<div dir="ltr">> Do you reach your server's conntrack limit?  <br><br>The word conntrack never appears in my logs, so I don't think it's that. The ISP also requires this from tor exits: net.netfilter.nf_conntrack_max = 10000<br><br>> Try setting RelayBandwidthRate to 95% of your link capacity.<div><br>Why 95%? Are you thinking to give it more bandwidth?<br><br>> From the IPs in your logs I assume your unbound is configured to query<br>> recursively itself (no upstream forwarding) that is good, can you confirm that<br>> and provide your unbound config + iptables -vnL?  </div><div><br><div dir="ltr"><div><div><div>Correct, unbound is recursive. Here's the config:<br><div>server:</div><div>        verbosity: 1</div><div>        statistics-interval: 0</div><div>        statistics-cumulative: no</div><div>        extended-statistics: no</div><div>        num-threads: 2</div><div>        interface-automatic: no</div><div>        do-ip6: no</div><div>        chroot: ""</div><div>        username: "unbound"</div><div>        directory: "/etc/unbound"</div><div>        log-time-ascii: yes</div><div>        pidfile: "/var/run/unbound/unbound.pid"</div><div>        harden-glue: yes</div><div>        harden-dnssec-stripped: yes</div><div>        harden-below-nxdomain: yes</div><div>        harden-referral-path: yes</div><div>        use-caps-for-id: no</div><div>        unwanted-reply-threshold: 10000000</div><div>        prefetch: yes</div><div>        prefetch-key: yes</div><div>        rrset-roundrobin: yes</div><div>        minimal-responses: yes</div><div>        module-config: "validator iterator"</div><div>        trusted-keys-file: /etc/unbound/keys.d/*.key</div><div>        auto-trust-anchor-file: "/var/lib/unbound/root.key"</div><div>        val-clean-additional: yes</div><div>        val-permissive-mode: no</div><div>        val-log-level: 1</div><div>        include: /etc/unbound/local.d/*.conf</div><div>remote-control:</div><div>        control-enable: 
no</div><div>        server-key-file: "/etc/unbound/unbound_server.key"</div><div>        server-cert-file: "/etc/unbound/unbound_server.pem"</div><div>        control-key-file: "/etc/unbound/unbound_control.key"</div><div>        control-cert-file: "/etc/unbound/unbound_control.pem"</div><div>include: /etc/unbound/conf.d/*.conf</div><div><br></div><div>Quintin</div></div></div></div></div></div></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><font color="#000000" face="monospace"><span style="font-size:10.5625px">0101100101000001010010000101011101000101010010000010000001000010</span></font></div><div><font color="#000000" face="monospace"><span style="font-size:10.5625px">0100110001000101010100110101001100100000010110010100111101010101</span></font></div></div></div>