daisuke.higashi at gmail.com
Tue Oct 27 16:08:44 UTC 2015
Unbound and many modern DNS cache servers do
negative caching and respect the negative cache TTL.
But the caching won't work well in some circumstances:
1. The cache size (msg-cache-size, rrset-cache-size) of a
heavily-loaded Unbound should be increased.
Unbound's default cache size (4 megabytes) is
too small for such a busy (17 kqps) DNS cache server.
If a busy cache server is running with insufficient cache memory,
cache entries are deleted and overwritten by newer entries very quickly.
2. Negative responses of a certain format won't be cached,
e.g. an NXDOMAIN response which contains no SOA record
in its authority section.
If dnsbl.spfbl.net's authoritative servers generate such
bad responses (I can't confirm that, since the auth server is
not reachable from me), ask the operator of the server to use decent software...
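As an added example (not code from the post above, nor from Unbound), a small pure-Python wire-format reader for the case in point 2: it walks a DNS reply's sections and reports whether an NXDOMAIN carries the SOA record in its authority section that RFC 2308 negative caching requires, and the negative TTL that would result. The example.net names, serial and timers are constructed sample data.

```python
import struct

def _read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2                     # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def check_negative_response(msg):
    """Return (rcode, soa_in_authority, negative_ttl) for a DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, soa_seen, neg_ttl = 12, False, None
    for _ in range(qd):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if an <= i < an + ns and rtype == 6:      # SOA in the authority section
            soa_seen = True
            p = _read_name(msg, off)[1]           # skip MNAME
            p = _read_name(msg, p)[1]             # skip RNAME
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]
            neg_ttl = min(ttl, minimum)           # RFC 2308 section 5
        off += rdlen
    return flags & 0xF, soa_seen, neg_ttl

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"

def build_nxdomain(qname, zone, with_soa):
    """Build a constructed NXDOMAIN reply, with or without the authority SOA."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, int(with_soa), 0)  # RCODE 3
    question = _name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    auth = b""
    if with_soa:
        zone_ptr = 12 + len(_name(qname)) - len(_name(zone))  # suffix of qname
        rdata = _name("ns1." + zone) + _name("hostmaster." + zone)
        rdata += struct.pack("!IIIII", 2015102701, 3600, 900, 604800, 300)
        auth = struct.pack("!HHHIH", 0xC000 | zone_ptr, 6, 1, 3600, len(rdata)) + rdata
    return hdr + question + auth
```

A reply for which the second element is False is the shape described in point 2: a resolver has no SOA to derive a negative TTL from, so the NXDOMAIN is answered but not cached.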