From a85bb07933be6aa411c770f499da0e36b5a718e5 Mon Sep 17 00:00:00 2001
From: Markus Fleschutz
Date: Sun, 29 May 2022 10:50:38 +0200
Subject: [PATCH] Update unbound.conf
---
 Data/unbound.conf | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/Data/unbound.conf b/Data/unbound.conf
index b7f08e44..3de77948 100644
--- a/Data/unbound.conf
+++ b/Data/unbound.conf
@@ -4,29 +4,31 @@ remote-control:
 control-enable: yes # allows control using "unbound-control"
 server:
+ # GENERAL SETTINGS:
 interface: 0.0.0.0 # listen on all IPv4 network interfaces
 interface: ::0 # listen on all IPv6 network interfaces
 port: 53 # listen on port 53
 access-control: 127.0.0.1/8 allow # allow IPv4 queries from the local host
 access-control: ::1/64 allow # allow IPv6 queries from the local host
 access-control: 192.168.0.0/16 allow # allow IPv4 query from the local network
-
- qname-minimisation: yes # send minimal amount of information to upstream servers to enhance privacy
 auto-trust-anchor-file: "/var/lib/unbound/root.key" # location of the trust anchor file that enables DNSSEC
- num-threads: 1
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # for encrypted DNS over TLS
+ # PRIVACY SETTINGS:
+ qname-minimisation: yes # send minimal amount of information to upstream servers to enhance privacy
+ hide-identity: yes # less verbose responses
+ hide-version: yes # less verbose responses
+ verbosity: 0 # log nothing
+ # PERFORMANCE SETTINGS:
+ num-threads: 2 # number of threads to use (not more than CPU cores)
+ msg-cache-size: 100m
+ rrset-cache-size: 200m
 aggressive-nsec: yes
 prefetch: yes # refresh expiring cache entries, if less than 10% of their TTL remains
 prefetch-key: yes
- hide-identity: yes # less verbose responses
- hide-version: yes # less verbose responses
- rrset-cache-size: 100m
- msg-cache-size: 50m
 cache-min-ttl: 3600 # cache positive responses for 1 hour minimum
 cache-max-ttl: 172800 # cache positive responses for 2 days maximum
 cache-max-negative-ttl: 3600 # cache negative responses for 1 hour maximum
 so-reuseport: yes # faster UDP with multithreading (only on Linux)
- tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # for encrypted DNS over TLS
- verbosity: 0 # log nothing
 forward-zone:
 name: "fritz.box."
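Review bot: The `tls-cert-bundle` line under GENERAL SETTINGS does not by itself encrypt any upstream traffic; it only supplies the CA bundle unbound uses to authenticate a TLS peer, and TLS is only used by a forwarder that sets `forward-tls-upstream: yes` together with a `forward-addr: <ip>@853#<authname>` (or by the server-wide `tls-upstream: yes`). The `fritz.box.` forward-zone at the end of the hunk shows no such setting, so its queries appear to leave in plaintext; either add the TLS options to the forwarders that should be encrypted or reword the comment to `# CA bundle used to authenticate DNS-over-TLS forwarders (needs forward-tls-upstream: yes)` so nobody reads the line as "DoT is on". Separately, the moved `verbosity: 0 # log nothing` leaves no record of refused queries or DNSSEC validation failures to investigate after an incident; `verbosity: 1` keeps only operational messages and is the usual production setting. The forward-zone stanza continues past the end of the hunk.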