Tor Exit Relay with Unbound, problems

Hey

Who can help me with a Tor exit relay using Unbound?

With Unbound, I have 1-2 days of exit, followed by bad exit.

Without Unbound, I have until Exit and all votes on EXIT (public DNS, which I don’t like)

My Unbound config:

*************************************************

server:

# The  verbosity  number, level 0 means no verbosity, only errors.
# Level 1 gives operational information. Level  2  gives  detailed
# operational  information. Level 3 gives query level information,
# output per query.  Level 4 gives  algorithm  level  information.
# Level 5 logs client identification for cache misses.  Default is
# level 1.
verbosity: 0

interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: yes

# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Use this only when you downloaded the list of primary root servers!
# Read the root hints from this file. Make sure to
# update root.hints every 5-6 months.
root-hints: "/var/lib/unbound/root.hints"

# Trust glue only if it is within the servers authority
#harden-glue: yes

harden-glue: no

# Ignore very large queries.
#harden-large-queries: yes

harden-large-queries: no

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
# If you want to disable DNSSEC, set harden-dnssec stripped: no
#harden-dnssec-stripped: yes

harden-dnssec-stripped: no

# Number of bytes size to advertise as the EDNS reassembly buffer
# size. This is the value put into  datagrams over UDP towards
# peers. The actual buffer size is determined by msg-buffer-size
# (both for TCP and UDP).
edns-buffer-size: 1232

# Rotates RRSet order in response (the pseudo-random
# number is taken from the query ID, for speed and thread safety).
rrset-roundrobin: yes

# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data anymore
cache-min-ttl: 600
cache-max-ttl: 172800

# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on. 
serve-expired: yes

# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes

# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes

# Refuse id.server and hostname.bind queries
hide-identity: yes

# Report this identity rather than the hostname of the server.
identity: "Server"

# Refuse version.server and version.bind queries
hide-version: yes

# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no

# Number  of  bytes size of the aggressive negative cache.
neg-cache-size: 8m

key-cache-size: 32m

# Send minimum amount of information to upstream servers to enhance privacy
qname-minimisation: yes

# Deny queries of type ANY with an empty response.
# Works only on version 1.8 and above
#deny-any: yes

deny-any: no

auto-trust-anchor-file: "/var/lib/unbound/root.key"


# Do not insert authority/additional sections into response messages when
# those sections are not required. This reduces response size
# significantly, and may avoid TCP fallback for some responses. This may
# cause a slight speedup.
#minimal-responses: yes

minimal-responses: no

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
# This flag updates the cached domains
prefetch: yes

# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for 
# most users running on small networks or on a single machine, it should be unnecessary
# to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# more cache memory. rrset-cache-size should twice what msg-cache-size is.
msg-cache-size: 200m
rrset-cache-size: 400m

# Faster UDP with multithreading (only on Linux).
so-reuseport: yes

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 8m
so-sndbuf: 8m

# Set the total number of unwanted replies to keep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 100000

#Use 0x20-encoded random bits in the  query  to  foil  spoof  at-
#tempts.   This  perturbs  the  lowercase  and uppercase of query
#names sent to authority servers and checks if  the  reply  still
#has  the  correct casing.  Disabled by default.  This feature is
#an experimental implementation of draft dns-0x20.
#use-caps-for-id: yes

use-caps-for-id: no

# Minimize logs
# Do not print one line per query to the log
log-queries: no
# Do not print one line per reply to the log
log-replies: no
# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no
# Do not print log lines to inform about local zone actions
log-local-actions: no
# Discard the log output entirely
logfile: /dev/null

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

**********************

Since I can still use apt update, I did that.

iptables -t nat -A OUTPUT -o lo -p udp --dport 53 -j REDIRECT --to-port 5335
iptables -t nat -A OUTPUT -o lo -p tcp --dport 53 -j REDIRECT --to-port 5335

ip6tables -t nat -A OUTPUT -o lo -p udp --dport 53 -j REDIRECT --to-port 5335
ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 53 -j REDIRECT --to-port 5335

I hope someone can help me find the error in my unbound config.

cya

Brian
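A small check for the posted config, added here as an example (not code from the post or from the Unbound project): it parses the `server:` block and lists the hardening options that were explicitly switched off relative to their documented defaults, plus the `cache-min-ttl` override that the config's own comment warns about. The default table is an assumption taken from unbound.conf(5) and should be verified against the installed version.

```python
"""Check an Unbound server: block for hardening options that were switched off.

Added example for the config in this post; not code from the post or from Unbound.
HARDENING_DEFAULTS is an assumption taken from unbound.conf(5); verify it against
the installed version (`unbound -V`) before trusting a result.
"""
import re

# Hardening options whose documented default is "yes" (assumption: check unbound.conf(5)).
HARDENING_DEFAULTS = {
    "harden-glue": "yes",
    "harden-dnssec-stripped": "yes",
    "minimal-responses": "yes",
    "qname-minimisation": "yes",
}

# Constructed sample: the relevant lines from the posted config, not the full file.
SAMPLE_CONF = """
server:
    # Trust glue only if it is within the servers authority
    #harden-glue: yes
    harden-glue: no
    harden-dnssec-stripped: no
    cache-min-ttl: 600
    qname-minimisation: yes
    minimal-responses: no
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
"""

def parse_unbound(text):
    """Return (key, value) pairs in file order; repeatable keys stay repeated."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        m = re.match(r"^([\w-]+):\s*(.+)$", line)  # a bare clause header like 'server:' has no value
        if m:
            pairs.append((m.group(1), m.group(2).strip().strip('"')))
    return pairs

def find_weakened(text):
    """Map option -> reason for every setting that weakens validation or caching hygiene."""
    findings = {}
    for key, value in parse_unbound(text):
        if HARDENING_DEFAULTS.get(key) == "yes" and value == "no":
            findings[key] = "hardening option disabled (documented default is yes)"
        elif key == "cache-min-ttl" and value.isdigit() and int(value) > 0:
            # The config's own comment: a minimum TTL keeps data longer than the owner intended
            findings[key] = f"minimum TTL of {value}s overrides record owners' TTLs"
    return findings

if __name__ == "__main__":
    for key, why in find_weakened(SAMPLE_CONF).items():
        print(f"{key}: {why}")
```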