If you are running unwind(8) on your laptop / workstation or unbound(8) for a small home network I'd be interested to know how often they talk to the root zone during a typical day.
Could you please add the following table and match rules to /etc/pf.conf:

table <rootdns> const { \
	198.41.0.4, 2001:503:ba3e::2:30, \
	199.9.14.201, 2001:500:200::b, \
	192.33.4.12, 2001:500:2::c, \
	199.7.91.13, 2001:500:2d::d, \
	192.203.230.10, 2001:500:a8::e, \
	192.5.5.241, 2001:500:2f::f, \
	192.112.36.4, 2001:500:12::d0d, \
	198.97.190.53, 2001:500:1::53, \
	192.36.148.17, 2001:7fe::53, \
	192.58.128.30, 2001:503:c27::2:30, \
	193.0.14.129, 2001:7fd::1, \
	199.7.83.42, 2001:500:9f::42, \
	202.12.27.33, 2001:dc3::35 }

match out proto {tcp} to <rootdns> port 53 label rootdns_tcp
match out proto {udp} to <rootdns> port 53 label rootdns_udp

Alternatively, this diff should apply to a default /etc/pf.conf:

diff --git pf.conf pf.conf
index ecf2183c210..9cb8d752f6f 100644
--- pf.conf
+++ pf.conf
@@ -2,8 +2,26 @@
 #
 # See pf.conf(5) and /etc/examples/pf.conf
+table <rootdns> const { \
+	198.41.0.4, 2001:503:ba3e::2:30, \
+	199.9.14.201, 2001:500:200::b, \
+	192.33.4.12, 2001:500:2::c, \
+	199.7.91.13, 2001:500:2d::d, \
+	192.203.230.10, 2001:500:a8::e, \
+	192.5.5.241, 2001:500:2f::f, \
+	192.112.36.4, 2001:500:12::d0d, \
+	198.97.190.53, 2001:500:1::53, \
+	192.36.148.17, 2001:7fe::53, \
+	192.58.128.30, 2001:503:c27::2:30, \
+	193.0.14.129, 2001:7fd::1, \
+	199.7.83.42, 2001:500:9f::42, \
+	202.12.27.33, 2001:dc3::35 }
+
 set skip on lo
+match out proto {tcp} to <rootdns> port 53 label rootdns_tcp
+match out proto {udp} to <rootdns> port 53 label rootdns_udp
+
 block return	# block stateless traffic
 pass		# establish keep-state

Then reload the ruleset and restart unwind:

# pfctl -f /etc/pf.conf
# rcctl restart unwind

You can now get stats on how often your machine talks to the root name servers:

# pfctl -s label
rootdns_tcp 2730 0 0 0 0 0 0 0
rootdns_udp 266 2 187 1 56 1 131 0

The columns are: label, evaluations, packets total, bytes total, packets in, bytes in, packets out, bytes out, state creations.

Please report the stats after a day of normal use, thanks.

------------------------------------------------------------------------

The point of this exercise is to work out if it's worthwhile to implement RFC 8806 "Running a Root Server Local to a Resolver" in unwind(8).

We are trading latency for bandwidth. Lower latency is almost always a win for unwind(8) use cases. But the work if we fetch the root zone is not trivial either. The zone usually gets updated twice a day and is about 1.2MB. Due to the timing parameters unwind(8) would check every 30 minutes with a SOA query if a new zone is available:

$ dig @k.root-servers.net +multiline +noall +answer . soa
.			86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
				2020090300 ; serial
				1800       ; refresh (30 minutes)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)

The code complexity should be manageable, all the bits and pieces are there in libunbound.

--
I'm not entirely sure you are real.
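Review bot: the pf.conf hunk hard-codes the root server addresses in `table <rootdns> const { ... }`, and the root hints do change over time, so a machine still running this ruleset after an address change would silently stop counting queries to that server and its reported numbers would no longer be comparable with others'. Consider stating the date or root hints version the list was taken from next to the table, or building the table from the resolver's current root hints, so everyone reporting stats counts the same set of servers.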
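As an added example (not from the mail or from unwind/unbound), a small POSIX sh script that sums the rootdns_* counters from `pfctl -s label` output and sets them against a rough daily byte budget for the RFC 8806 approach, using the 1800s refresh, the ~1.2MB zone and the two updates a day given above. The function names, the 200-byte size assumed for one SOA query/response exchange, the one-hour measurement window and the sample counter lines are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not part of the original mail. Sums the rootdns_* counters
# from `pfctl -s label` and compares them with a rough daily byte budget for
# an RFC 8806 local root zone (refresh 1800s, ~1.2MB zone, ~2 updates a day,
# as in the SOA record and the mail above). Values marked "assumed" are
# not measurements.

# Constructed sample of `pfctl -s label` output (the two lines quoted above).
SAMPLE_LABELS='rootdns_tcp 2730 0 0 0 0 0 0 0
rootdns_udp 266 2 187 1 56 1 131 0'

# Columns: label, evaluations, packets total, bytes total, packets in,
# bytes in, packets out, bytes out, state creations.
# Print "<packets> <bytes> <states>" summed over every rootdns_* label.
sum_rootdns() {
	pkts=0 bytes=0 states=0
	while read -r label _evals p b _pin _bin _pout _bout s; do
		case $label in
		rootdns_*) pkts=$((pkts + p)); bytes=$((bytes + b)); states=$((states + s)) ;;
		esac
	done <<EOF
$1
EOF
	echo "$pkts $bytes $states"
}

# Scale a byte count ($1) measured over $2 seconds to bytes per day.
bytes_per_day() {
	echo $(( $1 * 86400 / $2 ))
}

# Rough daily cost of RFC 8806: one SOA check per refresh interval plus the
# whole zone on every update. $1 = assumed bytes for one SOA exchange.
rfc8806_bytes_per_day() {
	soa_bytes=${1:-200}      # assumed, not measured
	refresh=1800             # from the SOA record above
	zone_bytes=1200000       # ~1.2MB zone, from the mail
	updates_per_day=2        # "updated twice a day", from the mail
	echo $(( 86400 / refresh * soa_bytes + updates_per_day * zone_bytes ))
}

set -- $(sum_rootdns "$SAMPLE_LABELS")
echo "measured: $1 packets, $2 bytes, $3 state creations to the root servers"
echo "projected per day (assuming a 1h sample): $(bytes_per_day "$2" 3600) bytes"
echo "RFC 8806 estimate per day: $(rfc8806_bytes_per_day 200) bytes"
```

Feed it real counters with `pfctl -s label | grep '^rootdns_'` and the actual number of seconds since the ruleset was loaded in place of the sample and the 3600.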