From 3d4845954b273f08cd120a1d11b032d635c19ef0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 15 Feb 2022 16:32:23 +0100
Subject: surtr: unbound

---
 hosts/surtr/dns/default.nix | 58 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 55 insertions(+), 3 deletions(-)

(limited to 'hosts/surtr/dns/default.nix')

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index abb5d50e..87ab922c 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -20,8 +20,8 @@
       remote:
         - id: inwx_notify
           address: 185.181.104.96@53
-        - id: google
-          address: ["8.8.8.8"]
+        - id: recursive
+          address: 127.0.0.1@5353
 
       acl:
         - id: inwx_acl
@@ -40,7 +40,7 @@
 
       submission:
         - id: validating-resolver
-          parent: google
+          parent: recursive
 
       policy:
         - id: rsa2048
@@ -106,5 +106,57 @@
           file: ${./zones/org.rheperire.soa}
         '';
     };
+
+
+    fileSystems."/var/lib/unbound" =
+      { device = "surtr/safe/var-lib-unbound";
+        fsType = "zfs";
+      };
+
+    systemd.services.unbound.unitConfig.RequiresMountFor = [ "/var/lib/unbound" ];
+
+    services.unbound = {
+      enable = true;
+      resolveLocalQueries = false;
+      stateDir = "/var/lib/unbound";
+      localControlSocketPath = "/run/unbound/unbound.ctl";
+
+      settings = {
+        server = {
+          interface = ["127.0.0.1:5353" "::0:5353"];
+          access-control = ["127.0.0.0/8 allow" "::0/128 allow"];
+          root-hints = "${pkgs.dns-root-data}/root.hints";
+
+          num-threads = 12;
+          so-reuseport = true;
+          msg-cache-slabs = 16;
+          rrset-cache-slabs = 16;
+          infra-cache-slabs = 16;
+          key-cache-slabs = 16;
+
+          rrset-cache-size = "100m";
+          msg-cache-size = "50m";
+          outgoing-range = 8192;
+          num-queries-per-thread = 4096;
+
+          so-rcvbuf = "4m";
+          so-sndbuf = "4m";
+
+          # serve-expired = true;
+          # serve-expired-ttl = 86400;
+          # serve-expired-reply-ttl = 0;
+
+          prefetch = true;
+          prefetch-key = true;
+
+          minimal-responses = false;
+
+          extended-statistics = true;
+
+          rrset-roundrobin = true;
+          use-caps-for-id = true;
+        };
+      };
+    };
   };
 }
--
cgit v1.2.3
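Review bot: `systemd.services.unbound.unitConfig.RequiresMountFor` in the third hunk is misspelled — the systemd directive is `RequiresMountsFor=`, so systemd logs an unknown-key warning and ignores it, and unbound may start before `surtr/safe/var-lib-unbound` is mounted at `/var/lib/unbound`, leaving any state it writes on the underlying directory to be shadowed by the later mount; change it to `systemd.services.unbound.unitConfig.RequiresMountsFor = [ "/var/lib/unbound" ];`. Separately, `interface` lists `::0:5353`, which binds the IPv6 wildcard on every address of the host, while `access-control` grants `::0/128 allow` — the unspecified address, which no client source can ever match — so the socket is reachable from outside yet answers no IPv6 client with anything but a refusal; since the only consumer shown is the knot remote at `127.0.0.1@5353` (first hunk), loopback was presumably intended: `interface = ["127.0.0.1:5353" "::1:5353"];` and `access-control = ["127.0.0.0/8 allow" "::1/128 allow"];`. The enclosing Nix attribute set starts before this hunk.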