unbound.conf
# Unbound DNS resolver configuration of the Digital Society Switzerland
# This configuration is in production use.
#
# This optimisation reference was considered:
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
#
# Every option below sits in the single "server:" clause. The "interface:"
# and "access-control:" options are repeated on purpose; each line adds an
# entry.
server:
# We use two-core machines, so one worker thread per core.
# cat /proc/cpuinfo
num-threads: 2
# Improve UDP performance: with SO_REUSEPORT each thread opens its own
# listening socket, so incoming queries are spread across the threads.
so-reuseport: yes
# Reduce lock contention: slab counts are a power of two close to num-threads.
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# Increase cache size
# rrset-cache-size should be double the msg-cache-size
# total of both should be around half of total physical memory
rrset-cache-size: 1300m
msg-cache-size: 650m
# Number of ports to open per thread for outgoing queries.
# NOTE(review): the original comment said "462 per core (totally 1024
# available)", which does not match the value 8192 below; presumably the
# comment predates the current value. Confirm which one is intended.
outgoing-range: 8192
# outgoing-range / number of cores
num-queries-per-thread: 4096
# Reduce chance of packet drops on traffic spikes
# NOTE(review): the kernel may cap socket buffers below 4m (on Linux see
# net.core.rmem_max / net.core.wmem_max); confirm the host allows this size.
so-rcvbuf: 4m
so-sndbuf: 4m
# Working directory, pid file and the account Unbound switches to after
# start-up.
# NOTE(review): the pid file lives in the configuration directory; confirm
# that the unbound account does not need write access to the rest of
# /etc/unbound because of it.
directory: "/etc/unbound"
pidfile: "/etc/unbound/unbound.pid"
username: unbound
# Listening addresses: IPv4 on loopback only, IPv6 on every local address.
interface: 127.0.0.1
interface: ::0
# Who may send queries. IPv4 is allowed from any source, but the only IPv4
# listener above is loopback, so this matters only for traffic that reaches
# 127.0.0.1 (presumably a local front-end; verify against the deployment).
access-control: 0.0.0.0/0 allow
# NOTE(review): "::/64" covers only addresses whose upper 64 bits are zero
# (this includes ::1), not the whole IPv6 space, while the IPv6 listener
# above is bound to all addresses. If all IPv6 clients are meant to be
# served the prefix would be ::/0; if only local clients are meant, binding
# to ::1 would narrow the exposed surface. Confirm the intent.
# If this resolver is reachable from the Internet, note that no rate
# limiting (ratelimit / ip-ratelimit) is set in this file; an open resolver
# without it can be abused for reflection/amplification.
access-control: ::/64 allow
# Answer over both address families and both transports.
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
# Unbound runs as systemd service, so it stays in the foreground.
do-daemonize: no
# Foil spoof attempts: randomise the letter case of query names (0x20
# encoding) and check that the answer echoes it.
# NOTE(review): some authoritative servers do not preserve case; watch for
# resolution failures attributable to this option.
use-caps-for-id: yes
# Prefetch cached data to increase performance and privacy
prefetch: yes
# Fetch DNSKEYs early, when a DS record is seen, to speed up validation.
prefetch-key: yes
# Send only the labels each upstream server needs, instead of the full name.
qname-minimisation: yes
# Rotate the order of records within an RRset between answers.
rrset-roundrobin: yes
# DNSSEC root trust anchor, kept up to date by Unbound itself (RFC 5011);
# the file therefore has to be writable by the unbound account.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Do not answer id.server / hostname.bind and version.server / version.bind
# queries, so the host name and software version are not disclosed.
hide-identity: yes
hide-version: yes
# Leave out authority/additional records that are not required; smaller
# answers also reduce the amplification factor.
minimal-responses: yes
# Logging and statistics: log to syslog, no periodic statistics lines
# (interval 0), extended counters are kept, counters are not cumulative.
# Verbosity 0 logs errors only, so no per-query information is written.
use-syslog: yes
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: no
verbosity: 0
# Number of incoming TCP buffers per thread, i.e. how many TCP clients each
# thread can serve at the same time.
incoming-num-tcp: 400