> Do you reach your server's conntrack limit?  

The word conntrack never appears in my logs, so I don't think it's that. The ISP also requires this from Tor exits: net.netfilter.nf_conntrack_max = 10000

> Try setting RelayBandwidthRate to 95% of your link capacity.

Why 95%? Are you thinking of giving it more bandwidth?

> From the IPs in your logs I assume your unbound is configured to query
> recursively itself (no upstream forwarding) that is good, can you confirm that
> and provide your unbound config + iptables -vnL?

Correct, unbound is recursive. Here's the config:
server:
        verbosity: 1
        statistics-interval: 0
        statistics-cumulative: no
        extended-statistics: no
        num-threads: 2
        interface-automatic: no
        do-ip6: no
        chroot: ""
        username: "unbound"
        directory: "/etc/unbound"
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        use-caps-for-id: no
        unwanted-reply-threshold: 10000000
        prefetch: yes
        prefetch-key: yes
        rrset-roundrobin: yes
        minimal-responses: yes
        module-config: "validator iterator"
        trusted-keys-file: /etc/unbound/keys.d/*.key
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 1
        include: /etc/unbound/local.d/*.conf
remote-control:
        control-enable: no
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"
include: /etc/unbound/conf.d/*.conf

Quintin


--
0101100101000001010010000101011101000101010010000010000001000010
0100110001000101010100110101001100100000010110010100111101010101
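Added editorial example, not part of the thread and not the poster's own script: a small POSIX sh check for the conntrack question raised above. "conntrack" not appearing in the application logs does not settle it, because the kernel reports an exhausted table in the kernel log (dmesg / kern.log) as "nf_conntrack: table full, dropping packet", and the live fill level is in /proc/sys/net/netfilter/nf_conntrack_count versus nf_conntrack_max. The script compares those two values, counts "table full" events in a log fed on stdin, and is exercised below with constructed numbers (the 10000 limit quoted in the post) rather than anything read from the poster's server. The 80% warning threshold is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks how close a host is to
# its nf_conntrack limit and whether the kernel has already logged table-full
# drops. Pure POSIX sh so it can run from cron on a relay.

# conntrack_usage_pct COUNT MAX -> prints the integer percentage of the table
# in use. Returns 1 (and prints 0) if MAX is not a positive number.
conntrack_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX [THRESHOLD_PCT] -> prints ok|warn|full.
# Exit code: 0 ok, 1 warn (at or above THRESHOLD_PCT, default 80, an assumed
# value), 2 full (COUNT >= MAX, i.e. new flows are being dropped).
conntrack_status() {
    count="$1"; max="$2"; threshold="${3:-80}"
    pct=$(conntrack_usage_pct "$count" "$max")
    if [ "$count" -ge "$max" ]; then
        echo full; return 2
    elif [ "$pct" -ge "$threshold" ]; then
        echo warn; return 1
    else
        echo ok; return 0
    fi
}

# count_table_full_events -> reads a kernel log on stdin and prints how many
# "nf_conntrack: table full, dropping packet" lines it contains (0 if none).
count_table_full_events() {
    grep -c -F 'nf_conntrack: table full, dropping packet' || true
}

# live_conntrack_check -> runs conntrack_status against the live sysctl files.
# The count file only exists while the nf_conntrack module is loaded, so a
# missing file is reported separately (exit 3) instead of being treated as 0.
live_conntrack_check() {
    sysdir=/proc/sys/net/netfilter
    if [ -r "$sysdir/nf_conntrack_count" ] && [ -r "$sysdir/nf_conntrack_max" ]; then
        conntrack_status "$(cat "$sysdir/nf_conntrack_count")" \
                         "$(cat "$sysdir/nf_conntrack_max")"
    else
        echo "nf_conntrack not loaded or $sysdir not readable" >&2
        return 3
    fi
}

# Offline demonstration with constructed numbers (10000 is the limit quoted in
# the post; the count is made up). The "|| :" keeps a non-zero status from
# aborting a script run under "set -e".
conntrack_status 9500 10000 || :
printf 'kernel: nf_conntrack: table full, dropping packet\nkernel: unrelated line\n' \
    | count_table_full_events
```

On a real relay the two calls to make are "live_conntrack_check" and "dmesg | count_table_full_events" (or "count_table_full_events < /var/log/kern.log"); a non-zero count from the second is the direct evidence the first question in the thread was asking for. Note that the posted unbound config has control-enable: no and statistics disabled, so unbound-control stats cannot be used as a second data point without changing that.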