Out of the box, access lists are going to be auto - but you might need to add that for your VPN tunnel network, sure.
Query name min is when you are walking down from the roots and, vs asking for www.domain.tld, you only ask the roots for tld; he says oh, .com, go ask the NS for .com; you then go ask the .com NS, hey, what's the NS for domain.tld..
Only when you get to the actual authoritative NS do you ask for the full record.
Keep in mind this can cause issues with some domains and CNAMEs, etc.. There are some threads here testing that, and I believe technet and stuff from MS was one of the domains that wouldn't resolve..
How is it you couldn't look up the RFC that is clearly listed in the notes about that setting?
"Only send minimum required labels of the QNAME and set QTYPE to A when possible. Best effort approach; full QNAME and original QTYPE will be sent when upstream replies with a RCODE other than NOERROR, except when receiving NXDOMAIN from a DNSSEC signed zone. Default is off.
Refer to RFC 7816 for in-depth information on Query Name Minimization."
You really have little use in the advanced section until you know what you're doing ;) And are wanting to do something a bit out of the box. Quick look there and one thing you might want to enable is
"Serve cache records even with TTL of 0" Prob give you better cache hits.
Your hide options are exactly that - they will NOT answer those sorts of queries.. Unless you were going to let the public query it there is no reason to enable those... Unless you think someone on your own local network or connected to your vpn is going to query your unbound for its version info and then from that HACK it ;)
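
The walk from the roots described in this post, and the fallback in the quoted option text, modelled as an added example that is not part of the original post and is not Unbound's code. The zone cuts, names and the misbehaving `b.domain.tld.` label are constructed, and the zone is assumed to be unsigned.

```python
"""Added example: which QNAME/QTYPE each zone's servers see during iteration."""

def labels(name):
    return [l for l in name.rstrip(".").split(".") if l]

def suffix(name, n):
    """Rightmost n labels of name as an absolute name ('.' when n == 0)."""
    parts = labels(name)
    return ".".join(parts[len(parts) - n:]) + "." if n else "."

def queries_sent(qname, qtype, zone_cuts, minimise, bad_rcode_for=frozenset()):
    """Return [(zone_asked, qname_sent, qtype_sent), ...] in the order sent.

    zone_cuts: delegation points, must include "." (constructed for the demo).
    bad_rcode_for: names for which the zone's server answers with an RCODE
    other than NOERROR, which triggers the full QNAME / original QTYPE fallback.
    """
    total = len(labels(qname))
    # Zones on the path from the root to qname, shallowest first.
    cuts = [suffix(qname, i) for i in range(total + 1)
            if suffix(qname, i) in zone_cuts]
    sent = []
    for idx, zone in enumerate(cuts):
        if not minimise:
            sent.append((zone, qname, qtype))   # every zone sees the full name
            continue
        last = idx == len(cuts) - 1
        stop = total if last else len(labels(cuts[idx + 1]))
        # Reveal one more label at a time until the next zone cut (or the end).
        for n in range(min(len(labels(zone)) + 1, total), stop + 1):
            name, full = suffix(qname, n), n == total
            sent.append((zone, name, qtype if full else "A"))
            if name in bad_rcode_for and not full:
                sent.append((zone, qname, qtype))   # best-effort fallback
                break
    return sent

CUTS = {".", "tld.", "domain.tld."}   # constructed delegation chain

if __name__ == "__main__":
    for mode in (False, True):
        print("minimise =", mode)
        for q in queries_sent("www.domain.tld.", "AAAA", CUTS, mode):
            print("  ask %-12s for %-16s %s" % q)
    print("misbehaving server on an intermediate label:")
    for q in queries_sent("host.a.b.domain.tld.", "AAAA", CUTS, True,
                          bad_rcode_for={"b.domain.tld."}):
        print("  ask %-12s for %-22s %s" % q)
```
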