Use unbound to forward queries

Ailomanga sakamoto kixort at
Fri Feb 8 11:03:34 UTC 2019

I use Unbound, listening on port 53, to forward queries to port 5353 (dnscrypt v2), but I find it slow. When Unbound gets a request, it always sends the query to the root servers first and only then forwards it to port 5353. How can I make Unbound forward first?
I want to use Redis as a cache, and I also want to use subnet, but module-config allows only subnetcache or cachedb, not both.
Here is my conf:
# Unbound configuration as posted. In this archived copy the text in front of
# each '@' appears to have been dropped (addresses show up as " at PORT"), and
# no clause header lines (server:, forward-zone:, ...) are visible. The
# comments below describe only what the remaining lines establish.
verbosity: 1
num-threads: 2
# Listeners on port 53 (plain DNS) and port 853 (TLS, matching tls-port below).
# "::0" is the IPv6 wildcard; the IPv4 addresses are missing from this copy.
interface: at 53
interface: ::0 at 53
interface: at 853
interface: ::0 at 853
prefer-ip6: no
outgoing-num-tcp: 1024
incoming-num-tcp: 2048
so-rcvbuf: 8m
so-sndbuf: 8m
so-reuseport: yes
# NOTE(review): 4096-byte UDP payloads invite IP fragmentation and make large
# responses more useful for reflection/amplification; about 1232 bytes is the
# commonly recommended value for a listener reachable from other networks.
edns-buffer-size: 4096
max-udp-size: 4096
msg-buffer-size: 65552
msg-cache-size: 64m
num-queries-per-thread: 2048
jostle-timeout: 300
unknown-server-time-limit: 2000
rrset-cache-size: 512m
rrset-cache-slabs: 4
cache-min-ttl: 90
cache-max-ttl: 43200
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
tcp-upstream: no
udp-upstream-without-downstream: no
tcp-mss: 0
outgoing-tcp-mss: 0
tcp-idle-timeout: 30000
# NOTE(review): the netblock is missing from this line. The IPv6 listeners
# above bind the wildcard address, so confirm that this rule covers only the
# intended client networks; an allow rule for every address makes the server
# an open resolver.
access-control: allow
use-syslog: yes
# NOTE(review): the path ends at the directory; the file name looks truncated.
pidfile: "/var/run/"
root-hints: "named.cache"
# Refuse id.server/hostname.bind and version.server/version.bind queries.
hide-identity: yes
hide-version: yes
harden-glue: yes
qname-minimisation: yes
qname-minimisation-strict: no
rrset-roundrobin: yes
prefetch: yes
# NOTE(review): with "yes", Unbound will not send queries to 127.0.0.0/8 or
# ::1. If the forwarder on port 5353 listens on a loopback address (the address
# is missing from this copy), it is never used; that case needs "no" here.
do-not-query-localhost: yes
minimal-responses: yes
# Module order: client-subnet cache, then DNSSEC validator, then iterator.
module-config: "subnetcache validator iterator"
neg-cache-size: 20m
include: "/usr/local/dns/etc/unbound/local.unbound.conf"

edns-tcp-keepalive: yes
edns-tcp-keepalive-timeout: 60000
# DNSSEC root trust anchor, kept up to date by Unbound (RFC 5011 tracking).
auto-trust-anchor-file: "/usr/local/dns/etc/unbound/root.key"
hide-trustanchor: no
aggressive-nsec: yes

# Key and certificate for the DNS-over-TLS service on port 853. The private
# key file should be readable only by the account Unbound runs as.
tls-service-key: "/usr/local/dns/etc/tls.key"
tls-service-pem: "/usr/local/dns/etc/tls.crt"
tls-port: 853
# Upstream queries are not sent over TLS; tls-cert-bundle is the CA bundle
# used to authenticate upstream TLS connections when those are enabled.
tls-upstream: no
tls-cert-bundle: "/usr/local/dns/etc/certs.pem"

# NOTE(review): send-client-subnet names the upstream servers that receive the
# client's subnet via EDNS Client Subnet. ECS discloses part of the client
# address to upstreams, which works against the privacy goal of forwarding
# through dnscrypt-proxy - confirm this is wanted.
send-client-subnet: ::0/64

include: "/usr/local/dns/etc/unbound/whitelist.conf"
    # name/forward-addr/forward-first are forward-zone: options; the clause
    # header line is not visible in this copy. name "." forwards everything.
    name: "."
    forward-addr: at 5353  #DNScrypt-proxy
    # forward-first: yes retries a failed forward as normal recursion starting
    # at the root servers. Whenever the forwarder does not answer, queries go
    # to root/authoritative servers in cleartext, bypassing dnscrypt-proxy.
    # "no" forwards only and fails instead of falling back.
    forward-first: yes

# Disabled cachedb (redis backend) options, left commented out by the poster.
#     backend: "unbound"
#     secret-seed: "default"
#     redis-server-host:
#     redis-server-port: 6379
#     redis-timeout: 100