Misinformation about Quad9

Hi,

> The blog post on DNS also has an interesting conundrum with DNSSEC. That is, if we are forwarding to a DNSSEC provider, including Quad9, having Unbound do additional DNSSEC validation is wasted and slows down the process. pfSense and OPNsense have the ability to disable DNSSEC, and this comes in handy when using Unbound in forwarding mode with a DNSSEC and DoT provider, such as Quad9.

I absolutely disagree. Since you cannot rely on your DNS provider (let’s put it that way) for validating DNSSEC, turning the validation off renders the security you gain from DNSSEC void.

> In my experience, Quad9 is quite fast…when used with a properly tuned unbound that isn’t rigidly forced to use presets that aren’t optimal. For reference, my post on some optimization I have to use with IPFire to get decent performance: Unbound - custom configuration

Could we please keep this split so we can talk about possible Unbound configuration optimisations there, while we focus on Quad9 here?

> Finally, when I’ve installed IPFire fresh out of the box, it seems to run Unbound on a single thread vs spawning a thread for each processor core. I suspect that this single threaded nature and the aggressive connection closing may be at odds with each other. Perhaps something the IPFire devs can also validate more to see if this theory is correct?

This is correct and intentional, and was introduced with commit 0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5.

Thanks, and best regards,
Peter Müller
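For readers following the DNSSEC point above, here is an added illustration (not from this thread, not IPFire's or pfSense's shipped configuration) of an Unbound forwarding setup that sends queries to Quad9 over DoT while keeping local DNSSEC validation enabled, next to the setting the quoted post suggests turning off. The Quad9 address and TLS name are the publicly documented ones; the trust-anchor and CA bundle paths are assumptions and vary by distribution.

```conf
server:
    # Thread count is a local choice; the thread discussed above is
    # intentionally 1 on IPFire, other builds may set it per core.
    num-threads: 1

    # Keep the validator in the module chain. This is the local check
    # that makes DNSSEC meaningful even when upstream already validates:
    # a forged or tampered reply from the path to the forwarder is still
    # rejected here instead of being trusted because the upstream said so.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

    # The setting the quoted post proposes. "yes" would accept replies
    # that fail validation; leave it at "no" so bogus answers are dropped.
    val-permissive-mode: no

    # CA bundle used to authenticate the DoT upstream's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed path

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9 public resolver over TLS (port 853), authenticated by name.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After loading it, a query for a known-bogus test name should return SERVFAIL locally even though Quad9 also validates, which is the observable difference between "validation kept on" and "validation disabled".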