Unbound - Authoritative Recursive Caching DNS Server

Status
Not open for further replies.
Report 30 minutes with unbound with these options.
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 3600
cache-max-negative-ttl: 60
Here is result after 30 minutes:
Code:
total.num.queries=1053
total.num.queries_ip_ratelimited=0
total.num.cachehits=245
total.num.cachemiss=808
total.num.prefetch=43
total.num.zero_ttl=44
total.num.recursivereplies=808
Looks like a lot of providers like <30 minute TTL.. against general recommendations of 24 hours o_O
 
On Adblock, changed the adblock option from static to always_nxdomain. By this method, it is possible to improve adblock for wildcard domains, response time and further reducing memory consumption.
 
Looks like a lot of providers like
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 3600
This option achieves prefetch performance only.

TTL standard is maintained as recommended by unbound
Cache Min TTL: Time to live minimum for RRsets and messages in the cache. Default is 0. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. If the default is 0, there is no need to add to the unbound file.
Cache Max TTL: Time to live maximum for RRsets and messages in the cache. Default is 86400 seconds (1 day). When the internal TTL expires, the cache item has expired
 
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 3600
This option achieves prefetch performance only.

TTL standard is maintained as recommended by unbound
Cache Min TTL: Time to live minimum for RRsets and messages in the cache. Default is 0. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. If the default is 0, there is no need to add to the unbound file.
Cache Max TTL: Time to live maximum for RRsets and messages in the cache. Default is 86400 seconds (1 day). When the internal TTL expires, the cache item has expired
Ah! Missed that from Unbound. Makes sense to prevent security issues. I will leave current config as is (above settings) and continue testing.
 
Something else of note, it appears running Unbound alone is indeed secure (from tampering) - due to the usage of DNSSEC for the replies it will get from root servers, even if the destination domain doesn't support it, transport between Unbound and root does have a DNSSEC sig (if I understand correctly) with the intended destination IP:
"But it looks to me an adversary which can sit between my unbound server traffic and DNS roots can capture, record spoof my DNS queries

My desired setup: Pihole <--DNSoverTLS--> Unbound <--some transport security--> DNS root servers"

"You have transport security through the use of DNSSEC, which is enabled with the configuration used in the Pi-Hole documentation implementation of unbound. Even if an adversary can sit between your instance of unbound and the authoritative servers, they don't have the private key and can't properly sign the responses, so they would fail DNSSEC authentication checks and would fail as BOGUS.

https://nlnetlabs.nl/documentation/unbound/howto-anchor/"
So, the main downside of running Unbound as well...Unbound from DNS upstream, (hence its name) - is merely that the requests are readable (theoretically) in plaintext anywhere upstream. But, the answer we get cannot be manipulated from root to Unbound. Meaning all you should worry about is snooping (something my ISP will do regardless once I get the IP back from any DNS).

Am I understanding that bit correctly? Or would a site also need DNSSEC, for root - Unbound to remain untampered?
 
Has anyone considered the option of running Unbound on a secondary IP on the lan interface br0 (like Pixelserv) using port 53 and serving that as the LAN DHCP DNS 1 server? Then in unbound.conf create a stub zone for your local domain to forward to dnsmasq at 127.0.0.1:53 to maintain local hostname resolution.

If you don't already use Diversion, you can add the IP like this (replace with your own LAN subnet):
Code:
ifconfig br0:unbound 192.168.1.2 up

I haven't tested it yet, but it sounds good in my head. Use DNSFilter in Router mode to redirect any clients using other DNS IP addresses. Remember Router mode is originally meant to enforce the LAN DHCP DNS 1 server, but replaces it with the router IP if no LAN DHCP DNS 1 server is populated.

Maybe a good weekend test.
 
Small thing: it's kind of annoying not having the 5 total prompts in a row. Right now you answer 4 (Logging through ad-blocking), then you have to wait for ad block to download and install, and then you have to come back and answer the Firefox DoH prompt. Would be a bit more streamlined if the user could answer all 5 up front, hit enter, and return later with a fully functional Unbound setup.
 
Here are some changes to my unbound.conf to allow lookup of local hostnames via dnsmasq (these are only the changed lines):
Code:
server:

interface: 127.0.0.1@53535
interface: 192.168.1.2@53

private-domain: "home.lan"

domain-insecure: "home.lan"
domain-insecure: "1.168.192.in-addr.arpa"
local-zone: "168.192.in-addr.arpa." nodefault
local-zone: "router.asus.com." static
local-data: "router.asus.com. IN A 192.168.1.1"
local-data-ptr: "192.168.1.1 router.asus.com"

forward-zone:
        name: "home.lan"
        forward-addr: 127.0.0.1
forward-zone:
        name: "1.168.192.in-addr.arpa"
        forward-addr: 127.0.0.1
I'm only testing in isolation with unbound running without dnsmasq.conf changes yet and manual "nslookup myname.home.lan 192.168.1.2" commands from a Windows command prompt.

Next step would be to put 192.168.1.2 as LAN DHCP DNS 1 server and enable DNSFilter. Then I wouldn't need any dnsmasq integration changes, but I would probably still disable dnsmasq cache. I'm sure there are shortcomings, such as losing Diversion.

EDIT: Source for making this work for local hosts: https://kevinlocke.name/bits/2017/03/09/unbound-with-dnsmasq-on-openwrt/
 
The downside is ensuring that the extra IP is available soon enough to be served as DHCP DNS server to the client. Maybe piggybacking on the Pixelserv IP is a bad idea since it might get shutdown if Diversion is disabled manually. And with DNSFilter enabled, there is no forgiveness in case the IP is not ready (or if the USB is removed at boot), so I will leave that disabled for now.

But so far so good.
 
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 3600
This option achieves prefetch performance only.

TTL standard is maintained as recommended by unbound
Cache Min TTL: Time to live minimum for RRsets and messages in the cache. Default is 0. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. If the default is 0, there is no need to add to the unbound file.
Cache Max TTL: Time to live maximum for RRsets and messages in the cache. Default is 86400 seconds (1 day). When the internal TTL expires, the cache item has expired
Getting great results with this so far:
Code:
uptime: 0 Days, 07:27:11
total.num.queries=9342
total.num.queries_ip_ratelimited=0
total.num.cachehits=5558
total.num.cachemiss=3784
total.num.prefetch=2194
total.num.zero_ttl=2350
total.num.recursivereplies=3784
Ton of providers definitely using a very low TTL (<3600 seconds or 1 hr), absolutely no issues so far. Also in my network, I have a NAS running Docker with an almost constant connection to an API.
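An added example (not part of any post in this thread) that breaks the two posted stats snapshots down into fresh and expired cache answers. It relies on `total.num.zero_ttl` counting replies served from an expired cache entry, and assumes those replies are also counted in `total.num.cachehits`; the function names are made up for illustration.

```python
# Counters copied from the two stats snapshots posted in this thread.
SNAPSHOT_30_MIN = """\
total.num.queries=1053
total.num.cachehits=245
total.num.cachemiss=808
total.num.prefetch=43
total.num.zero_ttl=44
"""
SNAPSHOT_7_HOURS = """\
uptime: 0 Days, 07:27:11
total.num.queries=9342
total.num.cachehits=5558
total.num.cachemiss=3784
total.num.prefetch=2194
total.num.zero_ttl=2350
"""


def parse_stats(text):
    """Return {counter: int} for each 'name=value' line; ignore other lines."""
    counters = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and value.strip().isdigit():
            counters[name.strip()] = int(value)
    return counters


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is zero."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def cache_report(text):
    """Split cache hits into fresh and expired (zero-TTL) answers."""
    c = parse_stats(text)
    queries = c.get("total.num.queries", 0)
    hits = c.get("total.num.cachehits", 0)
    misses = c.get("total.num.cachemiss", 0)
    stale = c.get("total.num.zero_ttl", 0)  # assumed to be a subset of hits
    return {
        "consistent": hits + misses == queries and stale <= hits,
        "hit_pct": pct(hits, queries),
        "fresh_hit_pct": pct(hits - stale, queries),
        "stale_pct_of_hits": pct(stale, hits),
        "stale_pct_of_queries": pct(stale, queries),
    }


if __name__ == "__main__":
    for label, snap in (("30 min", SNAPSHOT_30_MIN), ("7 h 27 min", SNAPSHOT_7_HOURS)):
        print(label, cache_report(snap))
```

Under those assumptions, roughly 42% of the cache hits in the 7-hour snapshot were expired entries answered under `serve-expired`, which is the share of answers that depends on the stale-data settings debated in this thread.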
 
Also holy **** even with 97% RAM used, AI protect (all features enabled), 2 OVPN servers, Unbound, Skynet, Diversion, Pixelserv-TLS, UIScribe, etc. I still see unhindered gigabit performance. My network is only really rated for 960 Mbps technically! This was uncached

Code:
free -m
             total       used       free     shared    buffers     cached
Mem:        903572     867812      35760       1924      89148     243760
-/+ buffers/cache:     534904     368668
Swap:      2097148       1792    2095356

No issues with swap either, Linux RAM management FTW! Performance is just staggering for a consumer router, literally at the limit of CAT5e :eek: Can't wait to see what's in store next :D
 
Heads up btw:
Code:
 serve-expired-ttl-reset: <yes or no>
         Set the TTL of expired records to the serve-expired-ttl value
         after a failed attempt to retrieve the record from upstream.
         This makes sure that the expired records will be served as long
         as there are queries for it. Default is "no".
That does not necessarily sound like a good thing when I read it literally..
after a failed attempt to retrieve the record from upstream. This makes sure that the expired records will be served as long as there are queries for it
(forever potentially)
 
Heads up btw:
Code:
 serve-expired-ttl-reset: <yes or no>
         Set the TTL of expired records to the serve-expired-ttl value
         after a failed attempt to retrieve the record from upstream.
         This makes sure that the expired records will be served as long
         as there are queries for it. Default is "no".
That does not necessarily sound like a good thing when I read it literally..
(forever potentially)
Rest assured, 3600 is a safe value. It was well calculated. This reason of caution and concern for safety.
 
This is the part I am not understanding I think:
"after a failed attempt to retrieve the record from upstream."
If it fails to retrieve it upstream?

"This makes sure that the expired records will be served as long as there are queries for it"
This makes it sound permanent if always requested - always a TTL expired cached response. - not sure if it means until Unbound's set TTL value though?
It may just be me though, lol - but I was seeing over 2k expired TTLs in my cache.
 
This makes it sound permanent if always requested - always a TTL expired cached response. - not sure if it means until Unbound's set TTL value though?
It may just be me though, lol - but I was seeing over 2k expired TTLs in my cache.
It is a concern that you desired when you chose high values. No risk will come with 3600 seconds. Within an hour, the cache will expire and will require new recursion. Safe, functional and performance.
 
It is a concern that you desired when you chose high values. No risk will come with 3600 seconds. Within an hour, the cache will expire and will require new recursion. Safe, functional and performance. The same I recommend for its addition of large adblock lists with excessive memory values.

I had it set to 3600 when I got that high TTL though.. I am trying to say that option may bypass that timeout if set to yes, if I read its English correctly. In any case we can only test [emoji106]
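A simplified model of the man-page text quoted above, added here as an example (it is not Unbound's code and not from any poster), comparing `serve-expired-ttl-reset` off and on during an upstream outage. The 300 s record TTL, the 30-minute query interval and all names are constructed; 3600 is the thread's `serve-expired-ttl`, and the model assumes an expired answer still inside its window is served while the refresh is attempted.

```python
RECORD_TTL = 300          # constructed: TTL the domain owner published
SERVE_EXPIRED_TTL = 3600  # value used in this thread


def simulate(record_ttl, serve_expired_ttl, ttl_reset, queries):
    """Model one record cached at t=0.

    queries: (time_s, upstream_ok) pairs in time order.
    Returns one outcome per query: 'fresh', 'stale' or 'servfail'.
    """
    expires_at = record_ttl
    stale_until = expires_at + serve_expired_ttl
    outcomes = []
    for now, upstream_ok in queries:
        if now < expires_at:
            outcomes.append("fresh")
            continue
        in_window = now <= stale_until
        if upstream_ok:
            # Refresh succeeds: the record is replaced and both timers restart.
            outcomes.append("stale" if in_window else "fresh")
            expires_at = now + record_ttl
            stale_until = expires_at + serve_expired_ttl
        else:
            outcomes.append("stale" if in_window else "servfail")
            # Man page: after a failed attempt, set the expired record's TTL
            # back to serve-expired-ttl. Simplification: a record already
            # outside its window is treated as gone and is not revived.
            if in_window and ttl_reset:
                stale_until = now + serve_expired_ttl
    return outcomes


def outage_scenario(ttl_reset, recover=False):
    """Client asks every 30 minutes for 6 hours while upstream is down."""
    queries = [(t, False) for t in range(0, 21601, 1800)]
    if recover:
        queries += [(23400, True), (23500, True)]  # upstream back
    return simulate(RECORD_TTL, SERVE_EXPIRED_TTL, ttl_reset, queries)


if __name__ == "__main__":
    print("reset no :", outage_scenario(False))
    print("reset yes:", outage_scenario(True))
```

In this model the stale answer keeps being served only while upstream keeps failing and queries arrive less than `serve-expired-ttl` apart; the first successful refresh replaces the record.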
 
Also holy **** even with 97% RAM used, AI protect (all features enabled), 2 OVPN servers, Unbound, Skynet, Diversion, Pixelserv-TLS, UIScribe, etc. I still see unhindered gigabit performance. My network is only really rated for 960 Mbps technically! This was uncached

Code:
free -m
             total       used       free     shared    buffers     cached
Mem:        903572     867812      35760       1924      89148     243760
-/+ buffers/cache:     534904     368668
Swap:      2097148       1792    2095356

No issues with swap either, Linux RAM management FTW! Performance is just staggering for a consumer router, literally at the limit of CAT5e :eek: Can't wait to see what's in store next :D
My speeds are blazing fast as well. I am normally only able to hit 800Mbps, with this setup I am hitting 1Gbps as well. OMG! :D:D:D:D:D:D:D:D:eek::eek::eek::eek::eek::eek: and I am not using nearly as much RAM or CPU to run this with Skynet, Unbound, Diversion
 
My speeds are blazing fast as well. I am normally only able to hit 800Mbps, with this setup I am hitting 1Gbps as well. OMG! :D:D:D:D:D:D:D:D:eek::eek::eek::eek::eek::eek: and I am not using nearly as much RAM or CPU to run this with Skynet, Unbound, Diversion
I was noticing most of it was buffer / disk cache as Linux does. Lol but reboot clears it back to about 76% for a while, but over time it grows!

And seriously, just insanity how fast we're getting :D:D
 