
Unbound Tuning for gaming

I am fascinated by the endless pursuit of nonsense... so I repeat: every operating system basically has an integrated mini DNS resolver that caches repeated queries. I still don't understand the connection with playing games, but maybe you have in mind an institution with hundreds of computers where Java games are played; then OK :). Lastly, focus on knot-resolver rather than unbound, which provides much higher performance and better caching.
You have raised something that I have not mentioned before because it just feeds this never-ending journey 'down the Rabbit Hole'.
Namely, if testing 'config changes' for unbound, I hope that the local caching is flushed/stopped before testing the comparative performance of the different changes.

e.g. Windows needs:
Code:
ipconfig /flushdns

AND/OR

net stop dnscache

===========================================================================================================================================
ipconfig /flushdns: Clears the DNS resolver cache.

net stop dnscache: Stops the DNS Client service.
 
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/u...r-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 4m
msg-cache-size: 4m
rrset-cache-size: 4m
ip-ratelimit-size: 4m
ratelimit-size: 4m
http-query-buffer-size: 4m
http-response-buffer-size: 4m
stream-wait-size: 4m
quic-size: 8m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 0 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 3000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 5
infra-cache-numhosts: 40000
discard-timeout: 5000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
val-bogus-ttl: 180
wait-limit-cookie: 30000
wait-limit: 3000
infra-cache-min-rtt: 200
infra-cache-max-rtt: 120000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1400
neg-cache-size: 1m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
cookie-secret: "de26012a125d2b6ef535d751a943c698"
ip-ratelimit-cookie: 30000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 180
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes
ip-ratelimit-factor: 30

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: no
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes


Lowered cache values, as they were set too high in my config

  • Hit ratio stays high (80-95%) for home traffic patterns.
  • No memory pressure — avoids OOM kills during peak usage.


This is the official guide; please refer to it if you have any questions, as I am pretty busy these days.

Copy and paste if you like the setup (1 GB RAM, 4-core router setup)

Values tuned for VPN

Following is an unbiased evaluation by Claude that compares Jack's Unbound config (from post #141) to a vanilla Unbound config:

Unbound Configuration Analysis: Jack's vs Vanilla

Executive Summary

Jack's configuration file contains significant structural problems and several concerning changes that could negatively impact the Asus-Merlin router's DNS resolver functionality. The most critical issue is that the file is incomplete - it's missing essential server configuration sections.

CRITICAL ISSUES

1. INCOMPLETE CONFIGURATION - MISSING ESSENTIAL SECTIONS

Severity: CRITICAL - Will cause Unbound to fail to start
Jack's configuration is missing the entire beginning of the server block, including:
  • No server: directive - The file starts at line 1 with IPv6 settings but never declares the server block
  • Missing port configuration (port: 53535)
  • Missing interface bindings (interface: 127.0.0.1@53535)
  • Missing outgoing-interface (critical for VPN routing)
  • Missing ALL logging configuration (verbosity, logfile, log settings)
  • Missing module-config directive (needed for respip/rpz functionality)
  • Missing access-control rules for network subnets
  • Missing private-address declarations for RFC1918 ranges
  • Missing protocol settings (do-ip4, do-udp, do-tcp)
  • Missing adblock includes
  • Missing remote-control section
  • Missing forward-zone/auth-zone sections
This configuration will NOT work as-is. Unbound will fail to start without the server block and essential directives.

PROBLEMATIC CHANGES (Assuming missing sections are restored)

2. Thread Configuration Mismatch

Lines 20-26 in Jack's config:
Code:
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4
Vanilla config (lines 96-100):
Code:
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
Issues:
  • Asus routers typically have 2-4 CPU cores depending on model
  • Setting num-threads: 4 may work on newer routers (AX88U Pro, GT-AX6000) but will waste resources on older dual-core models
  • Slabs MUST be a power of 2 (1, 2, 4, 8, 16, etc.) - Jack's config is correct here
  • Slabs should equal or exceed num-threads (correct in Jack's config)
  • However, 4 threads on a router is likely overkill and increases memory overhead without proportional benefit
  • The vanilla config's conservative approach (1 thread, 2 slabs) is more appropriate for embedded systems
Recommendation: Keep vanilla settings unless on a high-end router with 4+ cores AND confirmed high DNS query load

3. Drastically Reduced Cache Sizes

Lines 30-38 in Jack's config:
Code:
key-cache-size: 4m
msg-cache-size: 4m
rrset-cache-size: 4m
Vanilla config (lines 104-106):
Code:
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
Issues:
  • Jack HALVED the key and message cache sizes (8m → 4m)
  • Jack QUARTERED the rrset cache size (16m → 4m)
  • This is particularly problematic because Jack added MORE threads, which typically need MORE cache
  • Smaller caches = more cache misses = more recursive queries = slower DNS resolution
  • The comment says "tiny memory cache" but Jack made it even tinier while increasing threads (contradictory)
Impact:
  • Higher cache eviction rate
  • Increased latency for repeated queries
  • More upstream queries
  • Not appropriate for a multi-threaded configuration
Recommendation: Vanilla cache sizes are already conservative for router hardware. Reducing them further hurts performance.

 

4. cache-min-ttl: 0 (Disables Minimum TTL)

Line 40 in Jack's config:
Code:
cache-min-ttl: 0
Vanilla config (line 108):
Code:
cache-min-ttl: 1200
Issues:
  • Setting to 0 means Unbound will honor even 1-second TTLs from authoritative servers
  • Some authoritative servers set very low TTLs (1-60 seconds) for dynamic content
  • This causes excessive recursive queries for frequently-accessed domains
  • Negates much of the benefit of local caching
  • The vanilla setting of 1200 seconds (20 minutes) is a sensible minimum
Impact:
  • Dramatically increased query load
  • Higher latency for low-TTL records
  • More bandwidth usage
  • More load on upstream servers
Recommendation: Keep vanilla value of 1200 or at minimum set to 300-600 seconds

5. Excessive ip-ratelimit Value

Line 52 in Jack's config:
Code:
ip-ratelimit: 3000
Vanilla config (line 118):
Code:
ip-ratelimit: 0
Issues:
  • Vanilla sets this to 0 to disable rate limiting (as noted, it can impact sites like ipleak.net)
  • Jack set it to 3000 queries per second per IP
  • For a home router, this is pointless - no single client will approach 3000 qps
  • The vanilla comment specifically says this was set to 0 because it impacts legitimate testing sites
  • Rate limiting is more appropriate for public resolvers, not home networks
Analysis:
  • Not harmful per se, but unnecessary
  • Could potentially cause issues with DNS testing tools or burst query scenarios
  • Adds processing overhead for no benefit in home environment
Recommendation: Keep at 0 as vanilla configuration suggests

6. Added Numerous Advanced/Obscure Parameters

Jack added 60+ configuration parameters that are not in vanilla, including:
Lines 33-38: Specialized buffer sizes:
Code:
ip-ratelimit-size: 4m
ratelimit-size: 4m
http-query-buffer-size: 4m
http-response-buffer-size: 4m
stream-wait-size: 4m
quic-size: 8m
Issues:
  • http-* and quic-size parameters are for DNS-over-HTTPS and DNS-over-QUIC
  • Asus-Merlin routers don't use DoH or QUIC for DNS by default
  • These waste memory on unused features
  • QUIC requires specific build-time support that may not exist
Lines 57-106: Dozens of tuning parameters:
Code:
jostle-timeout: 1000
sock-queue-timeout: 5
infra-cache-numhosts: 40000
discard-timeout: 5000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
[...and 50+ more...]
Issues:
  • Many of these are advanced performance tuning options meant for high-traffic public resolvers
  • Most have undocumented or unclear effects on embedded systems
  • Some values are aggressive (unwanted-reply-threshold: 5000000 is VERY high)
  • Others conflict with the philosophy of a conservative router config
Specific problematic values:
Line 67:

Code:
max-global-quota: 300
  • Limits global number of outstanding queries to 300 total (across all clients)
  • For a router serving potentially dozens of devices, this could become a bottleneck
  • Vanilla config has no such limit
Line 95:
Code:
cookie-secret: "de26012a125d2b6ef535d751a943c698"
  • SECURITY ISSUE: Hardcoded cookie secret
  • Should be randomly generated per installation
  • If this config is shared/public, the secret is compromised
  • Cookies are used for DNS security features; predictable secrets reduce effectiveness
Line 94:
Code:
target-fetch-policy: "0 0 0 0 0 0"
  • All zeros means "don't prefetch any targets"
  • Disables target prefetching optimization entirely
  • May increase latency for multi-level queries
Lines 103-104:
Code:
ip-freebind: yes
zonemd-permissive-mode: yes
  • ip-freebind allows binding to IP addresses that don't yet exist
  • Not needed on a router with stable interfaces
  • zonemd-permissive-mode relaxes ZONEMD validation
  • Both add complexity without clear benefit
Line 105:
Code:
ip-ratelimit-factor: 30
  • Combined with ip-ratelimit: 3000, this creates complex rate limiting behavior
  • Unnecessary complexity for home router

7. Additional Security Settings

Lines 127-136 in Jack's config add:
Code:
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: no
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: no
harden-unverified-glue: yes
hide-http-user-agent: no
Mixed bag:
GOOD additions:

  • use-caps-for-id: yes - Improves query ID randomization (good security practice)
  • harden-large-queries: yes - Protects against amplification attacks
  • harden-short-bufsize: yes - Protects against buffer-based attacks
  • val-clean-additional: yes - Removes unsigned data from secure responses
  • harden-dnssec-stripped: yes - Protects DNSSEC integrity
  • harden-unverified-glue: yes - Improves security
POTENTIALLY PROBLEMATIC:
  • harden-referral-path: no - DISABLED a security feature (vanilla doesn't set this, defaults to yes)
  • harden-algo-downgrade: no - DISABLED protection against algorithm downgrade attacks
  • These are disabled likely because they caused resolution failures, but this reduces security
Lines 151-152:
Code:
trust-anchor-signaling: yes
root-key-sentinel: yes
  • These are DNSSEC-related improvements
  • Generally harmless and potentially beneficial
  • Not necessary on vanilla but not harmful

 

MISSING CONFIGURATION IMPACT

The missing sections from Jack's config would need to be restored for it to function:
  1. Server block declaration
  2. Port and interface bindings - Critical for dnsmasq integration
  3. Outgoing interface - Critical if using VPN
  4. Logging configuration - Needed for troubleshooting
  5. Module configuration - Needed for respip/rpz features
  6. Access control rules - Security requirement
  7. Private address ranges - DNS rebinding protection
  8. Protocol enables - do-ip4, do-udp, do-tcp
  9. Adblock includes - If using ad blocking
  10. Remote control section - Required for unbound-control commands
  11. Auth-zone or forward-zone - Needed for root zone queries

OVERALL ASSESSMENT

Configuration Philosophy Mismatch

Vanilla config philosophy:
  • Conservative resource usage appropriate for embedded router
  • Single-threaded, modest cache sizes
  • Minimal advanced features
  • Focus on stability and predictability
  • Well-commented with version history
Jack's config philosophy:
  • Aggressive performance tuning (4 threads, many advanced parameters)
  • Contradictory (more threads but less cache)
  • Aimed at high-traffic public resolver scenarios
  • Many features not applicable to router environment (DoH, QUIC)
  • Hardcoded secrets (security issue)
  • Incomplete (missing critical sections)

RECOMMENDATIONS​

If Jack wants to improve on vanilla config:

DO:
  1. Keep the vanilla structure and essential sections
  2. Consider adding use-caps-for-id: yes for better security
  3. Consider the additional DNSSEC hardening options (harden-large-queries, etc.) IF they don't cause resolution failures
  4. Test thoroughly after any changes
DON'T:
  1. Don't reduce cache sizes below vanilla values
  2. Don't set cache-min-ttl to 0
  3. Don't add 4 threads unless on a high-end router with proven need
  4. Don't add dozens of advanced parameters without understanding each one
  5. Don't hardcode security secrets
  6. Don't disable security features (harden-referral-path, harden-algo-downgrade)
  7. Don't add DoH/QUIC parameters unless actually using those protocols

Best Practice:

Start with vanilla config and make incremental, tested changes.
The vanilla configuration is well-tuned for Asus-Merlin routers based on years of community feedback. Jack's approach of wholesale replacement with aggressive tuning is more likely to cause problems than improvements on router hardware.

SUMMARY TABLE

Parameter         | Vanilla     | Jack          | Impact                     | Recommendation
File completeness | Complete    | INCOMPLETE    | CRITICAL - Won't start     | Must restore missing sections
num-threads       | 1           | 4             | High resource use          | Keep vanilla (1)
Cache sizes       | 8m/8m/16m   | 4m/4m/4m      | Lower performance          | Keep vanilla sizes
cache-min-ttl     | 1200        | 0             | Much higher query load     | Keep vanilla (1200)
ip-ratelimit      | 0           | 3000          | Unnecessary overhead       | Keep vanilla (0)
Advanced params   | Minimal     | 60+ added     | Complexity, resource waste | Remove most additions
cookie-secret     | (generated) | Hardcoded     | Security issue             | Must randomize
Security hardens  | Standard    | Some disabled | Reduced security           | Keep vanilla approach

CONCLUSION

Jack's configuration would NOT function as-is due to missing critical sections. Even if those sections were restored, the changes made are largely counterproductive for a router environment:
  • Reduced caches hurt performance
  • Increased threads waste resources
  • Many parameters are irrelevant to router use cases
  • Security features are compromised
  • Complexity is increased without corresponding benefit
The vanilla configuration is superior for Asus-Merlin routers. If Jack experienced issues with the vanilla config, the solution is targeted debugging and minimal adjustments, not wholesale replacement with a public-resolver-style configuration.
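Several of the points in the evaluation above (slab counts, thread count versus cores, cache-size arithmetic, cache-min-ttl: 0, a cookie-secret sitting in a shared file) are mechanical enough to check with a script before a config is ever loaded on the router. The Python below is an added example, not code from this thread, from the evaluation, or from the Unbound project: it parses a server-block fragment in unbound.conf syntax (last occurrence of an option wins, as in Unbound), converts the 1024-based k/m/g sizes quoted from the manpage later in this thread, and reports the findings the evaluation makes. The sample fragment, the two-core assumption and the zeroed cookie-secret placeholder are constructed; the function names are the example's own.

```python
import re
import secrets

# Unbound size syntax: a plain number is bytes; k/m/g are 1024-based
# (the manpage excerpts quoted in this thread say so explicitly).
SIZE_RE = re.compile(r"^(\d+)\s*([kKmMgG]?)$")
SIZE_MULT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

SLAB_OPTIONS = ("msg-cache-slabs", "rrset-cache-slabs", "infra-cache-slabs",
                "key-cache-slabs", "ip-ratelimit-slabs", "ratelimit-slabs")
CACHE_SIZE_OPTIONS = ("msg-cache-size", "rrset-cache-size",
                      "key-cache-size", "neg-cache-size")

# Constructed sample fragment modelled on the values posted above. The
# cookie-secret is a deliberately zeroed placeholder, not a real secret.
SAMPLE_FRAGMENT = """\
# tiny memory cache
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
key-cache-slabs: 4
msg-cache-size: 4m
rrset-cache-size: 4m
key-cache-size: 4m
neg-cache-size: 1m
cache-min-ttl: 0   # honours even 1-second TTLs
cookie-secret: "00000000000000000000000000000000"
"""


def parse_size(value):
    """Convert '4m', '512k', '1g' or a bare byte count to an int number of bytes."""
    m = SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * SIZE_MULT[m.group(2).lower()]


def parse_fragment(text):
    """Return {option: value} for a server-block fragment.

    Comments are stripped, surrounding quotes are removed and, as Unbound does
    for repeated options, the last occurrence wins. (A '#' inside a quoted
    value is not handled; none of the options checked here carry one.)
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip().strip('"')
    return opts


def cache_total_bytes(opts):
    """Sum of the explicitly configured cache sizes, in bytes."""
    return sum(parse_size(opts[o]) for o in CACHE_SIZE_OPTIONS if o in opts)


def fresh_cookie_secret():
    """A new 128-bit secret in the 32-hex-digit form cookie-secret takes."""
    return secrets.token_hex(16)


def check_fragment(opts, cpu_cores):
    """Apply the thread's tuning checks; returns a list of finding strings."""
    findings = []
    threads = int(opts.get("num-threads", "1"))
    if threads > cpu_cores:
        findings.append(f"num-threads {threads} exceeds the {cpu_cores} CPU cores")
    for opt in SLAB_OPTIONS:
        if opt not in opts:
            continue
        slabs = int(opts[opt])
        if slabs < 1 or slabs & (slabs - 1):      # power-of-two test
            findings.append(f"{opt} {slabs} is not a power of 2")
        elif slabs < threads:
            findings.append(f"{opt} {slabs} is below num-threads {threads}")
    if opts.get("cache-min-ttl") == "0":
        findings.append("cache-min-ttl 0 disables the TTL floor; low-TTL records "
                        "are re-fetched at the authoritative TTL")
    if "cookie-secret" in opts:
        findings.append("cookie-secret is written into the config file, so anyone "
                        "who sees the file has it; generate one per installation, "
                        f"e.g. {fresh_cookie_secret()}")
    return findings


if __name__ == "__main__":
    opts = parse_fragment(SAMPLE_FRAGMENT)
    print(f"configured caches: {cache_total_bytes(opts) / 2**20:.0f} MiB "
          f"across {opts.get('num-threads', '1')} thread(s)")
    for finding in check_fragment(opts, cpu_cores=2):
        print("-", finding)
```

Run it against a fragment cut from your own unbound.conf and the core count of your router; the cache total is what you compare against the memory the router actually has free, and a cookie-secret finding means the file should not be posted as-is.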
 
Maximum RTT Value
The highest round-trip time (rtt) in this list is 1400 milliseconds.

Details
This peak occurs for 5.39.112.241 ovh.net. ttl 107 ping 0 var 350 rtt 1400 rto 1400 - note the 0 successful pings and ednsknown 0, indicating an unreliable/unprobed server.

Overall Historical Max Across All Your Lists

Code:
1400ms - 5.39.112.241 ovh.net (this list)
1400ms - 204.8.99.142 torproject.org (list #4)
1281ms - 213.180.193.x Yandex servers (list #2)
1232ms - 150.171.16.240 trafficmanager.net (this list)
1227ms - 200.3.13.14 ripe.net (multiple lists)
1200ms - 216.239.34.105/114 Google servers
Your discard-timeout: 3000 remains perfect - provides 2.1x buffer over the 1400ms peak while covering high variability (var 350ms). The unknown-server-time-limit: 1400 will quickly abandon OVH/TorProject outliers, forcing fallback to reliable 200-1100ms servers like nsone.net, amazontrust.com.
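The peak-RTT reasoning above can be reproduced from the resolver's own infra cache instead of reading the dump by eye. The Python below is an added example, not code from this thread or from the Unbound project: it parses lines in the format `unbound-control dump_infra` prints (`<ip> <zone> ttl N ping N var N rtt N rto N ...`), finds the slowest recorded upstream, reports how much headroom a given discard-timeout leaves over it, and lists servers that were never successfully probed (ping 0 and ednsknown 0, as in the OVH line quoted above) or whose RTT estimate is at or above the unknown-server-time-limit value. The dump lines are constructed using the RTT figures quoted in the post plus one healthy server on a documentation address; the function names are the example's own.

```python
import re

# One host per line, in the field order dump_infra prints; only the fields
# used here are captured, the remaining name/value pairs are kept as raw text.
INFRA_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<zone>\S+)\s+ttl\s+(?P<ttl>\d+)\s+ping\s+(?P<ping>\d+)"
    r"\s+var\s+(?P<var>\d+)\s+rtt\s+(?P<rtt>\d+)\s+rto\s+(?P<rto>\d+)(?P<rest>.*)$")
EDNSKNOWN_RE = re.compile(r"\bednsknown\s+(\d+)")

# Constructed sample dump. The first three hosts carry the RTT figures quoted
# in the post (rtt = ping + 4*var, as in the OVH line shown there);
# 198.51.100.53 is a documentation address standing in for a healthy server.
SAMPLE_DUMP = """\
5.39.112.241 ovh.net. ttl 107 ping 0 var 350 rtt 1400 rto 1400 tA 0 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
150.171.16.240 trafficmanager.net. ttl 430 ping 832 var 100 rtt 1232 rto 1232 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
200.3.13.14 ripe.net. ttl 512 ping 627 var 150 rtt 1227 rto 1227 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.53 example.net. ttl 800 ping 40 var 10 rtt 80 rto 80 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
"""


def parse_dump_infra(text):
    """Return one dict per parsable dump_infra line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = INFRA_RE.match(line.strip())
        if not m:
            continue
        e = {k: int(v) for k, v in m.groupdict().items()
             if k in ("ttl", "ping", "var", "rtt", "rto")}
        e["ip"], e["zone"] = m.group("ip"), m.group("zone")
        ek = EDNSKNOWN_RE.search(m.group("rest"))
        e["ednsknown"] = int(ek.group(1)) if ek else 0
        entries.append(e)
    return entries


def max_rtt(entries):
    """Highest rtt estimate in the dump, in milliseconds (0 for an empty dump)."""
    return max((e["rtt"] for e in entries), default=0)


def assess(entries, discard_timeout_ms, unknown_server_time_limit_ms):
    """Compare the infra cache against the two timeouts discussed in the post."""
    slowest = max(entries, key=lambda e: e["rtt"])
    peak = slowest["rtt"]
    return {
        "max_rtt": peak,
        "slowest_ip": slowest["ip"],
        "slowest_zone": slowest["zone"],
        # ratio of discard-timeout to the worst observed rtt estimate
        "headroom": discard_timeout_ms / peak if peak else float("inf"),
        "covers_peak": discard_timeout_ms > peak,
        # ping 0 together with ednsknown 0: never probed successfully,
        # so the rtt figure is a guess rather than a measurement
        "unprobed": [e["ip"] for e in entries
                     if e["ping"] == 0 and e["ednsknown"] == 0],
        "at_or_over_limit": [e["ip"] for e in entries
                             if e["rtt"] >= unknown_server_time_limit_ms],
    }


if __name__ == "__main__":
    report = assess(parse_dump_infra(SAMPLE_DUMP), 3000, 1400)
    print(f"peak rtt {report['max_rtt']} ms from {report['slowest_ip']} "
          f"({report['slowest_zone']}); discard-timeout headroom "
          f"{report['headroom']:.1f}x, covers peak: {report['covers_peak']}")
    print("unprobed:", report["unprobed"],
          "at/over limit:", report["at_or_over_limit"])
```

Feed it the real output of `unbound-control dump_infra` (the cache is per-thread and ages out with the infra-host-ttl, so take the dump while the resolver has been busy) and re-run after changing discard-timeout to see whether the new value still clears the slowest upstream.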



stream-wait-size: <number> 
Number of bytes size maximum to use for waiting stream buffers. A plain number is in bytes, append ‘k’, ‘m’ or ‘g’ for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). As TCP and TLS streams queue up multiple results, the amount of memory used for these buffers does not exceed this number, otherwise the responses are dropped. This manages the total memory usage of the server (under heavy use), the number of requests that can be queued up per connection is also limited, with further requests waiting in TCP buffers.

Default: 4m

As stated on the official Unbound website: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html

msg-cache-size: <number> 
Number of bytes size of the message cache. A plain number is in bytes, append ‘k’, ‘m’ or ‘g’ for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte).

Default: 4m

As stated on the official Unbound website: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html


msg-cache-slabs: <number> 
Number of slabs in the message cache. Slabs reduce lock contention by threads. Must be set to a power of 2. Setting (close) to the number of cpus is a fairly good setting. If left unconfigured, it will be configured automatically to be a power of 2 close to the number of configured threads in multi-threaded environments.

Default: 4m

As stated on the official Unbound website: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html

The log says it's all perfect. Changing discard-timeout: 3000 from 5000 fixed the timeouts. Everything works really nicely; using 5000 gave me a max error that showed 120000, and switching to 3000 fixed it. Made from the official website.
 
It's a battle of the AIs...!!
You do realise that by the time ALL the 'AI's have had a go at 'improving' things we will have 15 different answers and a set of Nude Photos that No-One ever wants to see again !!!

:eek:🫣:oops:🫣🤢
 
Schweet Bejeebus...I just found this thread and my eyes are bleeding.

I am surprised, though, that he hasn't found the secret turbo button under the router's CPU yet. Nor has he broken out the red spray paint. As we all know, everything is faster with red flames on it.
 
As we all know everything is faster with red flames on it.

True. We have special turbo boost software running on our routers. See my avatar. 🤣

At least we have AI proof of total nonsense in addition to HI. This sentence is spot on:

Don't add dozens of advanced parameters without understanding each one
 
post went from 12k to 14k in a few days, must be an interesting thread. :)
The additional comments definitely make up this thread. I'm tuned in!
 
A lot of you guys use AC routers; you should at least upgrade to a BE version, or at the very least an AX version.

Just in case: this setup is for a dual-core router with 256 MB RAM and no VPN, tuned to this config. Best used with a dynamic-IP ISP.

#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: no
# edns-buffer-size: 1232 # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/u...aller-utility-for-unbound-recursive-dns-serve>
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator" # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96 # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
ip-ratelimit-slabs: 2
ratelimit-slabs: 2

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 2m
msg-cache-size: 2m
rrset-cache-size: 2m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 0 # v1.08 Martineau
jostle-timeout: 1000
infra-cache-numhosts: 20000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
ip-ratelimit-size: 2m
ratelimit-size: 2m
http-query-buffer-size: 2m
http-response-buffer-size: 2m
stream-wait-size: 2m
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from u>
incoming-num-tcp: 200
outgoing-num-tcp: 75
ip-ratelimit: 1000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

so-sndbuf: 1m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
harden-dnssec-stripped: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: no
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
qname-minimisation-strict: yes
hide-http-user-agent: no
val-bogus-ttl: 60
infra-cache-min-rtt: 150
tcp-idle-timeout: 60000
infra-cache-max-rtt: 120000
max-reuse-tcp-queries: 200
tcp-auth-query-timeout: 3000
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 128
tls-use-sni: yes
http-max-streams: 100
delay-close: 10000
tcp-reuse-timeout: 60000
so-reuseport: yes
outgoing-range: 75
unknown-server-time-limit: 1400
neg-cache-size: 1m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 1800
max-sent-count: 32
target-fetch-policy: "0 0 0 0 0 0"
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
root-key-sentinel: yes
trust-anchor-signaling: yes
http-max-streams: 100
serve-expired-reply-ttl: 30
outbound-msg-retry: 5
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes
serve-original-ttl: yes
ip-ratelimit-factor: 10

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################
 
unwanted-reply-threshold: <number>
If set, a total number of unwanted replies is kept track of in every thread. When it reaches the threshold, a defensive action is taken and a warning is printed to the log. The defensive action is to clear the rrset and message caches, hopefully flushing away any poison. A value of 10 million is suggested. Setting unwanted-reply-threshold: 5000000 is future-proof and just hardens security.
 
Did the packets taste any different than before? A hint of cilantro with diesel undertones or pinesol infused water buffalo, perhaps?
 
unwanted-reply-threshold: <number>
If set, a total number of unwanted replies is kept track of in every thread. When it reaches the threshold, a defensive action is taken and a warning is printed to the log. The defensive action is to clear the rrset and message caches, hopefully flushing away any poison. A value of 10 million is suggested. Setting unwanted-reply-threshold: 5000000 is future-proof and just hardens security.
Again, not needed. Keeping it zero (default) makes the chances of successful cache poisoning 1 in 4 billion (per attempt), and impossible with DNSSEC, which incidentally is enabled by default.
 
