From 8cac08d3c42ed073d1c6419c1960e72c682078d9 Mon Sep 17 00:00:00 2001 From: stoXe Date: Sat, 19 Jun 2021 02:22:04 +0000 Subject: [PATCH] Update unwanted-reply-threshhold to 10m per recommendation Disable use-caps-for-id Disable num-thread specification Add so-rcvbuf --- unbound/unbound.conf | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/unbound/unbound.conf b/unbound/unbound.conf index 3c7780e..d3a0bd2 100644 --- a/unbound/unbound.conf +++ b/unbound/unbound.conf @@ -183,14 +183,14 @@ server: # When it reaches the threshold, a defensive action of clearing the rrset # and message caches is taken, hopefully flushing away any poison. # Unbound suggests a value of 10 million. - unwanted-reply-threshold: 10000 + unwanted-reply-threshold: 10000000 # Use 0x20-encoded random bits in the query to foil spoof attempts. This # perturbs the lowercase and uppercase of query names sent to authority # servers and checks if the reply still has the correct casing. # This feature is an experimental implementation of draft dns-0x20. # Experimental option. - use-caps-for-id: yes + #use-caps-for-id: yes # Help protect users that rely on this validator for authentication from # potentially bad data in the additional section. Instruct the validator to @@ -241,7 +241,7 @@ server: # The number of threads to create to serve clients. # This is set dynamically at run time to effectively use available CPUs # resources - num-threads: 3 + #num-threads: 3 # Number of ports to open. This number of file descriptors can be opened # per thread. @@ -283,6 +283,9 @@ server: # incoming queries to threads more evenly. so-reuseport: yes + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf: 1m + ########################################################################### # LOCAL ZONE ###########################################################################