<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
I am unskilled at DNS. I have just enough knowledge to be annoying.<br>
<br>
I've been running Unbound as rDNS for years on a home server to get
better performance, DNSSEC and DoTLS 1.3 using 1.1.1.1<br>
<br>
This has worked great. Moving to 1.10.0 was uneventful.<br>
<br>
Until... I set the serve-expired stuff to the draft-ietf
recommendations. Specifically, if I set
serve-expired-client-timeout: to any value other than 0 (i.e. enable
it), then after about 5 minutes things stop resolving.<br>
<br>
I get a strange issue that appears. "Number of queries dropped due
to lack of space" shows EVERY query is dropped. This is very odd as
my request list is near empty. This starts about 5-10 minutes after
starting Unbound.<br>
<br>
I do have a weird config for sure, though. I am compiling with
--with-libevent --without-pthreads --without-solaris-threads; my
conf is below.<br>
<br>
<img
src="http://10.1.1.7:93/munin/XtremeBSD/XtremeBSD/unbound_munin_queue-day.png"
alt="daily graph" class="i" width="497" height="311"><br>
<br>
<br>
unbound.conf:<br>
<br>
server:<br>
val-log-level: 1<br>
use-syslog: yes<br>
verbosity: 0<br>
access-control: 10.0.0.0/8 allow<br>
access-control: 192.168.88.0/24 allow<br>
access-control: 127.0.0.0/8 allow<br>
tls-session-ticket-keys: yes<br>
aggressive-nsec: yes<br>
cache-max-ttl: 7200<br>
cache-min-ttl: 360<br>
do-ip4: yes<br>
do-ip6: no<br>
do-tcp: yes<br>
harden-below-nxdomain: yes<br>
harden-glue: yes<br>
harden-referral-path: yes<br>
harden-large-queries: yes<br>
harden-dnssec-stripped: yes<br>
harden-short-bufsize: yes<br>
harden-algo-downgrade: yes<br>
target-fetch-policy: "4 3 2 1 0"<br>
hide-identity: yes<br>
hide-version: yes<br>
hide-trustanchor: yes<br>
root-hints: "/usr/local/etc/unbound/root.hints"<br>
interface: 10.1.1.7<br>
interface: 10.1.1.8<br>
interface: 10.1.1.6<br>
interface: 10.1.1.11<br>
interface: 192.168.88.50<br>
interface: 192.168.88.51<br>
outgoing-interface: 192.168.88.50<br>
outgoing-interface: 192.168.88.51<br>
outgoing-port-permit: 25000-45000<br>
outgoing-num-tcp: 100<br>
incoming-num-tcp: 30<br>
minimal-responses: yes<br>
num-threads: 6<br>
outgoing-range: 4096<br>
num-queries-per-thread: 2048<br>
pidfile: "/var/run/unbound.pid"<br>
port: 53<br>
prefetch: yes<br>
prefetch-key: yes<br>
rrset-roundrobin: yes<br>
so-reuseport: yes<br>
tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"<br>
use-caps-for-id: yes<br>
statistics-cumulative: no<br>
extended-statistics: yes<br>
statistics-interval: 0<br>
private-address: 10.0.0.0/8<br>
private-address: 192.168.88.0/24<br>
val-clean-additional: yes<br>
<br>
include: /etc/unbound/dnsbl1.conf<br>
<br>
serve-expired: yes<br>
serve-expired-ttl: 259200<br>
serve-expired-ttl-reset: yes<br>
serve-expired-reply-ttl: 30<br>
# serve-expired-client-timeout: 1800<br>
<br>
# Speed tweaks<br>
msg-cache-slabs: 1<br>
rrset-cache-slabs: 1<br>
infra-cache-slabs: 1<br>
key-cache-slabs: 1<br>
rrset-cache-size: 100m<br>
msg-cache-size: 50m<br>
so-rcvbuf: 4m<br>
so-sndbuf: 4m<br>
<br>
remote-control:<br>
control-enable: yes<br>
control-interface: 0.0.0.0<br>
control-use-cert: no<br>
<br>
forward-zone:<br>
name: "."<br>
<br>
#Secure DNS over TLS<br>
<br>
forward-tls-upstream: yes<br>
forward-addr: 1.1.1.1@853 #Cloudflare<br>
forward-addr: 1.0.0.1@853 #Cloudflare<br>
# forward-addr: 8.8.8.8@853 #Google<br>
# forward-addr: 8.8.4.4@853 #Google<br>
# forward-addr: 9.9.9.9@853 # quad9.net<br>
# forward-addr: 149.112.112.112@853 # quad9.net<br>
<br>
<br>
<br>
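Added example, not part of the post above and not Unbound's own code: the munin
"Number of queries dropped due to lack of space" line comes from the
<code>requestlist.exceeded</code> counter that <code>unbound-control stats_noreset</code>
prints, so the symptom can be checked from the command line without the graph.
The script below parses that key=value output, computes what share of all queries
was dropped for lack of request-list space, and flags the pattern described above
(nearly every query dropped while the request list is near empty). The two stat
dumps embedded in it are constructed sample values, not real output from the
poster's server; the 90% and "at most one entry" thresholds are assumptions.<br>
<br>
```shell
#!/bin/sh
# Added example, not from the original post: read the counters behind munin's
# "Number of queries dropped due to lack of space" line from the output of
# `unbound-control stats_noreset` and flag the pattern described in the post
# (nearly all queries dropped while the request list is near empty).
# The two stat dumps below are CONSTRUCTED for offline use; in practice feed
# the real output, e.g.  diagnose "$(unbound-control stats_noreset)"

# Constructed: what the reported symptom looks like (assumed values)
STARVED_STATS='thread0.num.queries=1523
thread0.requestlist.exceeded=1498
thread0.requestlist.current.all=0
total.num.queries=1523
total.requestlist.avg=0.25
total.requestlist.max=3
total.requestlist.overwritten=0
total.requestlist.exceeded=1498
total.requestlist.current.all=0
total.requestlist.current.user=0
time.up=620.0'

# Constructed: a healthy resolver (assumed values)
HEALTHY_STATS='total.num.queries=1523
total.requestlist.avg=1.5
total.requestlist.max=12
total.requestlist.overwritten=0
total.requestlist.exceeded=0
total.requestlist.current.all=2
total.requestlist.current.user=2
time.up=620.0'

# stat_value NAME STATS: print the value of NAME from key=value lines, or 0 if absent
stat_value() {
    printf '%s\n' "$2" | awk -F= -v k="$1" \
        '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

# drop_ratio STATS: integer percentage of all queries dropped for lack of
# request-list space (total.requestlist.exceeded / total.num.queries)
drop_ratio() {
    queries=$(stat_value total.num.queries "$1")
    exceeded=$(stat_value total.requestlist.exceeded "$1")
    [ "$queries" -gt 0 ] || { echo 0; return 0; }
    echo $(( exceeded * 100 / queries ))
}

# diagnose STATS: STARVED when at least 90% of queries were dropped although
# the request list currently holds at most one entry, otherwise OK
# (both thresholds are assumptions chosen to match the symptom in the post)
diagnose() {
    ratio=$(drop_ratio "$1")
    current=$(stat_value total.requestlist.current.all "$1")
    if [ "$ratio" -ge 90 ] && [ "$current" -le 1 ]; then
        echo STARVED
    else
        echo OK
    fi
}

# Stand-alone run: report on both constructed dumps
for name in STARVED_STATS HEALTHY_STATS; do
    eval "stats=\$$name"
    printf '%s: %s%% dropped, verdict %s\n' \
        "$name" "$(drop_ratio "$stats")" "$(diagnose "$stats")"
done
```
<br>
On a live box, <code>unbound-control stats_noreset | grep requestlist</code> shows the
raw counters (the <code>_noreset</code> variant leaves the cumulative values alone so munin
still sees them), and <code>unbound-checkconf</code> validates a changed unbound.conf before
a reload.<br>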
</body>
</html>