jokester/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: increase unbound ttl&cache

Browse Source
This commit is contained in:
Clément Désiles 2026-02-03 22:08:20 +01:00
parent 1f758deb82
commit 321a14a108
No known key found for this signature in database
2 changed files with 24 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
roles/unbound/templates/custom-vpn.conf.j2
View File

@ -5,9 +5,9 @@ view:
{% if unbound_custom_vpn_records is defined %} {% if unbound_custom_vpn_records is defined %}
{% for host, ips in unbound_custom_vpn_records.items() %} {% for host, ips in unbound_custom_vpn_records.items() %}
local-data: "{{ host }}. IN A {{ ips.v4 }}" local-data: "{{ host }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %} {% if ips.v6 is defined %}
local-data: "{{ host }}. IN AAAA {{ ips.v6 }}" local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

32
roles/unbound/templates/unbound.conf.j2
View File

@ -26,8 +26,8 @@ server:
access-control: ::1 allow access-control: ::1 allow
# Specify custom local answers for each interface by using views: # Specify custom local answers for each interface by using views:
access-control-view: 192.168.1.56/24 lan access-control-view: 192.168.1.0/24 lan
access-control-view: 192.168.27.1/27 vpn access-control-view: 192.168.27.0/27 vpn
do-ip4: yes do-ip4: yes
do-udp: yes do-udp: yes
@ -59,13 +59,19 @@ server:
use-caps-for-id: no use-caps-for-id: no
# the time to live (TTL) value lower bound, in seconds. Default 0. # the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data. # Setting to 0 respects upstream TTLs, avoiding outages on fast-flux services.
cache-min-ttl: 3600 cache-min-ttl: 0
# the time to live (TTL) value cap for RRsets and messages in the # the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds. # cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400 cache-max-ttl: 86400
# Serve expired records while fetching fresh ones in the background.
# Improves reliability when upstream resolvers are temporarily unavailable.
serve-expired: yes
serve-expired-ttl: 86400
serve-expired-client-timeout: 0
# Reduce EDNS reassembly buffer size. # Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause # IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even # transmission failures when large DNS messages are sent via UDP. Even
@ -89,14 +95,20 @@ server:
# see: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-prefetch # see: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-prefetch
prefetch: no prefetch: no
# One thread should be sufficient, can be increased on beefy machines. # Threads and cache slabs optimized for 4-core CPU
# In reality for most users running on small networks or on a single machine, num-threads: 4
# it should be unnecessary to seek performance enhancement by increasing num-threads above 1. msg-cache-slabs: 4
num-threads: 1 rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
# Cache sizes optimized for 64GB RAM
msg-cache-size: 512m
rrset-cache-size: 1g
# Ensure kernel buffer is large enough to not lose messages in traffic spikes # Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m so-rcvbuf: 4m
so-sndbuf: 0 so-sndbuf: 4m
# Ensure privacy of local IP ranges # Ensure privacy of local IP ranges
private-address: 192.168.0.0/16 private-address: 192.168.0.0/16