Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

The purpose of this post is to pair possible solutions together with unbound. This happens in various forums in which I participate. I see no feedback from the majority on feedback and collaboration. I remember when we suggested including the TLS forwarding feature in unbound. This was the result of many collaborations. Here I only observe negative feedback and no technical knowledge. The resource

forward-zone:
   name: "."
   forward-addr:

It is used in many different ways in forums in which I participate. With or without dnsmasq

 

[rgnldo]

The problem with DoT today is the use of port 853. I experiment with DoT clients on a firewall controlled network, there are connectivity issues with DoT on port 853. For now, only stubby and DoH can configure recursive servers. on port 443 on the TCP protocol. We are almost getting the native TCP / TLS feature in unbound. For now, it is already possible with stubby.

This configuration is being tested. I am seeing support in version 1.9.5.

server:

    # port to answer queries from
    port: 53535

    verbosity: 2
    logfile: "/opt/var/lib/unbound/unbound.log"
    log-queries: yes
    log-replies: yes
    
    # Listen on tcp 443,853
    interface: 0.0.0.0@853
    interface: 0.0.0.0@443

    # Allow from anywhere
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow

    outgoing-interface: 0.0.0.0
    do-udp: no
    tcp-upstream: yes
    udp-upstream-without-downstream: no

    # service clients over TLS (on the TCP sockets), with plain DNS inside
    # the TLS stream.  Give the certificate to use and private key.
    # default is "" (disabled).  requires restart to take effect.
    tls-service-key: "/opt/var/lib/unbound/unbound_.key"
    tls-service-pem: "/opt/var/lib/unbound/unbound_.pem"
    tls-port: 853

    # cipher setting for TLSv1.2
    tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"

    # cipher setting for TLSv1.3
    tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

    # number of threads to create. 1 disables threading.
    num-threads: 1

    msg-cache-size: 8M
    rrset-cache-size: 16M

    # DNSSEC
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    
    trust-anchor-signaling: yes
    val-clean-additional: yes
    val-permissive-mode: no
    val-override-date: "0"
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    qname-minimisation: yes

    deny-any: yes
    
    # Set this to yes to prefer ipv6 upstream servers over ipv4.
    prefer-ip6: no

    rrset-roundrobin: yes
    minimal-responses: yes
    do-not-query-localhost: yes

    # Self jail Unbound with user "unbound" to /var/lib/unbound
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"

# Enable Unbound Remote Control
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    server-key-file: "/opt/var/lib/unbound/unbound_server.key"
    server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
    control-key-file: "/opt/var/lib/unbound/unbound_control.key"
    control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
   control-port: 8953

 

[Martineau]

@Martineau in the tests here, when the installer chooses to completely remove Unbound, it should also remove the haveged and stubby packages, if installed and the other corresponding folders.

opkg remove haveged stubby --autoremove
rm -R /opt/etc/stubby
rm /opt/etc/init.d/S62stubby

Unbound installer v1.15 available.

NOTE: I don't persistently track which Entware packages have been explicitly installed by 'unbound_installer'

e.g. haveged is already installed on my system, so it doesn't make sense to have the unbound_installer remove it.

Spoiler: Unbound uninstall log

Uninstalling unbound
KILLing unbound PID=9570
Removing Ad and Tracker Update cron job
Existing unbound package found. Removing unbound
Removing package unbound-control-setup from root...
Removing package unbound-control from root...
Removing package unbound-anchor from root...
Removing package unbound-daemon from root...
unbound Entware packages 'unbound-control-setup unbound-control unbound-anchor unbound-daemon' successfully removed
/opt/var/lib/unbound/adblock folder and all files removed
/opt/var/lib/unbound folder and all files removed
No files found to remove in /opt/etc/unbound
/opt/etc/unbound folder and all files removed
Removing '/opt/etc/init.d/S61unbound'

Uninstalling stubby
Removing package stubby from root...
Not deleting modified conffile /opt/etc/stubby/stubby.yml.
libyaml was autoinstalled and is now orphaned, removing.
Removing package libyaml from root...
getdns was autoinstalled and is now orphaned, removing.
Removing package getdns from root...
ca-certificates was autoinstalled and is now orphaned, removing.
Removing package ca-certificates from root...

Deleting '/opt/etc/stubby'
Removing unbound installer directives from 'dnsmasq.postconf'
Restarting dnsmasq.....
Deleting Performance/Memory tweaks '/jffs/scripts/stuning'

Uninstall of unbound completed.

The router will now REBOOT to finalize the removal of unbound
After the REBOOT, review the DNS settings on the WAN GUI and adjust if necessary
Press Y to REBOOT or press ENTER to ABORT

 

[Martineau]

If anyone is interested in testing, use this script that optimizes /proc tuning adjustments. Improving connectivity. I am getting excellent results. If we get results, we will add it to script-installer as an option.
Download from: https://raw.githubusercontent.com/rgnldo/Unbound-Asuswrt-Merlin/master/stuning

in the path /jffs/scripts

dos2unix /jffs/scripts/stuning
chmod +x /jffs/scripts/stuning

add on /jffs/scripts/init-start

/jffs/scripts/stuning start

Reboot

Unbound v1.15 available and reinstated Option 5. 'CPU/Performance tweaks' using this external srcript.

NOTE: It may be prudent to rename 'stuning' to something more appropriate

e.g. 'unbound_SystemPerf' ?

 

[rgnldo]

Unbound installer v1.15 available.

/opt/etc/init.d/rc.unslung restart
 Shutting down stubby...              done.
 Starting stubby...              done.

launcher S62stubby remains
Stubby still Installed

 

[rgnldo]

haveged is already installed on my system

I understand. It is recommended. The problem is that the user wants to clean up all packages needed in the unbound installation.

 

[Martineau]

/opt/etc/init.d/rc.unslung restart
 Shutting down stubby...              done.
 Starting stubby...              done.

launcher S62stubby remains
Stubby still Installed

Nope...can't reproduce.

When run in debug mode the 'opt/etc/init.d/S62stubby' delete command (as used in the original Stubby installer) works for me.

+ echo -e \e[96mUninstalling stubby\e[90m
Uninstalling stubby
+ opkg remove stubby --autoremove
Removing package stubby from root...
Not deleting modified conffile /opt/etc/stubby/stubby.yml.
libyaml was autoinstalled and is now orphaned, removing.
Removing package libyaml from root...
getdns was autoinstalled and is now orphaned, removing.
Removing package getdns from root...
ca-certificates was autoinstalled and is now orphaned, removing.
Removing package ca-certificates from root...
+ /opt/bin/find /opt/etc/init.d -type f -name S62stubby* -delete
+ echo -e \e[96mDeleting  '/opt/etc/stubby'
Deleting  '/opt/etc/stubby'
+ rm -R /opt/etc/stubby

 

[rgnldo]

Nope...can't reproduce.

When run in debug mode the 'opt/etc/init.d/S62stubby' delete command (as used in the original Stubby installer) works for me.

+ echo -e \e[96mUninstalling stubby\e[90m
Uninstalling stubby
+ opkg remove stubby --autoremove
Removing package stubby from root...
Not deleting modified conffile /opt/etc/stubby/stubby.yml.
libyaml was autoinstalled and is now orphaned, removing.
Removing package libyaml from root...
getdns was autoinstalled and is now orphaned, removing.
Removing package getdns from root...
ca-certificates was autoinstalled and is now orphaned, removing.
Removing package ca-certificates from root...
+ /opt/bin/find /opt/etc/init.d -type f -name S62stubby* -delete
+ echo -e \e[96mDeleting  '/opt/etc/stubby'
Deleting  '/opt/etc/stubby'
+ rm -R /opt/etc/stubby

Pardon. I redid the installation from scratch and uninstalled it. You're right. Thank you for your cooperation.

 

[Martineau]

I understand. It is recommended. The problem is that the user wants to clean up all packages needed in the unbound installation.

I believe the consensus is that Stubby benefits from 'haveged'?

So since Stubby is included in the latest RMerlin firmware (although Entware hosts version 0.2.9-1 vs. RMerlin Firmware version 0.2.9) I don't think it is detrimental to leave 'haveged' installed.

 

[rgnldo]

I believe the consensus is that Stubby benefits from 'haveged'?

So since Stubby is included in the latest RMerlin firmware (although Entware hosts version 0.2.9-1 vs. RMerlin Firmware version 0.2.9) I don't think it is detrimental to leave 'haveged' installed.

on S02haveged

ARGS="-w 1024 -d 32 -i 32 -v 1"

The idea of haveged is to fill this pool back up whenever the available bits gets near 1024. So while this number will fluctuate, it shouldn't drop below 1000 or so unless you're really demanding lots of randomness

cat /proc/sys/kernel/random/write_wakeup_threshold
1024

cat /proc/sys/kernel/random/entropy_avail
1874

cat /proc/sys/kernel/random/poolsize
4096

Good entropy on FW Merlin

 

[rgnldo]

@Martineau i am trying to adapt this script. I installed the BC package. But there is no return. Can you help?
https://github.com/cleanbrowsing/dnsperftest/blob/master/dnstest.sh

 

[rgnldo]

used --with-libvent argument

This is a compilation argument. Probably unbound was compiled with libevent support.

Just install this package. Do not use stubby.

opkg install libevent2

Change unbound.conf to these lines as per AX88U specifications.

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

so-reuseport: yes
outgoing-range: 4096
num-queries-per-thread: 1024

# tiny memory cache
key-cache-size: 64m
msg-cache-size: 32m
rrset-cache-size: 32m

 

[SolluxCaptor]

This is a compilation argument. Probably unbound was compiled with libevent support.

Just install this package. Do not use stubby.

opkg install libevent2

Change unbound.conf to these lines as per AX88U specifications.

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

so-reuseport: yes
outgoing-range: 4096
num-queries-per-thread: 1024

# tiny memory cache
key-cache-size: 64m
msg-cache-size: 32m
rrset-cache-size: 32m

Got it, you are right installing opkg was enough for Unbound to work on 2 threads properly. Thanks so much for your work, is there somewhere I can donate to the project / collaboration?

 

[rgnldo]

@SolluxCaptor Do not worry about your level of knowledge. The purpose of the forum is to collaborate. I learn a lot from everyone here.

 

[rgnldo]

I can donate to the project / collaboration?

Buy me a beer
https://www.snbforums.com/threads/the-rmerlin-donation-thread.17285/

@Martineau accept donation?

 

[Martineau]

@Martineau i am trying to adapt this script. I installed the BC package. But there is no return. Can you help?
https://github.com/cleanbrowsing/dnsperftest/blob/master/dnstest.sh

                  test1   test2   test3   test4   test5   test6   test7   test8   test9   test10  Average
127.0.0.1         7 ms    34 ms   7 ms    7 ms    10 ms   9 ms    7 ms    13 ms   1 ms    8 ms      10.30
cloudflare        7 ms    7 ms    6 ms    15 ms   7 ms    7 ms    6 ms    7 ms    7 ms    7 ms      7.60
level3            6 ms    7 ms    7 ms    7 ms    7 ms    7 ms    6 ms    7 ms    7 ms    7 ms      6.80
google            7 ms    7 ms    21 ms   7 ms    18 ms   19 ms   6 ms    15 ms   7 ms    13 ms     12.00
quad9             14 ms   13 ms   7 ms    7 ms    9 ms    7 ms    8 ms    7 ms    7 ms    10 ms     8.90
freenom           1000 ms 152 ms  159 ms  1000 ms 143 ms  1000 ms 1000 ms 411 ms  1000 ms 635 ms    650.00
opendns           7 ms    7 ms    8 ms    7 ms    9 ms    8 ms    8 ms    19 ms   7 ms    7 ms      8.70
norton            7 ms    7 ms    8 ms    7 ms    8 ms    7 ms    8 ms    8 ms    7 ms    7 ms      7.40
cleanbrowsing     168 ms  179 ms  170 ms  170 ms  171 ms  421 ms  166 ms  171 ms  171 ms  441 ms    222.80
yandex            48 ms   48 ms   48 ms   50 ms   48 ms   48 ms   48 ms   46 ms   48 ms   50 ms     48.20
adguard           7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms      7.00
neustar           12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms     12.00
comodo            7 ms    8 ms    7 ms    16 ms   7 ms    7 ms    7 ms    20 ms   8 ms    10 ms     9.70

 

[rgnldo]

                  test1   test2   test3   test4   test5   test6   test7   test8   test9   test10  Average
127.0.0.1         7 ms    34 ms   7 ms    7 ms    10 ms   9 ms    7 ms    13 ms   1 ms    8 ms      10.30
cloudflare        7 ms    7 ms    6 ms    15 ms   7 ms    7 ms    6 ms    7 ms    7 ms    7 ms      7.60
level3            6 ms    7 ms    7 ms    7 ms    7 ms    7 ms    6 ms    7 ms    7 ms    7 ms      6.80
google            7 ms    7 ms    21 ms   7 ms    18 ms   19 ms   6 ms    15 ms   7 ms    13 ms     12.00
quad9             14 ms   13 ms   7 ms    7 ms    9 ms    7 ms    8 ms    7 ms    7 ms    10 ms     8.90
freenom           1000 ms 152 ms  159 ms  1000 ms 143 ms  1000 ms 1000 ms 411 ms  1000 ms 635 ms    650.00
opendns           7 ms    7 ms    8 ms    7 ms    9 ms    8 ms    8 ms    19 ms   7 ms    7 ms      8.70
norton            7 ms    7 ms    8 ms    7 ms    8 ms    7 ms    8 ms    8 ms    7 ms    7 ms      7.40
cleanbrowsing     168 ms  179 ms  170 ms  170 ms  171 ms  421 ms  166 ms  171 ms  171 ms  441 ms    222.80
yandex            48 ms   48 ms   48 ms   50 ms   48 ms   48 ms   48 ms   46 ms   48 ms   50 ms     48.20
adguard           7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms    7 ms      7.00
neustar           12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms   12 ms     12.00
comodo            7 ms    8 ms    7 ms    16 ms   7 ms    7 ms    7 ms    20 ms   8 ms    10 ms     9.70

@rgnldo:/tmp/mnt/ENTWARE/test# ./dnstest.sh
./dnstest.sh: line 3: command: not found
bc was not found. Please install bc.

It's installed BC.

 

[Martineau]

@rgnldo:/tmp/mnt/ENTWARE/test# ./dnstest.sh
./dnstest.sh: line 3: command: not found
bc was not found. Please install bc.

It's installed BC.

Try this...

Spoiler: Script

#!/opt/bin/bash
# command -v bc > /dev/null || { echo "bc was not found. Please install bc."; exit 1; }
[ -n "$(which bc)" ] || { echo "bc was not found. Please install bc."; exit 1; }
# { command -v drill > /dev/null && dig=drill; } || { command -v dig > /dev/null && dig=dig; } || { echo "dig was not found. Please install dnsutils."; exit 1; }
[ -n "$(which drill)" ] && dig="drill";[ -n "$(which dig)" ] && dig="dig"
[ -z "$dig" ] && { echo "dig was not found. Please install dnsutils."; exit 1; }

NAMESERVERS=`cat /etc/resolv.conf | grep ^nameserver | cut -d " " -f 2 | sed 's/\(.*\)/&#&/'`
PROVIDERS="
1.1.1.1#cloudflare
4.2.2.1#level3
8.8.8.8#google
9.9.9.9#quad9
80.80.80.80#freenom
208.67.222.123#opendns
199.85.126.20#norton
185.228.168.168#cleanbrowsing
77.88.8.7#yandex
176.103.130.132#adguard
156.154.70.3#neustar
8.26.56.26#comodo
"
# Domains to test. Duplicated domains are ok
DOMAINS2TEST="www.google.com amazon.com facebook.com www.youtube.com www.reddit.com  wikipedia.org twitter.com gmail.com www.google.com whatsapp.com"

totaldomains=0
printf "%-18s" ""
for d in $DOMAINS2TEST; do
    totaldomains=$((totaldomains + 1))
    printf "%-8s" "test$totaldomains"
done
printf "%-8s" "Average"
echo ""

for p in $NAMESERVERS $PROVIDERS; do
    pip=${p%%#*}
    pname=${p##*#}
    ftime=0
    printf "%-18s" "$pname"
    for d in $DOMAINS2TEST; do
        ttime=$($dig +tries=1 +time=2 +stats @$pip $d |grep "Query time:" | cut -d : -f 2- | cut -d " " -f 2)
        if [ -z "$ttime" ]; then
            #let's have time out be 1s = 1000ms
            ttime=1000
        elif [ "x$ttime" = "x0" ]; then
            ttime=1
        fi
        printf "%-8s" "$ttime ms"
        ftime=$((ftime + ttime))
    done
    avg=$(bc -lq <<< "scale=2; $ftime/$totaldomains")
    echo "  $avg"
done

exit 0;

I got stitched up with the unbound installer, please do not expect me to fix more scripts you randomly find on the Internet.

 

[rgnldo]

Try this...

Spoiler: Script

#!/opt/bin/bash

# command -v bc > /dev/null || { echo "bc was not found. Please install bc."; exit 1; }
[ -n "$(which bc)" ] || { echo "bc was not found. Please install bc."; exit 1; }
# { command -v drill > /dev/null && dig=drill; } || { command -v dig > /dev/null && dig=dig; } || { echo "dig was not found. Please install dnsutils."; exit 1; }
# { command -v drill > /dev/null && dig=drill; } || { command -v dig > /dev/null && dig=dig; } || { echo "dig was not found. Please install dnsutils."; exit 1; }


NAMESERVERS=`cat /etc/resolv.conf | grep ^nameserver | cut -d " " -f 2 | sed 's/\(.*\)/&#&/'`

PROVIDERS="
1.1.1.1#cloudflare
4.2.2.1#level3
8.8.8.8#google
9.9.9.9#quad9
80.80.80.80#freenom
208.67.222.123#opendns
199.85.126.20#norton
185.228.168.168#cleanbrowsing
77.88.8.7#yandex
176.103.130.132#adguard
156.154.70.3#neustar
8.26.56.26#comodo
"

# Domains to test. Duplicated domains are ok
DOMAINS2TEST="www.google.com amazon.com facebook.com www.youtube.com www.reddit.com  wikipedia.org twitter.com gmail.com www.google.com whatsapp.com"


totaldomains=0
printf "%-18s" ""
for d in $DOMAINS2TEST; do
    totaldomains=$((totaldomains + 1))
    printf "%-8s" "test$totaldomains"
done
printf "%-8s" "Average"
echo ""


for p in $NAMESERVERS $PROVIDERS; do
    pip=${p%%#*}
    pname=${p##*#}
    ftime=0

    printf "%-18s" "$pname"
    for d in $DOMAINS2TEST; do
        ttime=$(dig +tries=1 +time=2 +stats @$pip $d |grep "Query time:" | cut -d : -f 2- | cut -d " " -f 2)
        if [ -z "$ttime" ]; then
            #let's have time out be 1s = 1000ms
            ttime=1000
        elif [ "x$ttime" = "x0" ]; then
            ttime=1
        fi

        printf "%-8s" "$ttime ms"
        ftime=$((ftime + ttime))
    done
    avg=$(bc -lq <<< "scale=2; $ftime/$totaldomains")

    echo "  $avg"
done


exit 0;

I got stitched up with the unbound installer, please do not expect me to fix more scripts you randomly find on the Internet.

Ok. I'm adapting for the purpose of measuring unbound query performance to attach to Munin monitoring. I am using only the logic of this script. But thank you for your cooperation. I'll do it here on my own.

 

[SolluxCaptor]

Got it, you are right installing opkg was enough for Unbound to work on 2 threads properly. Thanks so much for your work, is there somewhere I can donate to the project / collaboration?

Hmm. Actually I am still seeing the same thing with 2 threads, run dig command once - get fresh result. Run once more, cache. One more time - recursion again, run again - then cache again (and it stays)? Not sure how to verify that is what's happening here, each thread *appears* to have its own cache.

dig @127.0.0.1 yahoo.com

; <<>> DiG 9.14.4 <<>> @127.0.0.1 yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33686
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 1800 IN A 98.137.246.8
yahoo.com. 1800 IN A 72.30.35.10
yahoo.com. 1800 IN A 98.137.246.7
yahoo.com. 1800 IN A 72.30.35.9
yahoo.com. 1800 IN A 98.138.219.232
yahoo.com. 1800 IN A 98.138.219.231

;; Query time: 44 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 07 10:37:12 EST 2020
;; MSG SIZE rcvd: 134

andrew@RT-AX88U-48A8:/tmp/home/root# dig @127.0.0.1 yahoo.com

; <<>> DiG 9.14.4 <<>> @127.0.0.1 yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11285
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 1798 IN A 98.137.246.8
yahoo.com. 1798 IN A 72.30.35.10
yahoo.com. 1798 IN A 98.137.246.7
yahoo.com. 1798 IN A 72.30.35.9
yahoo.com. 1798 IN A 98.138.219.232
yahoo.com. 1798 IN A 98.138.219.231

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 07 10:37:14 EST 2020
;; MSG SIZE rcvd: 134

andrew@RT-AX88U-48A8:/tmp/home/root# dig @127.0.0.1 yahoo.com

; <<>> DiG 9.14.4 <<>> @127.0.0.1 yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64448
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 1800 IN A 98.137.246.7
yahoo.com. 1800 IN A 98.137.246.8
yahoo.com. 1800 IN A 72.30.35.9
yahoo.com. 1800 IN A 98.138.219.232
yahoo.com. 1800 IN A 72.30.35.10
yahoo.com. 1800 IN A 98.138.219.231

;; Query time: 83 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 07 10:37:17 EST 2020
;; MSG SIZE rcvd: 134

andrew@RT-AX88U-48A8:/tmp/home/root# dig @127.0.0.1 yahoo.com

; <<>> DiG 9.14.4 <<>> @127.0.0.1 yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11883
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 1794 IN A 98.137.246.8
yahoo.com. 1794 IN A 72.30.35.10
yahoo.com. 1794 IN A 98.137.246.7
yahoo.com. 1794 IN A 72.30.35.9
yahoo.com. 1794 IN A 98.138.219.232
yahoo.com. 1794 IN A 98.138.219.231

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 07 10:37:18 EST 2020
;; MSG SIZE rcvd: 134

Here is my top result if it is of help:

PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
1266 1 andrew S 12572 1.3 0 0.1 watchdog
1289 1 andrew S 9048 1.0 1 0.1 networkmap --bootwait
231 2 andrew SW 0 0.0 0 0.0 [bcmsw_rx]
1270 1 andrew S 12572 1.3 1 0.0 sw_devled
1711 1 andrew S 12572 1.3 0 0.0 usbled
1188 1 andrew S 9304 1.0 1 0.0 nt_center
1262 1 andrew S 4880 0.5 3 0.0 vis-datacollector
16753 6611 andrew R 3476 0.3 3 0.0 top
2344 1 nobody S 3200 0.3 0 0.0 avahi-daemon: running [RT-AX88U-48A8.local]
666 2 andrew SW 0 0.0 1 0.0 [dhd_watchdog_th]
1832 1831 andrew S 298m 33.7 2 0.0 syslog-ng
1884 1868 nobody S 141m 16.0 0 0.0 unbound -c /opt/var/lib/unbound/unbound.conf
1868 1 nobody S 141m 16.0 1 0.0 unbound -c /opt/var/lib/unbound/unbound.conf
2273 1 andrew S 82920 9.1 0 0.0 dnsmasq --log-async
1346 1 andrew S 52408 5.8 2 0.0 amas_lib
1886 1 nobody S 48844 5.4 0 0.0 pixelserv-tls 192.168.2.2
321 1 andrew S 18524 2.0 2 0.0 /bin/swmdk
6648 1 andrew S < 14692 1.6 1 0.0 dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
1175 1 andrew S 14620 1.6 2 0.0 /sbin/netool
1313 1 andrew S 14620 1.6 3 0.0 conn_diag
1 0 andrew S 14048 1.5 0 0.0 /sbin/init
3619 1 andrew S 13240 1.4 3 0.0 wred -B
1151 1 andrew S 12572 1.3 1 0.0 /sbin/wanduck
3807 1 andrew S 12572 1.3 2 0.0 bwdpi_wred_alive

Sometimes, I won't even hit cache until my 3rd try. Also here is my very odd full log using sa in Unbound Installer script:

sa

thread0.num.queries=361 thread1.num.queries_ip_ratelimited=0 total.num.cachehits=326
thread0.num.queries_ip_ratelimited=0 thread1.num.cachehits=188 total.num.cachemiss=440
thread0.num.cachehits=138 thread1.num.cachemiss=217 total.num.prefetch=1
thread0.num.cachemiss=223 thread1.num.prefetch=1 total.num.zero_ttl=0
thread0.num.prefetch=0 thread1.num.zero_ttl=0 total.num.recursivereplies=440
thread0.num.zero_ttl=0 thread1.num.recursivereplies=217 total.requestlist.avg=5.64399
thread0.num.recursivereplies=223 thread1.requestlist.avg=4.17431 total.requestlist.max=76
thread0.requestlist.avg=7.08072 thread1.requestlist.max=76 total.requestlist.overwritten=0
thread0.requestlist.max=56 thread1.requestlist.overwritten=0 total.requestlist.exceeded=0
thread0.requestlist.overwritten=0 thread1.requestlist.exceeded=0 total.requestlist.current.all=0
thread0.requestlist.exceeded=0 thread1.requestlist.current.all=0 total.requestlist.current.user=0
thread0.requestlist.current.all=0 thread1.requestlist.current.user=0 total.recursion.time.avg=0.120523
thread0.requestlist.current.user=0 thread1.recursion.time.avg=0.119702 total.recursion.time.median=0.0731055
thread0.recursion.time.avg=0.121322 thread1.recursion.time.median=0.0686868 total.tcpusage=0
thread0.recursion.time.median=0.0775243 thread1.tcpusage=0 time.now=1578412087.523573
thread0.tcpusage=0 total.num.queries=766 time.up=52915370.847053
thread1.num.queries=405 total.num.queries_ip_ratelimited=0 time.elapsed=52915370.847053

All entries are there twice but have a thread ID, intended behavior? I was also checking out Unbound's page on it here: https://nlnetlabs.nl/documentation/unbound/libunbound-tutorial-5/ it appears there are a few ways to approach multi-thread if I understand correctly.