Unbound configuration for DNSBL service

We have a few SpamAssassin servers that are connected to a local DNS server that runs Unbound. The purpose of this is to cache some of the queries that we make toward services such as Spamhaus, URIBL and the like from SpamAssassin, because we often quickly reach the free quota usage.

We started a partnership with SpamHaus with a custom key and we are averaging at 8M queries per day, which is a lot.

One problem I'm having is that I'm not 100% sure our Unbound configuration is optimized for our usage, and I'm hoping to have some help from you on setting the proper configuration.

Here's our current unbound.conf.d/service.conf file:

server:
    verbosity: 1
    use-syslog: yes
    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes

    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    interface: 0.0.0.0
    interface: ::0

    # Allow local machine
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow

    # Disallow everything else
    access-control: 0.0.0.0/0 refuse

    # use all CPUs
    num-threads: 2

    # power of 2 close to num-threads
    msg-cache-slabs: 16
    rrset-cache-slabs: 16
    infra-cache-slabs: 16
    key-cache-slabs: 16

    # Read the root hints from this file
    root-hints: "/var/lib/unbound/root.hints"

    harden-referral-path: no
    use-caps-for-id: no
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: no

    # the time to live (TTL) value lower bound, in seconds. Default 0.
    # If more than an hour could easily give trouble due to stale data.
    # WARNING : against protocol rule but efficient against stupidly too low TTLs
    cache-min-ttl: 1800 # 30 minutes

    # the time to live (TTL) value cap for RRsets and messages in the
    # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 3600 # 60 minutes

    prefetch: yes

    # If nonzero, unwanted replies are not only reported in statistics, but also
    # a running total is kept per thread. If it reaches the threshold, a warning
    # is printed and a defensive action is taken, the cache is cleared to flush
    # potential poison out of it.  A suggested value is 10000000, the default is
    # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

    # Should additional section of secure message also be kept clean of unsecure
    # data. Useful to shield the users of this validator from potential bogus
    # data in the additional section. All unsigned data in the additional section
    # is removed from secure messages.
    val-clean-additional: yes

    # Log validation failures
    val-log-level: 2

    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8

    # Optimise
    # https://unbound.net/documentation/howto_optimise.html

    # Faster UDP with multithreading (only on Linux).
    so-reuseport: yes

    # Cache size
    rrset-cache-size: 100m
    msg-cache-size: 50m

    # DNSSEC management
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes


forward-zone:
    name: "."
    # OpenDNS
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
    forward-addr: 2620:119:35::35
    forward-addr: 2620:119:53::53

Is there anything we can do to optimize our DNS queries?

Thanks in advance!
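As an added example, not from the post, here is a small Python script that parses `unbound-control stats_noreset` output and checks the counters against the limits in the posted service.conf: the cache hit ratio, how full the 100m rrset and 50m message caches are, and how close `unwanted.replies` is to the 10000 flush threshold. The sample statistics are constructed, and the 0.8 hit-ratio and 95% fill thresholds are assumed values, not Unbound defaults.

```python
import re

# Constructed sample of `unbound-control stats_noreset` output (not real data).
SAMPLE_STATS = """\
thread0.num.queries=4102233
thread0.num.cachehits=3691009
thread0.num.cachemiss=411224
thread1.num.queries=3897767
thread1.num.cachehits=3506990
thread1.num.cachemiss=390777
total.num.queries=8000000
total.num.cachehits=7197999
total.num.cachemiss=802001
total.num.prefetch=120533
total.requestlist.avg=3.5
total.recursion.time.avg=0.041
mem.cache.rrset=104857600
mem.cache.message=12582912
unwanted.queries=0
unwanted.replies=9800
"""

# Limits taken from the posted service.conf (Unbound's "m" suffix is 1024*1024).
RRSET_CACHE_BYTES = 100 * 1024 * 1024   # rrset-cache-size: 100m
MSG_CACHE_BYTES = 50 * 1024 * 1024      # msg-cache-size: 50m
UNWANTED_THRESHOLD = 10000              # unwanted-reply-threshold: 10000
MIN_HIT_RATIO = 0.8                     # assumed target, tune to your quota
FULL_FRACTION = 0.95                    # assumed "cache is full" level

def parse_stats(text):
    """Turn 'key=value' lines into a dict of floats; ignores anything else."""
    stats = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([\w.]+)=(-?[\d.]+)", line.strip())
        if m:
            stats[m.group(1)] = float(m.group(2))
    return stats

def cache_hit_ratio(stats):
    """Fraction of all queries answered from cache (0.0 when no queries)."""
    total = stats.get("total.num.queries", 0.0)
    return stats.get("total.num.cachehits", 0.0) / total if total else 0.0

def check_health(stats):
    """Return a list of findings; an empty list means nothing to act on."""
    findings = []
    ratio = cache_hit_ratio(stats)
    if ratio < MIN_HIT_RATIO:
        findings.append(f"low cache hit ratio {ratio:.1%}: most queries go upstream")
    if stats.get("mem.cache.rrset", 0.0) / RRSET_CACHE_BYTES >= FULL_FRACTION:
        findings.append("rrset cache at capacity: entries are being evicted early")
    if stats.get("mem.cache.message", 0.0) / MSG_CACHE_BYTES >= FULL_FRACTION:
        findings.append("message cache at capacity: entries are being evicted early")
    if stats.get("unwanted.replies", 0.0) >= 0.9 * UNWANTED_THRESHOLD:
        findings.append("unwanted replies near threshold: cache flush imminent, check for spoofing")
    return findings

if __name__ == "__main__":
    for f in check_health(parse_stats(SAMPLE_STATS)):
        print("WARN:", f)
```

Read the counters with `stats_noreset` so they keep accumulating; plain `unbound-control stats` zeroes them after each read.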
