On pfSense 2.2.6, I switched from dnsmasq to unbound.
Resolver/unbound is configured for DNSSEC (i.e., no forwarding) and has about
150 overrides to function as our internal/split DNS (with 5 domain overrides
for internal/private-address reverse lookups). The "Network Interfaces"
setting has only the LANs selected and the "Outgoing Interfaces" setting has
only the WAN interface selected. There are no DNS servers configured via
"General Setup". With this setup, I understand that unbound is using multiple
root servers instead of a small number of caching servers.
All internal systems are configured to use only pfSense as the DNS. DNS
resolution works fine.
With dnsmasq, the number of filter states was typically around 125, but with
unbound it's now typically around 450, where nearly all the states are
(pfSense's) port 53/DNS connections. In addition, the 1-day RRD graph shows the
number of filter states escalating overall from about 200 to over 600.
QUESTIONS:
---
Is it normal to have this kind of increase in the number of UDP DNS-port states
when moving to unbound with this kind of configuration?
Is it normal to have the number of UDP DNS-port states continuously escalate
and triple over a 1-day period?
Can anyone suggest something I may have configured incorrectly?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
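To tell whether the extra port-53 states are client queries arriving at the resolver or unbound's own queries going out to authoritative servers, it helps to classify the output of pfctl -ss by direction. The script below is an added example, not part of the original post or of pfSense: it feeds a constructed sample of pfctl -ss output (the addresses, ports and state counts are made up for illustration) through an awk classifier that counts client-to-resolver states (far end talking to the firewall's port 53, shown with a "<-" arrow) separately from resolver-to-upstream states (firewall talking to a remote port 53, shown with a "->" arrow), and lists how many states each upstream server accounts for. On a real firewall you would replace the sample with the live output, e.g. pfctl -ss | dns_state_summary.

```sh
#!/bin/sh
# Constructed sample of `pfctl -ss` output (made-up addresses, not real data):
# three client queries arriving at the LAN resolver address, five queries from
# the firewall's WAN address out to authoritative servers, and two non-DNS states.
SAMPLE_STATES='all udp 192.168.1.1:53 <- 192.168.1.20:53412       MULTIPLE:MULTIPLE
all udp 192.168.1.1:53 <- 192.168.1.21:41007       MULTIPLE:MULTIPLE
all udp 192.168.1.1:53 <- 192.168.2.5:60113        SINGLE:NO_TRAFFIC
all udp 203.0.113.10:49231 -> 198.41.0.4:53        SINGLE:NO_TRAFFIC
all udp 203.0.113.10:49232 -> 199.9.14.201:53      SINGLE:NO_TRAFFIC
all udp 203.0.113.10:49233 -> 192.5.5.241:53       MULTIPLE:SINGLE
all udp 203.0.113.10:49234 -> 198.41.0.4:53        SINGLE:NO_TRAFFIC
all tcp 203.0.113.10:49235 -> 198.41.0.4:53        ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:50222 -> 93.184.216.34:443    ESTABLISHED:ESTABLISHED
all udp 192.168.1.21:123 -> 203.0.113.1:123        MULTIPLE:MULTIPLE'

# Read `pfctl -ss` lines on stdin and print a summary, one key per line:
#   client_to_resolver N      states where a client is talking to the firewall's port 53
#   resolver_to_upstream N    states where the firewall is talking to a remote port 53
#   upstream <addr> N         per-server breakdown of the outbound DNS states
# Field layout assumed: <iface> <proto> <fw-side endpoint> <arrow> <far endpoint> <state>
dns_state_summary() {
    awk '
    # Split "host:port" on the last colon so bracketed IPv6 endpoints survive.
    function host(ep, n, parts) { n = split(ep, parts, ":"); return substr(ep, 1, length(ep) - length(parts[n]) - 1) }
    function port(ep, n, parts) { n = split(ep, parts, ":"); return parts[n] }
    $2 == "udp" || $2 == "tcp" {
        if ($4 == "<-" && port($3) == "53") {
            inbound++                          # a client querying the firewall resolver
        } else if ($4 == "->" && port($5) == "53") {
            outbound++                         # the resolver querying an upstream server
            upstream[host($5)]++
        }
    }
    END {
        printf "client_to_resolver %d\n", inbound
        printf "resolver_to_upstream %d\n", outbound
        for (ip in upstream) printf "upstream %s %d\n", ip, upstream[ip]
    }'
}

# Convenience wrapper: print just the count for one summary key, e.g.
#   pfctl -ss | dns_state_count resolver_to_upstream
dns_state_count() {
    dns_state_summary | awk -v key="$1" '$1 == key { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATES" | dns_state_summary
```

A recursive resolver that walks from the root servers contacts a different set of authoritative servers for each zone it resolves, while a forwarder talks only to its few configured upstreams, so the resolver_to_upstream count is the one to watch when comparing the two setups; each UDP query also leaves its own state behind until the UDP state timeout expires, which is why the count reflects recent query volume rather than concurrent queries.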