use the VPN providers DNS?

 

[Viktor Jaep]

Why would you not use the VPN providers DNS?

It adds another layer of privacy. When using your VPN Provider's DNS, that gives them an easier way to see what you're doing and where you're going. I don't have any doubt that some are also nefariously tracking outbound traffic and/or logging (even when they say "no logs"), but at least it's one less thing.

 

[Gary_Dexter]

But it’s encrypted DNS when using the VPN
DNS.

Unbound DNS (to the root servers) is unencrypted and plain text (therefore visible by your ISP etc.) still.

 

[Viktor Jaep]

But it’s encrypted DNS when using the VPN
DNS.

Unbound DNS (to the root servers) is unencrypted and plain text (therefore visible by your ISP etc.) still.

Not exactly correct. My DNS traffic is invisible to my ISP, because it's encrypted and tunneling through to my VPN provider's exit in some other place around the country, and exiting there. My ISP has no idea what I'm doing online. All they see is encrypted traffic to/from my VPN provider(s).

Your VPN provider sees your internal DNS server usage, unencrypted DNS traffic, and knows your unencrypted root DNS calls (if needed). My VPN provider will have to capture my unencrypted DNS traffic and unencrypted root DNS calls as they go outbound from my VPN exit. But neither of our ISP's get to see any of that traffic.

It's very likely that your VPN provider is collecting usage stats based on your online activity/DNS lookups, and selling that. I make it a little harder for them to get this info, but I have no doubt they're getting my traffic stats.

I take it a step further... I have 1 VPN provider slot dedicated to network traffic... and a 2nd VPN provider (different from the 1st) that is dedicated only to Unbound DNS lookups for that network traffic. So that traffic is completely split. One VPN provider sees what sites I'm going to along with zero DNS traffic... the other sees what DNS calls I'm making, not knowing if I'm even going to those sites.

There's no real way to have complete privacy, but this gets just a little closer... if you even trust your VPN provider(s). Which I don't.