We are still actively working on the spam issue.
Difference between revisions of "Unbound"
m (→Performance) |
m (Changed formatting to comply with wiki standards.) |
||
| Line 1: | Line 1: | ||
[[File:Unbound.png|thumb]] | [[File:Unbound.png|thumb]] | ||
| + | '''Unbound''' is a validating, recursive, and caching DNS server. It is quite useful for enforcing DNSSEC and caching DNS queries. Best used in conjunction with [[DNSCrypt]]. | ||
| − | + | == Installation == | |
| − | + | === GNU/Linux === | |
| − | |||
| − | |||
| − | |||
| − | = Installation = | ||
| − | == GNU/Linux == | ||
Install it from your distro's repository, or download it from [https://www.unbound.net/downloads/unbound-latest.tar.gz here]. | Install it from your distro's repository, or download it from [https://www.unbound.net/downloads/unbound-latest.tar.gz here]. | ||
| − | == Windows == | + | === Windows === |
Windows children may download it from the [https://www.unbound.net/download.html official page]. | Windows children may download it from the [https://www.unbound.net/download.html official page]. | ||
| − | = What to expect = | + | == What to expect == |
There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences: | There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences: | ||
* Enforces DNSSEC; | * Enforces DNSSEC; | ||
| Line 20: | Line 16: | ||
* Hardens DNS queries. | * Hardens DNS queries. | ||
| − | = Configuration = | + | == Configuration == |
This is how a proper unbound.conf file ought to look like: [http://pastebin.com/raw.php?i=hXPPNdhP unbound.conf]. | This is how a proper unbound.conf file ought to look like: [http://pastebin.com/raw.php?i=hXPPNdhP unbound.conf]. | ||
| − | == General == | + | === General === |
<pre> | <pre> | ||
server: | server: | ||
| Line 38: | Line 34: | ||
</pre> | </pre> | ||
| − | == Performance == | + | === Performance === |
<pre> | <pre> | ||
# use all threads | # use all threads | ||
| Line 66: | Line 62: | ||
</pre> | </pre> | ||
| − | Note: If you have libevent, the outgoing-range can be increased to 4096 or 8192, for a slight performance gain. In which case, num-queries-threads should be <(outgoing-range/2)+50> to guarantee that every query can get a socket, and some to spare for queries-for-nameservers. | + | Note: If you have libevent, the outgoing-range can be increased to 4096 or 8192, for a slight performance gain. In which case, <code>num-queries-threads</code> should be <code><(outgoing-range/2)+50></code> to guarantee that every query can get a socket, and some to spare for queries-for-nameservers. |
| − | == Security == | + | === Security === |
<pre> | <pre> | ||
hide-identity: yes | hide-identity: yes | ||
| Line 83: | Line 79: | ||
</pre> | </pre> | ||
| − | == | + | === with DNSCrypt === |
<pre> | <pre> | ||
# this is necessary for the local host, in this case DNSCrypt, to be used to send queries | # this is necessary for the local host, in this case DNSCrypt, to be used to send queries | ||
| Line 93: | Line 89: | ||
</pre> | </pre> | ||
| − | = External links = | + | == External links == |
| − | [https://www.unbound.net Official site] | + | *[https://www.unbound.net Official site] |
| − | + | *[https://github.com/jedisct1/unbound Github project mirror] | |
| − | [https://github.com/jedisct1/unbound Github project mirror] | + | *[https://www.unbound.net/documentation/index.html Documentation] |
| − | |||
| − | [https://www.unbound.net/documentation/index.html Documentation] | ||
[[Category:Software]] | [[Category:Software]] | ||
Revision as of 05:10, 9 December 2015
Unbound is a validating, recursive, and caching DNS server. It is quite useful for enforcing DNSSEC and caching DNS queries. Best used in conjunction with DNSCrypt.
Contents
Installation
GNU/Linux
Install it from your distro's repository, or download it from here.
Windows
Windows children may download it from the official page.
What to expect
There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences:
- Enforces DNSSEC;
- Reduces privacy exposure by caching DNS queries;
- Consequentially, decreases DNS look up latency if the DNS query has already been cached;
- Hardens DNS queries.
Configuration
This is how a proper unbound.conf file ought to look like: unbound.conf.
General
server:
interface: 127.0.0.1
interface: ::1
verbosity: 1
port: 53
do-ip4: yes
do-ip6: <yes, if your ISP/router supports it>
do-udp: yes
do-tcp: yes
do-daemonize: yes
logfile: "<where you want your log files to be>"
Performance
# use all threads
num-threads: <number of threads>
# 2^{number_of_threads}
msg-cache-slabs: <same>
rrset-cache-slabs: <same>
infra-cache-slabs: <same>
key-cache-slabs: <same>
# more cache memory
rrset-cache-size: 100m
msg-cache-size: <rrset-cache-size/2>
# more outgoing connections
# depends on number of threads
outgoing-range: <(1024/threads)-50>
num-queries-per-thread: <(1024/threads)/2>
# Larger socket buffer
so-rcvbuf: 4m
so-sndbuf: 4m
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
Note: If you have libevent, the outgoing-range can be increased to 4096 or 8192, for a slight performance gain. In which case, num-queries-threads should be <(outgoing-range/2)+50> to guarantee that every query can get a socket, and some to spare for queries-for-nameservers.
Security
hide-identity: yes
hide-version: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: yes
# enables support for DNSSEC(!)
auto-trust-anchor-file: "<path to your root.key file>"
with DNSCrypt
# this is necessary for the local host, in this case DNSCrypt, to be used to send queries
do-not-query-localhost: no
forward-zone:
name: "."
# 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using
forward-addr: 127.0.0.1@40
