On Tue, 5 Sep 2023 07:46:53 +0200 (CEST) Hans Sandsdalen via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
> Hi
>
> Yesterday we lost connection to internet. I supposed that dns would be ok for
> our internal hosts. But unbound became very slow, sometimes did not respond
> at all. We use nsd and unbound.
>
> What can I do to prevent this in the future?
>
> /etc/unbound/unbound.conf.d/ contains three files:
> KSPT.conf qname-minimisation.conf root-auto-trust-anchor-file.conf
>
> KSPT.conf:
>
> server:
>     verbosity: 1
>     interface: 0.0.0.0
>     access-control: 192.168.0.0/16 allow
>     access-control: 10.0.0.0/8 allow
>     access-control: 127.0.0.0/8 allow
>     port: 53
>     do-ip4: yes
>     do-ip6: no
>     root-hints: "/etc/unbound/root.hints"
>     cache-min-ttl: 300
>     cache-max-ttl: 86400
>     prefetch: yes
>     num-threads: 1
>     minimal-responses: yes
>     prefetch: no
>     do-not-query-localhost: no
>     local-zone: "domain.no" nodefault
>     local-zone: "168.192.in-addr.arpa" nodefault
>     local-zone: "10.in-addr.arpa" nodefault
>     domain-insecure: "domain.no"
>     domain-insecure: "168.192.in-addr.arpa"
>     domain-insecure: "10.in-addr.arpa"
>     private-domain: "domain.no"
> stub-zone:
>     name: "168.192.in-addr.arpa."
>     stub-addr: 127.0.0.1@1053
> stub-zone:
>     name: "10.in-addr.arpa."
>     stub-addr: 127.0.0.1@1053
> stub-zone:
>     name: "spacetec.no"
>     stub-addr: 127.0.0.1@1053
>
> remote-control:
>     control-enable: yes
>
> qname-minimisation.conf:
>
> server:
>     # Send minimum amount of information to upstream servers to enhance
>     # privacy. Only sends minimum required labels of the QNAME and sets
>     # QTYPE to NS when possible.
>
>     # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
>     # details.
>
>     qname-minimisation: yes
>
> root-auto-trust-anchor-file.conf:
>
> server:
>     # The following line will configure unbound to perform cryptographic
>     # DNSSEC validation using the root trust anchor.
>     auto-trust-anchor-file: "/var/lib/unbound/root.key"
>
> ---
> HANS SANDSDALEN
> Manager IT Tromsø
> Space Ground Systems
> Kongsberg Defence & Aerospace AS
>
> +47 977 62 632
> [ mailto:h...@spacetec.no | h...@spacetec.no ]
> [ http://www.kongsberg.com/space | www.kongsberg.com/space ]
>
> CONFIDENTIALITY This e-mail and any attachment contain KONGSBERG information
> which may be proprietary, confidential or subject to export regulations, and
> is only meant for the intended recipient(s). Any disclosure, copying,
> distribution or use is prohibited, if not otherwise explicitly agreed with
> KONGSBERG. If received in error, please delete it immediately from your
> system and notify the sender properly.

Hi,

infra-keep-probing: <yes or no>
    If enabled the server keeps probing hosts that are down, in the one
    probe at a time regime. Default is no. Hosts that are down, eg. they
    did not respond during the one probe at a time period, are marked as
    down and it may take infra-host-ttl time to get probed again.

This fixed it for me.
Hope this helps.

Ciao,
Tito
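
The following is an added example, not part of either message and not code from the Unbound project: a small audit script that reads an unbound.conf and reports the effective infra-keep-probing value, the configured stub zones, and any yes/no option in the server clause that is set twice with different values. The sample text is constructed (abridged from the quoted configuration), and the parser assumes one "key: value" pair per line.

```python
import re

# Constructed sample, abridged from the configuration quoted in the thread.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    prefetch: yes
    num-threads: 1
    prefetch: no
    local-zone: "10.in-addr.arpa" nodefault
stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 127.0.0.1@1053
remote-control:
    control-enable: yes
"""

def parse_conf(text):
    """Return (clause, key, value) tuples; assumes one 'key: value' per line."""
    entries, clause = [], None
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue                      # blank line, comment, or not an option
        key, value = m.group(1), m.group(2).strip()
        if value:
            entries.append((clause, key, value))
        else:
            clause = key                  # "server:", "stub-zone:", ...
    return entries

def audit(text):
    """Summarise the settings relevant to the outage described in the thread."""
    entries = parse_conf(text)
    server = {}
    for clause, key, value in entries:
        if clause == "server":
            server.setdefault(key, []).append(value)
    # yes/no options that appear more than once with different values
    conflicts = sorted(k for k, v in server.items() if set(v) == {"yes", "no"})
    # Default "no" is taken from the man page text quoted in the reply;
    # when the option is repeated, the last value is assumed to win.
    keep_probing = server.get("infra-keep-probing", ["no"])[-1]
    stubs = [v.strip('"') for c, k, v in entries if c == "stub-zone" and k == "name"]
    return {"infra-keep-probing": keep_probing, "conflicts": conflicts,
            "stub-zones": stubs}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```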