Unbound Unbound Tuning for gaming

[Jack-Sparr0w]

module-config: "respip validator iterator" # v1.08 add 'respip' for rpz feature @juched

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow # v1.10 Martineau Fix CIDR 16->12
access-control: 192.168.0.0/16 allow # v1.10 @dave14305 Fix CIDR 24->16
access-control: 103.86.96.0/16 allow
access-control: 103.86.99.0/16 allow

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8 # v1.11 Martineau
private-address: fe80::/10 # v1.11 Martineau
dns64-ignore-aaaa: ".*.*"
dns64-ignore-aaaa: "*"
dns64-ignore-aaaa: *.
do-not-query-address: ::/0
do-not-query-address: ::1
do-not-query-address: ::0/0
do-not-query-address: fe80::/10
do-not-query-address: fd00::/8
do-not-query-address: ::0
do-not-query-address: ::
do-ip4: yes
do-udp: yes
do-tcp: yes
prefer-ip4: yes
prefer-ip6: no
do-nat64: no
dns64-synthall: no
local-zone: "ipv6.microsoft.com" refuse
local-zone: "teredo.reality" refuse
local-zone: "xbox-ipv6.xboxlive.com" refuse
local-zone: "teredo.xboxlive.com" refuse
local-zone: "ipv6.msftncsi.com" refuse
local-zone: "teredo.ipv6.microsoft.com" refuse
local-zone: "ipv6.msftconnecttest.com" refuse
local-zone: "win1910.ipv6.microsoft.com" refuse
local-zone: "win10.ipv6.microsoft.com" refuse
local-zone: "win8.ipv6.microsoft.com" refuse
local-zone: "win7.ipv6.microsoft.com" refuse
local-zone: "xbox.ipv6.microsoft.com" refuse
local-zone: "ipv6.litwareinc.com" refuse
local-zone: "teredo.autoconfig.ipv6.microsoft.com" refuse
local-zone: "isatest.public.amers.ham1.ipv6.microsoft.com" refuse
local-zone: "6to4.ipv6.microsoft.com" refuse
local-zone: "ip6.arpa" refuse
local-zone: "vrchatapi.onrender.com" refuse
local-zone: "vrcx.live" refuse
local-zone: "gigdi.net" refuse
local-zone: "vrchatip.com" refuse
local-zone: "vrchatapi.pages.dev" refuse
local-zone: "sync.top" refuse
local-zone: "umbrellacorp.vrchat.cloud" refuse
local-zone: "onrender.com" refuse
local-zone: "pages.dev" refuse
local-zone: "replit.co" refuse
local-zone: "replit.dev" refuse
local-zone: "workers.dev" refuse
local-zone: "slothytech.com" refuse

#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1200 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/u...aller-utility-for-unbound-recursive-dns-serve>
# access-control: ::/0 refuse
# access-control: ::0/0 refuse
# access-control: ::1 refuse
# access-control: fd00::/8 refuse
# access-control: fe80::/10 refuse
# access-control: ::0 refuse
# private-address: fd00::/8
# private-address: fe80::/10
#########################################

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 50m
msg-cache-size: 50m
rrset-cache-size: 100m
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 16m
http-response-buffer-size: 16m
stream-wait-size: 50m
quic-size: 16m
cache-max-ttl: 3600 # v1.08 Martineau
cache-min-ttl: 0 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 3600 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
jostle-timeout: 5000
ip-ratelimit: 2000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1100 # v1.01 as per @dave14305 minimal config
max-udp-size: 1024 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
sock-queue-timeout: 5
infra-cache-numhosts: 40000
discard-timeout: 6334
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
infra-lame-ttl: 900
so-reuseport: yes
tcp-reuse-timeout: 90000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 60000
http-max-streams: 150
tls-use-sni: no
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 90
wait-limit-cookie: 20000
wait-limit: 2000
infra-cache-min-rtt: 60
infra-cache-max-rtt: 180000
tcp-idle-timeout: 45000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 6000
unknown-server-time-limit: 6000
neg-cache-size: 16m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 6000
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0 0 0 0 0 0 0"
ip-ratelimit-cookie: 20000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 45
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
ip-ratelimit-factor: 10
ratelimit-factor: 10
udp-connect: yes
tcp-mss: 1000
outgoing-tcp-mss: 900
edns-tcp-keepalive: yes
edns-tcp-keepalive-timeout: 180000
tls-ciphers: "ECDHE-RSA-WITH-AES256-GCM-SHA384"
tls-ciphersuites: "TLS_AES_256_GCM_SHA384"
ede: yes
ede-serve-expired: yes
ratelimit: 2000
fast-server-permil: 900
fast-server-num: 3

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default
#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: no
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: yes
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: no
harden-referral-path: no
harden-algo-downgrade: yes
harden-large-queries: no
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: no
qname-minimisation-strict: no
harden-unverified-glue: no
hide-http-user-agent: no
harden-unknown-additional: yes

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: no
for-downstream: no
for-upstream: yes
zonefile: root.zone

(fixes vpn ping 60 and ping restart 180 when VPN is binded) (infra-cache-max-rtt: 180000)

surgical precision.

Lowered cache values as they were set to high in my config

• Hit ratio stays high (80-95%) for home traffic patterns.
• No memory pressure — avoids OOM kills during peak usage.

unbound.conf(5) — Unbound 1.24.2 documentation

unbound.docs.nlnetlabs.nl

this is official guide if you have any questions

Copy and paste if you like the setup (1 gig ram 4 core router setup)

remote-cert-tls server
remote-random
nobind
resolv-retry infinite
persist-key
persist-tun
auth-nocache
tls-version-min 1.2
tls-version-max 1.3
tls-ciphersuites TLS_AES_256_GCM_SHA384
tls-cert-profile preferred
data-ciphers AES-256-GCM
tls-groups X25519
verify-x509-name CN=ca1304.nordvpn.com
reneg-sec 3600
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 60
ping-restart 180
ping-timer-rem
proto udp4
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
pull
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
pull-filter ignore "redirect-gateway ipv6"
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "block-outside-dns"
block-ipv6
mute-replay-warnings

#log /tmp/vpn.log

 

[Jack-Sparr0w]

Most vales are changed to respect Authoritative DNS servers set the Time to Live (TTL). Best used with Dynamic IP from wan or VPN. If you have this type of setup these values might interest you.

use vpn director and add 192.168.0.0/16 to killswitch and thank me later (same as unbounds config)

pull-filter ignore "block-outside-dns" discards the server's block-outside-dns push, which would otherwise block non-VPN DNS traffic . This avoids conflicts when using local resolvers like Unbound

dhcp-option DNS 127.0.0.1 overrides any server-pushed DNS servers, setting your system's resolver exclusively to localhost (Unbound). Combined, they ensure VPN connections don't hijack DNS while maintaining leak protection via Unbound's recursive forwarding over the tunnel.

Local: root → TLD → authoritative

I did a dig test with this config with Nord open VPN and it worked perfect.

Client app → 127.0.0.1:53 (forced by dhcp-option) Unbound (recursive, do-ip6: no) (all upstream queries)VPN tun0 interface → root/TLD servers

Full Recursive (Privacy-Max)

Feb 7 20:49:37 ovpn-client1[31980]: [caxxxx.nordvpn.com] Peer Connection Initiated with [AF_INET]xxxxxxxxxxx
Feb 7 20:49:37 ovpn-client1[31980]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Feb 7 20:49:37 ovpn-client1[31980]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Feb 7 20:49:39 ovpn-client1[31980]: SENT CONTROL [caxxxx.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Feb 7 20:49:39 ovpn-client1[31980]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.100.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.100.0.2 255.255.0.0,peer-id 14,cipher AES-256-GCM'
Feb 7 20:49:39 ovpn-client1[31980]: Pushed option removed by filter: 'dhcp-option DNS 103.86.96.100'
Feb 7 20:49:39 ovpn-client1[31980]: Pushed option removed by filter: 'dhcp-option DNS 103.86.99.100'
Feb 7 20:49:39 ovpn-client1[31980]: OPTIONS IMPORT: --ifconfig/up options modified
Feb 7 20:49:39 ovpn-client1[31980]: OPTIONS IMPORT: route options modified
Feb 7 20:49:39 ovpn-client1[31980]: OPTIONS IMPORT: route-related options modified
Feb 7 20:49:39 ovpn-client1[31980]: TUN/TAP device tun11 opened
Feb 7 20:49:39 ovpn-client1[31980]: TUN/TAP TX queue length set to 1000
Feb 7 20:49:39 ovpn-client1[31980]: /usr/sbin/ip link set dev tun11 up mtu 1500
Feb 7 20:49:39 ovpn-client1[31980]: /usr/sbin/ip link set dev tun11 up
Feb 7 20:49:39 ovpn-client1[31980]: /usr/sbin/ip addr add dev tun11 10.100.0.2/16 broadcast +
Feb 7 20:49:39 ovpn-client1[31980]: ovpn-up 1 client tun11 1500 0 10.100.0.2 255.255.0.0 init
Feb 7 20:49:39 openvpn-routing: Setting client 1 routing table's default route through the tunnel
Feb 7 20:49:39 vpndirector: Routing to vpn from 192.168.0.0/16 to any through ovpnc1
Feb 7 20:49:39 ovpn-client1[31980]: Data Channel: cipher 'AES-256-GCM', peer-id: 14, compression: 'stub'
Feb 7 20:49:39 ovpn-client1[31980]: Timers: ping 60, ping-restart 180
Feb 7 20:49:39 ovpn-client1[31980]: Protocol options: explicit-exit-notify 1
Feb 7 20:49:41 ovpn-client1[31980]: Initialization Sequence Completed

; <<>> DiG 9.20.7 <<>> @127.0.0.1 -p 53 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18009
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
(good)
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 172.217.5.14

;; Query time: 79 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sat Feb 07 21:29:41 CST 2026
;; MSG SIZE rcvd: 83

 

[Jack-Sparr0w]

use (unbound-control dump_infra) command and match values to your rtt

rtt 1000 when unbound-control dump_infra is used in putty root. tune from that value

 

[Jack-Sparr0w]

#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m is the max due to rem core default of router

 

[BreakingDad]

my aim > your resolve

 

[Viktor Jaep]

this is official guide if you have any questions as I am pretty busy these days

So, no questions asked. No explanations. No metrics or comparisons to show that these settings actually have any effect whatsoever. Just copy and paste because you're too busy?

 

[Twiglets]

So, no questions asked. No explanations. No metrics or comparisons to show that these settings actually have any effect whatsoever. Just copy and paste because you're too busy?

Yep ... that is about it ... to reply to @Tech9 (from another 'closely related' thread) 'Opportunity missed !!!'

 

[Tech9]

This is the same salad like the "firewall" they have "created". Collected from here and there on Internet pieces of advice, often given for specific reason and not as general recommendation. Sort of manual AI without the I.

 

[Jack-Sparr0w]

I can make it easy for you

use this to check code https://www.perplexity.ai/

tell the ai to use official website as reference. https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html

ask ai to tune to 4 core router 1 gig ram. I mean i did it myself without ai but this makes it easy. It will tell you that its done by the book and config is pretty good on its values. the official website has documents tuned for 1 gig ram 4 core cpu. you could just use those values if needed. default settings only allows unbound to run on 1 thread

 

[Jack-Sparr0w]

its just there to check if code is right and values are right by reference to website. I mean by all means go through my values and change what you need to. This works for me though

 

[Jack-Sparr0w]

I did it myself without ai just using official website of unbound. there is reference even in unbound merlin to Ninite labs as it is the official website of Unbound DNS

 

[Jack-Sparr0w]

just use that if you need to know anything

 

[Twiglets]

In a nutshell (to condense all the text/replies together).

Your additional qualification to these 'Black Box' configurations is as follows

1. It works for me.
2. It is all documented in the official docs.
3. If you want to change anything ... follow the instructions.
4. If you want to understand what it does or why it works ... read the fine documentation.

I can accept 'it works for you' BUT it is a bit of a big ask to expect someone with no experience of unbound or DNS resolution in general to wade through the 'official docs' to understand what you have done/how it is an improvement etc.
I would not drop a complete neophyte into the middle of unbound and expect them to swim.

If you are giving others the benefit of your efforts, I would expect a little bit of hand holding as you have gained the experience they have not.
I can wade through all this with ease BUT I would need to understand what I am expected to gain BEFORE I would use my time.
I can relate all this to my experience BUT it would not necessarily be of use to someone else in a different situation.

This is why I said that I have made changes to 'my unbound config' BUT would be reluctant to 'drop' them on someone else without them having the knowledge to understand and adapt them to their needs.

As it stands it is difficult for anyone to advise using these changes as the impact is unknown and there is little to guide a neophyte.

Giving out things to others usually requires accepting that you will need to give some level of support to the people who take up the 'offer'.
You cannot expect others to have the same knowledge as you have gained, therefore you need to give some of the knowledge as well.

Thanks for the updates/changes BUT I will not be using them as it involves too much effort to identify what it is supposed to do & whether that is a 'gain' for me in my particular setup.

 

[Viktor Jaep]

In a nutshell (to condense all the text/replies together).

Your additional qualification to these 'Black Box' configurations is as follows

1. It works for me.
2. It is all documented in the official docs.
3. If you want to change anything ... follow the instructions.
4. If you want to understand what it does or why it works ... read the fine documentation.

I can accept 'it works for you' BUT it is a bit of a big ask to expect someone with no experience of unbound or DNS resolution in general to wade through the 'official docs' to understand what you have done/how it is an improvement etc.
I would not drop a complete neophyte into the middle of unbound and expect them to swim.

If you are giving others the benefit of your efforts, I would expect a little bit of hand holding as you have gained the experience they have not.
I can wade through all this with ease BUT I would need to understand what I am expected to gain BEFORE I would use my time.
I can relate all this to my experience BUT it would not necessarily be of use to someone else in a different situation.

This is why I said that I have made changes to 'my unbound config' BUT would be reluctant to 'drop' them on someone else without them having the knowledge to understand and adapt them to their needs.

As it stands it is difficult for anyone to advise using these changes as the impact is unknown and there is little to guide a neophyte.

Giving out things to others usually requires accepting that you will need to give some level of support to the people who take up the 'offer'.
You cannot expect others to have the same knowledge as you have gained, therefore you need to give some of the knowledge as well.

Thanks for the updates/changes BUT I will not be using them as it involves too much effort to identify what it is supposed to do & whether that is a 'gain' for me in my particular setup.

Don't forget... he's probably too busy to answer your post, or provide any other guidance at this point as he stated earlier.

 

[Tech9]

Since DNS for Gaming is now tuned... let's go back to NTP for Gaming. I play Chess on my phone.

 

[Twiglets]

Don't forget... he's probably too busy to answer your post, or provide any other guidance at this point as he stated earlier.

I am not expecting a reply BUT needed to set the 'current state/context' for anyone still reading through this thread.

 

[Viktor Jaep]

Since DNS for Gaming is now tuned... let's go back to NTP for Gaming. I play Chess on my phone.

Bro, just use perplexity.ai and dump the unbound.conf in there so it can optimize your checkmate frags!

 

[jacklul]

ask ai to tune to 4 core router 1 gig ram. I mean i did it myself without ai but this makes it easy. It will tell you that its done by the book and config is pretty good on its values. the official website has documents tuned for 1 gig ram 4 core cpu. you could just use those values if needed. default settings only allows unbound to run on 1 thread

AI has no capability to test the things it outputs.
Unless you run tha model locally and give it environment to test in (VM or physical), even then it can mess up and do 'rm -fr /' because that's what user ProCoder69 on reddit suggested.

 

[Tech9]

Bro, just use perplexity.ai

It recommended "Networking for Kids" video on YouTube. I'll watch it when I'm not so busy.

 

[Difides]

I am fascinated by the endless pursuit of nonsense.. so I repeat.. every operating system basically has an integrated mini dns resolver that caches repeated queries.. I still don't understand the connection with playing games.. but maybe you have in mind an institution with hundreds of computers where Java games are played.. then ok .. lastly, focus on knot-resolver from unbound.. which provides much higher performance and better caching..
edit :

if you really want a performance increase .. then don't use a dns resolver on a router but on a dedicated server with sufficient performance .. even the most powerful asus is quite slow in this .. in my stack the average difference when using a dedicated dns resolver is even tens of milliseconds