Created
March 29, 2019 14:54
-
-
Save Overbryd/ab15ee86c58260cb6d0be634a4c58057 to your computer and use it in GitHub Desktop.
A pretty good unbound.conf, DNSSEC, caching and local forwarding
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| remote-control: | |
| control-enable: yes | |
| server: | |
| do-ip6: no | |
| do-ip4: yes | |
| do-udp: yes | |
| tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt | |
| num-threads: 4 | |
| # Enable logs | |
| verbosity: 1 | |
| # List of Root DNS Server | |
| root-hints: "/var/lib/unbound/root.hints" | |
| # Use the root servers key for DNSSEC | |
| auto-trust-anchor-file: "/var/lib/unbound/root.key" | |
| # Respond to DNS requests on all interfaces | |
| interface: 0.0.0.0 | |
| max-udp-size: 3072 | |
| # Authorized IPs to access the DNS Server | |
| access-control: 0.0.0.0/0 refuse | |
| access-control: 127.0.0.1 allow | |
| access-control: 10.42.0.0/16 allow | |
| # not allowed to be returned for public internet names | |
| private-address: 10.42.0.0/16 | |
| # Hide DNS Server info | |
| hide-identity: yes | |
| hide-version: yes | |
| # Limit DNS Fraud and use DNSSEC | |
| harden-glue: yes | |
| harden-dnssec-stripped: yes | |
| harden-referral-path: yes | |
| use-caps-for-id: yes | |
| # Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning | |
| unwanted-reply-threshold: 10000000 | |
| # Have the validator print validation failures to the log. | |
| val-log-level: 1 | |
| # Minimum lifetime of cache entries in seconds | |
| cache-min-ttl: 300 | |
| # Maximum lifetime of cached entries | |
| cache-max-ttl: 14400 | |
| prefetch: yes | |
| prefetch-key: yes | |
| # Optimisations | |
| msg-cache-slabs: 8 | |
| rrset-cache-slabs: 8 | |
| infra-cache-slabs: 8 | |
| key-cache-slabs: 8 | |
| # increase memory size of the cache | |
| rrset-cache-size: 256m | |
| msg-cache-size: 128m | |
| # increase buffer size so that no messages are lost in traffic spikes | |
| so-rcvbuf: 1m | |
| # Enable unvalidated lookups to VPC internal domains | |
| private-domain: "internal" | |
| domain-insecure: "internal" | |
| unblock-lan-zones: yes | |
| insecure-lan-zones: yes | |
| forward-zone: | |
| name: "internal." | |
| forward-tls-upstream: no | |
| forward-addr: 10.42.0.2 | |
| forward-zone: | |
| name: "10.in-addr.arpa." | |
| forward-addr: 10.42.0.2 | |
| # All other queries go to trusted DNS providers | |
| forward-zone: | |
| name: "." | |
| forward-tls-upstream: yes | |
| # Quad9 | |
| forward-addr: 9.9.9.9@853#dns.quad9.net | |
| forward-addr: 149.112.112.112@853#dns.quad9.net | |
| # Cloudflare DNS | |
| forward-addr: 1.1.1.1@853#cloudflare-dns.com | |
| forward-addr: 1.0.0.1@853#cloudflare-dns.com |
That might depend on the upstream DNS server you are using.
Have you compared an uncached query against unbound vs a query against the upstream dns?
High values are thanks to DNSSEC checks. However it shouldn't be a problem since you have a caching resolver.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey thanks for sharing this, out of curiosity what's is the dns latency on non cached dns query ? I'm constantly getting high values around 500ms.