Daisuke HIGASHI daisuke.higashi at gmail.com
Tue Oct 27 16:08:44 UTC 2015

  Unbound and many modern DNS cache servers do
negative caching and respect the negative cache TTL.
But the caching won't work well in some circumstances:

1. The cache size (msg-cache-size, rrset-cache-size) of
   heavily-loaded Unbound should be increased.
   Unbound's default cache size (4 megabytes) is
   too small for such a busy (17kqps) DNS cache server.

   If a busy cache server is running with insufficient cache memory,
   cache entries are deleted and overwritten by newer entries very quickly.

2. Negative responses of a certain format won't be cached,
   e.g. an NXDOMAIN response which contains no SOA record
   in its authority section.

   If dnsbl.spfbl.net's authoritative servers generate such a
   bad response (I can't confirm that, since the auth server is
   not reachable from me), ask the operator of the server to use decent software...

 Daisuke Higashi
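The second point above, checked in code: an added example (not from this post and not Unbound's own code) that parses a wire-format DNS reply and reports whether RFC 2308 negative caching can apply, i.e. whether an NXDOMAIN or NODATA reply carries an SOA in its authority section, and if so what negative TTL results. The domain names, serial and TTLs are constructed sample values.

```python
import struct

def _read_name(msg, off):
    """Return the offset just past a wire-format name; a compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:              # 2-byte pointer, nothing follows it
            return off + 2
        off += 1 + length

def _encode_name(name):
    """Dotted name -> uncompressed labels (helper for constructed sample data)."""
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def negative_cache_ttl(msg):
    """For an NXDOMAIN (RCODE 3) or NODATA (RCODE 0, no answers) reply, return the
    RFC 2308 negative TTL, min(SOA TTL, SOA MINIMUM), or None when the authority
    section has no SOA and the reply therefore cannot be negatively cached."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    if not (rcode == 3 or (rcode == 0 and an == 0)):
        return None                            # positive answer or other error
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off) + 4         # skip QTYPE + QCLASS
    for _ in range(an):
        off = _read_name(msg, off)
        off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
    for _ in range(ns):
        off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 6:                         # SOA: MNAME, RNAME, then 5 x uint32
            p = _read_name(msg, _read_name(msg, off))
            minimum = struct.unpack_from("!IIIII", msg, p)[4]
            return min(ttl, minimum)
        off += rdlen
    return None

def build_nxdomain(qname, with_soa):
    """Constructed NXDOMAIN reply (QR, RD, RA set; RCODE 3), with or without SOA."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 1 if with_soa else 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    if not with_soa:
        return header + question
    owner = struct.pack("!H", 0xC010)          # pointer to "dnsbl.example.net" in QNAME
    rdata = (_encode_name("ns1.example.net") + _encode_name("hostmaster.example.net")
             + struct.pack("!IIIII", 2015102701, 3600, 600, 86400, 300))
    return header + question + owner + struct.pack("!HHIH", 6, 1, 900, len(rdata)) + rdata
```

Running `negative_cache_ttl(build_nxdomain("foo.dnsbl.example.net", True))` gives 300 (the SOA MINIMUM, smaller than the RR TTL of 900); the same reply built without the SOA gives None.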
