NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License
3.11k stars 357 forks source link

Unbound cache question because I'm confused #1066

Closed Aura67 closed 5 months ago

Aura67 commented 5 months ago

Hello, I installed unbound 1.20.0 when it came out only then I noticed that the feature was activated with unbound from the apt source so I sat down and entered: ./configure --disable-flto --enable- subnet --enable-cachedb the feature is also activated only now the question is where does pihole now answer the DnS answers if they are already in the cache maybe you can give me the answer config from me by the way unbound now finds my root.hints without any problems.


server:
    # If no logfile is specified, syslog is used
    # logfile: "/etc/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/etc/unbound/root.hints"

   # Should additional section of secure message also be kept clean of
    # unsecure data. Useful to shield the users of this validator from
    # potential bogus data in the additional section. All unsigned data
    # in the additional section is removed from secure messages.
    val-clean-additional: yes

    # Do not show version information of Unbound - security aspect
    hide-identity: yes
    hide-version: yes

    # QNAME minimisation in strict mode. Do not fall-back to sending full
    # QNAME to potentially broken nameservers. A lot of domains will not be
    # resolvable when this option in enabled.
    # This option only has effect when qname-minimisation is enabled.
    qname-minimisation-strict: no

    # send minimal amount of information to upstream servers to enhance privacy
    qname-minimisation: yes

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # The time to live for bogus data, rrsets and messages. This avoids
    # some of the revalidation, until the time interval expires. in secs.
    val-bogus-ttl: 60

    # trust anchor signaling sends a RFC8145 key tag query after priming.
    trust-anchor-signaling: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # if yes, perform key lookups adjacent to normal lookups.
    prefetch-key: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
kkkgo commented 5 months ago

Although I don't know what you want to achieve, cachedb is used to interface with third-party cache systems like Redis. However, your configuration does not include options related to Redis. If you simply want to achieve caching effects, you do not need to recompile with --enable-cachedb.

wcawijngaards commented 5 months ago

I have edited the issue ticket to remove large font use. The ``` text ``` markup can denote literal content.