Example unbound.conf

By: Jacob Taylor

I'm going to drop this here for anybody else that might find it useful. It's a bit overkill as far as caching goes (the cache is likely huge for the relative use), but it works extremely well.

I presently have Charter as my ISP, and their network hardware is so bad that if you try to open more than 20 or so connections simultaneously, the router/modem chokes out. This results in a massive number of DNS lookup failures (and connection timeouts) even when using, say, Google's DNS servers. With the number of tracking scripts, images, and other resources on webpages these days, it mostly just doesn't work. Every page you view has probably partially failed in some way. So, as part of my stop-gap measure, I cache DNS. Here's how.

Short explanation: It has decently large caches for the different parts of DNS lookups and responses, and when a record is nearing expiration it preemptively looks it up again (that way your local cache is hopefully always fresh and giving you sub-millisecond responses). It will listen on all interfaces (IPv4 and IPv6) for local network requests (in my case, 192.168.*). And some hardening stuff that I'm sure is useless on a local network, but I figured why the heck not.

Any recommendations? More or less cache, and of what kinds? Any other tunables I should know about? Otherwise, hopefully this helps someone. ♥

```
# this particular unbound.conf configured by Aranjedeath
# must be used with libevent compiled unbound.
server:
    # This is distributed with most packages, location may vary (probably not).
    # required for dnssec validation.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # caveat: most distributions do not give this file out. must be downloaded manually
    # and then renamed. https://www.iana.org/domains/root/files
    # (lookup) performance increase.
    root-hints: "/var/lib/unbound/root.hints"
    num-threads: 2
    msg-cache-size: 32m
    msg-cache-slabs: 8
    rrset-cache-size: 64m
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    key-cache-size: 16m
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    prefetch-key: yes
    prefetch: yes
    outgoing-range: 8192
    num-queries-per-thread: 4096
    do-udp: yes
    do-ip6: yes
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow
    #allows access for peers coming from inside hyperboria
    access-control: fc00::/8 allow
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: 203.0.113.0/24
    private-address: 198.51.100.0/24
    private-address: 198.18.0.0/15
    private-address: 192.0.2.0/24
    private-address: 100.64.0.0/10
    private-address: 192.0.0.0/29
    private-address: 240.0.0.0/4
    private-address: ::ffff:0:0/96
    private-address: 2001:10::/28
    private-address: 2001:db8::/32
    #for hypenet
    private-address: fe80::/10
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 8.8.4.4
```
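Two things worth checking in a config that listens on every interface like this one, written here as an added example (not from the post and not unbound's own tooling; the function names, `LOCAL_SCOPES` and the constructed excerpt are my own): that no `access-control ... allow` entry reaches outside local address space, and that every allowed client range also appears under `private-address`, which is the setting that makes unbound drop upstream answers pointing back into the LAN.

```python
import ipaddress
import re

# Constructed excerpt of the post's unbound.conf (only the lines these checks read).
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow
    access-control: fc00::/8 allow
    private-address: 192.168.0.0/16
    private-address: fe80::/10
forward-zone:
    name: "."
"""
# Client ranges a LAN-only cache is expected to serve: RFC 1918, loopback, ULA, link-local.
LOCAL_SCOPES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

def parse_options(text):
    """Return (key, value) pairs for every 'key: value' line, '#' comments stripped."""
    opts = []
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.+?)\s*$", line.split("#", 1)[0])
        if m:
            opts.append((m.group(1), m.group(2).strip('"')))
    return opts

def allowed_networks(opts):
    """Networks whose access-control action is allow or allow_snoop."""
    return [ipaddress.ip_network(v.split()[0], strict=False)
            for k, v in opts if k == "access-control" and v.split()[1].startswith("allow")]

def covered(net, scopes):
    """True when net lies inside one of scopes (same IP version only)."""
    return any(net.version == s.version and net.subnet_of(s) for s in scopes)

def open_resolver_findings(opts):
    """Allowed ranges outside local scope: with interface 0.0.0.0 / ::0, such an entry
    is what would turn this LAN cache into an open resolver reachable from the internet."""
    return [str(n) for n in allowed_networks(opts) if not covered(n, LOCAL_SCOPES)]

def rebinding_gaps(opts):
    """Allowed client ranges missing from private-address, so upstream answers that
    point into them are not filtered (the rebinding protection private-address gives)."""
    private = [ipaddress.ip_network(v, strict=False) for k, v in opts if k == "private-address"]
    return [str(n) for n in allowed_networks(opts) if not n.is_loopback and not covered(n, private)]
```

Run against the post's full config the first check comes back empty; the second reports `fc00::/8`, since the hyperboria range is allowed as a client but not listed under `private-address`.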

Caveat: This runs on Ubuntu, so if you're running another OS your trust anchor file is likely to be elsewhere. Otherwise, it should just work™.

Note: The writing at the top has not been modified after publishing, but the configuration does get updated occasionally.