Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A pretty good unbound.conf, DNSSEC, caching and local forwarding
remote-control:
control-enable: yes
server:
do-ip6: no
do-ip4: yes
do-udp: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
num-threads: 4
# Enable logs
verbosity: 1
# List of Root DNS Server
root-hints: "/var/lib/unbound/root.hints"
# Use the root servers key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Respond to DNS requests on all interfaces
interface: 0.0.0.0
max-udp-size: 3072
# Authorized IPs to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 10.42.0.0/16 allow
# not allowed to be returned for public internet names
private-address: 10.42.0.0/16
# Hide DNS Server info
hide-identity: yes
hide-version: yes
# Limit DNS Fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
use-caps-for-id: yes
# Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000000
# Have the validator print validation failures to the log.
val-log-level: 1
# Minimum lifetime of cache entries in seconds
cache-min-ttl: 300
# Maximum lifetime of cached entries
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
# Optimisations
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# increase memory size of the cache
rrset-cache-size: 256m
msg-cache-size: 128m
# increase buffer size so that no messages are lost in traffic spikes
so-rcvbuf: 1m
# Enable unvalidated lookups to VPC internal domains
private-domain: "internal"
domain-insecure: "internal"
unblock-lan-zones: yes
insecure-lan-zones: yes
forward-zone:
name: "internal."
forward-tls-upstream: no
forward-addr: 10.42.0.2
forward-zone:
name: "10.in-addr.arpa."
forward-addr: 10.42.0.2
# All other queries go to trusted DNS providers
forward-zone:
name: "."
forward-tls-upstream: yes
# Quad9
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
# Cloudflare DNS
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
@ialex87

This comment has been minimized.

Copy link

ialex87 commented Jun 1, 2020

Hey thanks for sharing this, out of curiosity what's is the dns latency on non cached dns query ? I'm constantly getting high values around 500ms.

@Overbryd

This comment has been minimized.

Copy link
Owner Author

Overbryd commented Jun 2, 2020

That might depend on the upstream DNS server you are using.

Have you compared an uncached query against unbound vs a query against the upstream dns?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.