On 14-02-16 08:11 AM, Brian Caouette wrote:
> What do you recommend for settings? Can you provide some screen shots?
> I also noticed the stats this morning show nothing in the unbound
> cache. No matter how many sites I visit nothing shows up in there.
> Yesterday when it first started working there were thousands. Not sure
> what's going on with it.

That may be normal. Unbound actually flushes its cached data when it's
supposed to, unlike dnsmasq which deliberately holds on to stale data.
Note that this isn't a bug in dnsmasq, it's a way to solve a specific
issue that improves most people's experience.

Bottom line: using unbound is going to make you a lot more
standards-compliant, and potentially a lot more secure, but also
slower. There isn't a lot of point running unbound unless you're
worried about cache poisoning or you want to do DNSSEC validation.

My unbound config starts like this:
---snip---
server:
    verbosity: 1
    interface: 0.0.0.0
    interface: ::0
    access-control: X.X.X.0/24 allow_snoop
    access-control: X.X.X.0/24 allow_snoop
    access-control: X.X.X.186/29 allow_snoop
    access-control: X:X:X::/48 allow_snoop
    statistics-interval: 3600
    extended-statistics: yes
    cache-max-ttl: 3600
    infra-host-ttl: 600
    log-time-ascii: yes
    log-queries: yes
    root-hints: "named.cache"
    unwanted-reply-threshold: 10000000
    prefetch: yes
    prefetch-key: yes
    module-config: "validator iterator"
    val-permissive-mode: no
    val-log-level: 2
    auto-trust-anchor-file: "/var/unbound/etc/ta/root.key"
---snip---
Do make sure that if you have DNSSEC validation turned on, that you also
have updated the trust anchor; stale TAs will cause lots of problems.
Turning on prefetch can help in some situations. Having a stale root
hints file will also cause problems. I don't run unbound on my pfSense
box, so I don't recall if pfSense automatically updates the TA and/or
the root-hints for you.
--
-Adam Thompson
[email protected]
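
The checks recommended in the message above (validator loaded, trust anchor and root hints not stale), written out as an added example; this is not code from the original message, from unbound or from pfSense. The 180-day threshold, the use of file modification time as the staleness signal, and the `base_dir` used to resolve relative paths are assumptions of this example.

```python
import os
import time

# Constructed sample using the option names from the config quoted above.
SAMPLE_CONF = """\
server:
    module-config: "validator iterator"
    val-permissive-mode: no
    root-hints: "named.cache"
    auto-trust-anchor-file: "/var/unbound/etc/ta/root.key"
"""
MAX_AGE_DAYS = 180  # assumption: staleness threshold picked for this example

def parse_conf(text):
    """Collect simple 'option: value' lines into {option: [values]}."""
    opts = {}
    for line in text.splitlines():
        key, sep, val = line.split("#", 1)[0].strip().partition(":")
        if sep:
            opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts

def audit(text, base_dir=".", now=None):
    """Return findings about validation settings and file freshness."""
    now = time.time() if now is None else now
    opts, findings = parse_conf(text), []
    if "validator" not in " ".join(opts.get("module-config", [])).split():
        findings.append("module-config does not list validator")
    if opts.get("val-permissive-mode", ["no"])[-1] == "yes":
        findings.append("val-permissive-mode is yes: bogus answers are still served")
    anchors = opts.get("auto-trust-anchor-file", []) + opts.get("trust-anchor-file", [])
    if not anchors:
        findings.append("no trust anchor file configured")
    # File mtime is used as a staleness heuristic (assumption of this example).
    for label, paths in (("trust anchor", anchors), ("root hints", opts.get("root-hints", []))):
        for p in paths:
            full = os.path.join(base_dir, p)  # relative paths resolve under base_dir
            if not os.path.exists(full):
                findings.append(f"{label} file missing: {p}")
            elif (now - os.path.getmtime(full)) / 86400 > MAX_AGE_DAYS:
                findings.append(f"{label} file older than {MAX_AGE_DAYS} days: {p}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, base_dir="/var/unbound/etc"):
        print("WARN:", finding)
```

An empty list from `audit()` means none of the conditions above were found; it does not prove that validation is working.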