A pretty good unbound.conf, DNSSEC, caching and local forwarding
server:
    # Remote control for unbound-control; the default control-interface is
    # 127.0.0.1 and the key pair from unbound-control-setup guards it
    control-enable: yes
    # IPv4-only transport, both for listening and for queries to upstreams
    do-ip6: no
    do-ip4: yes
    do-udp: yes
    # CA bundle used to verify the DNS-over-TLS upstreams named with #authname below
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    num-threads: 4
    # Logging: 1 is operational messages only
    verbosity: 1
    # Root server hints, only used when unbound iterates itself (everything is forwarded below)
    root-hints: "/var/lib/unbound/root.hints"
    # Root zone trust anchor for DNSSEC validation; unbound keeps the file current (RFC 5011)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Listening addresses go here: interface: <address>
    # Largest UDP answer; 3072 still fits DNSSEC-signed answers but limits how good an amplifier the resolver is
    max-udp-size: 3072
    # Who may query: each rule is <netblock> <action>; refuse by default, then allow the VPC/LAN
    # (the netblocks are missing on this page)
    access-control: refuse
    access-control: allow
    access-control: allow
    # private-address: <netblock> rules stop public names from resolving to private space (DNS rebinding)
    # Hide server identity: refuse id.server / version.server CHAOS queries
    hide-identity: yes
    hide-version: yes
    # Harden against spoofing and DNSSEC downgrade
    # Only accept glue that is within the referring server's authority
    harden-glue: yes
    # Treat a trust-anchored zone whose signatures are missing as bogus rather than insecure
    harden-dnssec-stripped: yes
    # Validate the referral path as well (experimental, costs extra queries)
    harden-referral-path: yes
    # 0x20 query-name case randomisation to make cache poisoning harder
    use-caps-for-id: yes
    # After this many unsolicited replies, flush the message and RRset caches
    # (the value suggested in unbound.conf(5))
    unwanted-reply-threshold: 10000000
    # Log a one-line reason for each validation failure (2 gives a full trace)
    val-log-level: 1
    # Cache TTL floor and ceiling in seconds. The floor overrides shorter TTLs set by zone owners,
    # so changes behind short TTLs (failover, geo-steering) can be served up to 5 minutes stale
    cache-min-ttl: 300
    cache-max-ttl: 14400
    # Refresh popular records, and their DNSKEYs, before they expire
    prefetch: yes
    prefetch-key: yes
    # Cache layout: slab counts must be a power of two, ideally close to num-threads
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Cache sizes; keep rrset-cache-size about twice msg-cache-size
    rrset-cache-size: 256m
    msg-cache-size: 128m
    # Socket receive buffer so queries are not dropped in traffic spikes
    # (the kernel must allow it: net.core.rmem_max >= 1m)
    so-rcvbuf: 1m
    # VPC-internal names: allow private addresses in their answers and skip DNSSEC for them
    private-domain: "internal"
    domain-insecure: "internal"
    # Send reverse lookups for private address space to the forwarders, unvalidated
    unblock-lan-zones: yes
    insecure-lan-zones: yes

# Internal zones go to the VPC resolver in plaintext
forward-zone:
    name: "internal."
    # forward-addr: <VPC resolver address>
    forward-tls-upstream: no

forward-zone:
    name: ""
    # zone name and forward-addr are missing on this page

# All other queries go to trusted DNS providers over TLS; each forward-addr is written
# <ip>@853#<tls auth name> so the upstream certificate is checked against that name
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9
    # Cloudflare DNS
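The settings above only buy security if they are actually present and consistent: a catch-all `allow` makes an open resolver, `harden-dnssec-stripped` does nothing without a trust anchor, and `forward-tls-upstream: yes` encrypts without authenticating unless each upstream has a `#auth-name` and a CA bundle to check it against. The following is an added example, not the gist's own code or anything shipped with unbound: a small parser for unbound's `clause:` / `key: value` syntax and a policy check over it, run against two constructed configs (a weak one, and a hardened one modelled on the gist). The `10.0.0.2` VPC resolver and the Quad9/Cloudflare `@853#name` upstreams in the samples are assumptions for the demo.

```python
"""Lint an unbound.conf for the hardening points the gist relies on.

Added example, not part of the gist. The two configs at the bottom are
constructed samples; the VPC resolver and the DoT upstreams are assumed.
"""
import re

# unbound starts a comment at '#' only at a token boundary, so the
# '#auth-name' suffix of a forward-addr must survive comment stripping.
_COMMENT = re.compile(r'(^|\s)#.*$')


def parse_unbound_conf(text):
    """Return the config as an ordered list of (clause, {key: [values]}).

    Clause headers (server:, forward-zone:, ...) are lines without a value;
    forward-zone: repeats, so clauses stay in file order. Values are lists
    because keys such as access-control and forward-addr repeat too.
    """
    clauses, current = [], None
    for raw in text.splitlines():
        line = _COMMENT.sub('', raw).strip()
        if not line:
            continue
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip()
        if value == '':                      # "server:" opens a new clause
            current = (key, {})
            clauses.append(current)
            continue
        if current is None:
            raise ValueError(f'setting outside any clause: {line!r}')
        current[1].setdefault(key, []).append(value.strip('"'))
    return clauses


def audit(clauses):
    """Return a list of findings; an empty list means every check passed."""
    findings, server = [], {}
    for clause, settings in clauses:
        if clause == 'server':               # several server: clauses merge
            for key, values in settings.items():
                server.setdefault(key, []).extend(values)

    def last(key, default=None):
        return server.get(key, [default])[-1]   # last occurrence wins

    # An allow rule for the whole address space is an open resolver, usable
    # for reflection/amplification against third parties.
    for rule in server.get('access-control', []):
        net, _, action = rule.partition(' ')
        if net in ('0.0.0.0/0', '::/0') and action.strip().startswith('allow'):
            findings.append(f'open resolver: access-control {rule}')

    # Without a trust anchor unbound never validates, so harden-dnssec-stripped
    # and the AD bit mean nothing; with one, stripped signatures must be bogus.
    if not any(server.get(k) for k in ('auto-trust-anchor-file', 'trust-anchor-file')):
        findings.append('no DNSSEC trust anchor: answers are never validated')
    elif last('harden-dnssec-stripped', 'yes') != 'yes':
        findings.append('harden-dnssec-stripped is off: stripped signatures are accepted')

    for key in ('hide-identity', 'hide-version'):   # both default to "no"
        if last(key, 'no') != 'yes':
            findings.append(f'{key} is not yes: id.server/version.server CHAOS queries are answered')

    # Forwarders: the "." zone carries public names, so it must use TLS with a
    # CA bundle (certificate check) and a #auth-name per address (name check).
    tls_default = last('tls-upstream', 'no') == 'yes'
    can_verify = bool(last('tls-cert-bundle')) or last('tls-system-cert', 'no') == 'yes'
    for clause, zone in clauses:
        if clause != 'forward-zone':
            continue
        name = zone.get('name', ['?'])[-1]
        addrs = zone.get('forward-addr', [])
        tls = zone.get('forward-tls-upstream', ['yes' if tls_default else 'no'])[-1] == 'yes'
        if not tls:
            if name == '.':
                findings.append('forward-zone ".": public queries forwarded in plaintext to '
                                + ', '.join(addrs))
            continue                         # plaintext to an internal zone is a choice
        if not can_verify:
            findings.append(f'forward-zone "{name}": no tls-cert-bundle, upstream certificate is not verified')
        for addr in addrs:
            _, _, port_and_name = addr.partition('@')
            port = port_and_name.split('#', 1)[0]
            if port != '853':
                findings.append(f'forward-zone "{name}": {addr} lacks @853, TLS would go to port {port or "53"}')
            if '#' not in port_and_name:
                findings.append(f'forward-zone "{name}": {addr} has no #auth-name, certificate name is not checked')
    return findings


# Constructed sample: what the gist is hardening against.
WEAK_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow    # anyone on the internet may query
    hide-identity: no
forward-zone:
    name: "."
    forward-addr: 9.9.9.9              # plain DNS on port 53
"""

# Constructed sample modelled on the gist; 10.0.0.2 is an assumed VPC resolver.
HARDENED_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-dnssec-stripped: yes
    domain-insecure: "internal"
forward-zone:
    name: "internal."
    forward-addr: 10.0.0.2
    forward-tls-upstream: no
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net         # Quad9
    forward-addr: 1.1.1.1@853#cloudflare-dns.com    # Cloudflare
"""

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(f'== {label}', *(audit(parse_unbound_conf(conf)) or ['no findings']), sep='\n  ')
```

This is a policy check, not a syntax check: run `unbound-checkconf` first for the latter. The comment regex matters more than it looks, because a naive `split('#')` would silently drop the `#dns.quad9.net` auth name and turn an authenticated forwarder into an unauthenticated one in whatever tooling copies the config around.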

@ialex87 ialex87 commented Jun 1, 2020

Hey, thanks for sharing this. Out of curiosity, what is the DNS latency on a non-cached DNS query? I'm constantly getting high values, around 500 ms.


This comment has been minimized.

Copy link
Owner Author

@Overbryd Overbryd commented Jun 2, 2020

That might depend on the upstream DNS server you are using.

Have you compared an uncached query against unbound vs a query against the upstream DNS?


This comment has been minimized.

Copy link

@DavidOsipov DavidOsipov commented Jul 19, 2020

High values are thanks to DNSSEC checks. However, it shouldn't be a problem since you have a caching resolver.
