I was under the impression that unbound would be faster due to its
caching. dnsmasq doesn't cache, does it? I actually notice a difference
once the initial lookup is done, but overall unbound seems really flaky.
It also doesn't appear to be very stable.

On 2/16/2014 9:55 AM, Adam Thompson wrote:
> On 14-02-16 08:11 AM, Brian Caouette wrote:
>> What do you recommend for settings? Can you provide some screen shots?
>> I also noticed the stats this morning show nothing in the unbound
>> cache. No matter how many sites I visit nothing shows up in there.
>> Yesterday when it first started working there were thousands. Not
>> sure what's going on with it.
>
> That may be normal. Unbound actually flushes its cached data when
> it's supposed to, unlike dnsmasq which deliberately holds on to stale
> data. Note that this isn't a bug in dnsmasq, it's a way to solve a
> specific issue that improves most people's experience.
>
> Bottom line: using unbound is going to make you a lot more
> standards-compliant, and potentially a lot more secure, but also
> slower. There isn't a lot of point running unbound unless you're
> worried about cache poisoning or you want to do DNSSEC validation.
>
> My unbound config starts like this:
> ---snip---
> server:
>     verbosity: 1
>     interface: 0.0.0.0
>     interface: ::0
>     access-control: X.X.X.0/24 allow_snoop
>     access-control: X.X.X.0/24 allow_snoop
>     access-control: X.X.X.186/29 allow_snoop
>     access-control: X:X:X::/48 allow_snoop
>     statistics-interval: 3600
>     extended-statistics: yes
>     cache-max-ttl: 3600
>     infra-host-ttl: 600
>     log-time-ascii: yes
>     log-queries: yes
>     root-hints: "named.cache"
>     unwanted-reply-threshold: 10000000
>     prefetch: yes
>     prefetch-key: yes
>     module-config: "validator iterator"
>     val-permissive-mode: no
>     val-log-level: 2
>     auto-trust-anchor-file: "/var/unbound/etc/ta/root.key"
> ---snip---
>
> Do make sure that if you have DNSSEC validation turned on, that you
> also have updated the trust anchor; stale TAs will cause lots of
> problems. Turning on prefetch can help in some situations. Having a
> stale root hints file will also cause problems. I don't run unbound
> on my pfSense box, so I don't recall if pfSense automatically updates
> the TA and/or the root-hints for you.
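
A freshness check for the two files the quoted message warns about, added here as an example and not part of the original e-mail or of pfSense or unbound: it reads `auto-trust-anchor-file` and `root-hints` from an unbound.conf and flags either file if it is missing or older than a chosen number of days. The function names, the 30/180-day defaults and the rule that relative paths resolve against the config file's directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether the trust
# anchor and root hints named in an unbound.conf are missing or stale.

# conf_value FILE KEY: print the value of the first "KEY: value" line,
# with surrounding double quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# is_stale FILE DAYS: succeed if FILE is missing or was last modified
# more than DAYS days ago (find -mtime works on both BSD and GNU).
is_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mtime +"$2" -print)" ]
}

# check_unbound_freshness CONF TA_DAYS HINTS_DAYS
# Prints one status line per option; returns 1 if any file is stale.
check_unbound_freshness() {
    conf=$1
    rc=0
    dir=$(dirname "$conf")
    for pair in "auto-trust-anchor-file:$2" "root-hints:$3"; do
        key=${pair%%:*}
        days=${pair##*:}
        path=$(conf_value "$conf" "$key")
        [ -n "$path" ] || { echo "$key: not set in $conf"; continue; }
        # Assumption: a relative path is relative to the config's directory.
        case $path in /*) ;; *) path="$dir/$path" ;; esac
        if is_stale "$path" "$days"; then
            echo "$key: STALE or missing ($path, limit ${days}d)"
            rc=1
        else
            echo "$key: ok ($path)"
        fi
    done
    return $rc
}

# Stand-alone use: script.sh /path/to/unbound.conf [ta_days] [hints_days]
if [ "$#" -ge 1 ]; then
    check_unbound_freshness "$1" "${2:-30}" "${3:-180}"
fi
```

A non-zero exit status makes it usable from cron or a monitoring check; pick thresholds that match how often the files are expected to change on the system in question.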