From 3d4845954b273f08cd120a1d11b032d635c19ef0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 15 Feb 2022 16:32:23 +0100
Subject: surtr: unbound

---
 hosts/surtr/dns/default.nix | 58 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 55 insertions(+), 3 deletions(-)


diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index abb5d50e..87ab922c 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -20,8 +20,8 @@
         remote:
           - id: inwx_notify
             address: 185.181.104.96@53
-          - id: google
-            address: ["8.8.8.8"]
+          - id: recursive
+            address: 127.0.0.1@5353
 
         acl:
           - id: inwx_acl
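Review bot: The `recursive` remote now points at a resolver on the same host (`127.0.0.1@5353`), but nothing in this patch orders knot after that resolver, so the `validating-resolver` submission (the `parent: recursive` change in the second hunk) will fail if knot starts before unbound is listening. Consider adding `systemd.services.knot.after = [ "unbound.service" ];` next to the `systemd.services.unbound.unitConfig.RequiresMountFor` line further down, so the dependency is explicit rather than incidental to boot order. The surrounding knot `settings` block starts outside this hunk, and whether the submission step retries on a refused connection is not visible here, so treat the failure mode as something to confirm.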
@@ -40,7 +40,7 @@
 
         submission:
           - id: validating-resolver
-            parent: google
+            parent: recursive
 
         policy:
           - id: rsa2048
@@ -106,5 +106,57 @@
             file: ${./zones/org.rheperire.soa}
       '';
     };
+
+
+    fileSystems."/var/lib/unbound" =
+      { device = "surtr/safe/var-lib-unbound";
+        fsType = "zfs";
+      };
+
+    systemd.services.unbound.unitConfig.RequiresMountFor = [ "/var/lib/unbound" ];
+
+    services.unbound = {
+      enable = true;
+      resolveLocalQueries = false;
+      stateDir = "/var/lib/unbound";
+      localControlSocketPath = "/run/unbound/unbound.ctl";
+
+      settings = {
+        server = {
+          interface = ["127.0.0.1:5353" "::0:5353"];
+          access-control = ["127.0.0.0/8 allow" "::0/128 allow"];
+          root-hints = "${pkgs.dns-root-data}/root.hints";
+
+          num-threads = 12;
+          so-reuseport = true;
+          msg-cache-slabs = 16;
+          rrset-cache-slabs = 16;
+          infra-cache-slabs = 16;
+          key-cache-slabs = 16;
+
+          rrset-cache-size = "100m";
+          msg-cache-size = "50m";
+          outgoing-range = 8192;
+          num-queries-per-thread = 4096;
+
+          so-rcvbuf = "4m";
+          so-sndbuf = "4m";
+
+          # serve-expired = true;
+          # serve-expired-ttl = 86400;
+          # serve-expired-reply-ttl = 0;
+
+          prefetch = true;
+          prefetch-key = true;
+
+          minimal-responses = false;
+
+          extended-statistics = true;
+
+          rrset-roundrobin = true;
+          use-caps-for-id = true;
+        };
+      };
+    };
   };
 }
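Review bot: The IPv6 entries in `interface` and `access-control` do not describe loopback: `::0:5353` is the unspecified address, which unbound treats as a wildcard bind on every IPv6 address of the host, while `::0/128 allow` matches only the unspecified address, so an IPv6 loopback client (`::1`) is refused and a publicly reachable IPv6 socket on port 5353 is opened for no reason (non-listed sources get unbound's default `refuse`, but the listener is still exposed). The intent appears to be loopback only, i.e. `interface = ["127.0.0.1@5353" "::1@5353"];` and `access-control = ["127.0.0.0/8 allow" "::1/128 allow"];`. Note also that unbound's documented port separator for `interface:` is `@`, as the knot remote in the first hunk already uses, so confirm that the `127.0.0.1:5353` form parses before relying on it. Since `resolveLocalQueries = false` and knot is the only intended client, a one-line comment such as `# loopback-only listener; knot's "recursive" remote is the sole consumer` above `interface` would make that contract obvious to the next maintainer.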
-- 