As Michael pointed out already, it does not make sense to tamper with TTLs as the zone operators set them on purpose. Serving expired data can cause unexpected behaviour which is undebuggable in most cases.
Hyperlocal (fetching root zone and similar ones) makes sense to me, but we have some users sitting behind internet connections with extremley low bandwith and would need to make this configurable.
For the reason I mentioned in my previous post: If the operator of a zone decides to set extremely low or high TTLs, he/she usually has a good reason to do so. A resolver should not interfere at this point.
Please read the current configuration carefully:
# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
You are free to include any Unbound configuration statements in that directory. Thanks for mentioning private-address, I will have a look at this.
I agree.
Well, from what I notice, the unbound project is modular, its configuration will depend on the operating environment. Any custom configuration can be negative. I learned a lot from your explanations.
Are you creating a custom .conf file in /etc/unbound/local.d/ with these custom options, or are you directly modifying unbound.conf for these customized settings?
I am using the following with a custom file in /etc/unbound/local.d/
I realize some of these settings may be redundant and/or not recommended by the IPFire developers but, I found the DNS over TLS very slow with the default settings out of the box in IPFire. In my case, IPFire was only using a single thread and the Unbound statistics showed very low cache hit rate. With these adjustments I’m seeing much higher cache hit rates and web surfing feels a lot faster.
Also one more note, I’m using Quad9 for my DNS over TLS provider. They seem very aggressive at closing the connection once the DNS lookup completes. With a single thread for Unbound, this means I was frequently running in to issues with DNS burst lookups, because the connection would be closed before the single thread could open a new connection back to Quad9. Adding 4 threads helps this quite a bit.
unfortunately, the DNS rebinding configuration cannot be enabled as a default for all IPFire installations, as it presumes resolved resources not to be located in internal networks. If somebody is using IPFire for segmenting his/her/its internal network, this will cause trouble.
Perhaps we could integrate this as an opt-in feature, but this would mean another switch at the DNS settings page, and we have too many there already (“less knobbiness”).
I am new to the IPFire project. A doubt: there is the main unbound file, but the change is not allowed. With the customized options in the local.d folder changes are possible. An example:
the prefetch: yes option is in the main file. If I add prefetch: no, will this value change?
Yes, it appears that any customization we set will over-ride the “default” options that are already listed in the unbound.conf file.
An example:
SSH as root to your IPFire host and create a file /etc/unbound/local.d/my_custom_settings.conf
Edit the file, and place the following inside: prefetch: no
Restart unbound to load the new settings: /etc/init.d/unbound restart
Run the following command to check if prefetch is now set to “no”: unbound-control get_option prefetch
You should see output like this: [root@ipfire local.d]# unbound-control get_option prefetch
`no`
This validates that the custom settings are being loaded on the service startup/restart. In this case, we can also verify that our custom setting overrides the “default” settings chosen for IPFire.
A word of caution, I test these on a LAB VM with IPFire first. I would not recommend doing this in production as you will disrupt DNS services briefly when stopping/starting Unbound.