fix(dns): tweak unbound setting again

Still some intermittent issues with DNS-resolving
2025-10-30 17:37:59 +00:00 · 2025-01-02 14:38:58 +01:00
parent 668f052356
commit e4fbd938c1
3 changed files with 22 additions and 16 deletions
--- a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
+++ b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
@@ -19,8 +19,8 @@ dns:
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: [ ]
  refuse_any: true
-  upstream_dns:
-    - 10.96.0.11
+  #upstream_dns:
+  #  - 10.96.0.11
  upstream_dns_file: ""
  bootstrap_dns:
    - 10.96.0.11
--- a/k8s/infra/network/dns/unbound/config/unbound.conf
+++ b/k8s/infra/network/dns/unbound/config/unbound.conf
@@ -10,7 +10,7 @@ server:

    do-ip4: yes
    do-ip6: yes
-    prefer-ip6: yes
+    prefer-ip6: no
    do-tcp: yes
    do-udp: yes

@@ -24,7 +24,8 @@ server:
    log-servfail: yes

    logfile: /opt/unbound/etc/unbound/unbound.log
-    verbosity: 2
+    log-time-ascii: yes
+    verbosity: 0

    infra-cache-slabs: 4
    incoming-num-tcp: 10
@@ -34,7 +35,7 @@ server:
    msg-cache-slabs: 4

    num-queries-per-thread: 4096
-    num-threads: 3
+    num-threads: 1

    outgoing-range: 8192

@@ -47,10 +48,13 @@ server:
    prefetch-key: yes

    serve-expired: yes
+    serve-expired-ttl: 172800  # between 86400 (1 day) and 259200 (3 days)
+    serve-expired-client-timeout: 1800  # RFC 8767 recommended value

    so-reuseport: yes
+    so-rcvbuf: 1m

-    #aggressive-nsec: yes
+    aggressive-nsec: yes

    delay-close: 10000

@@ -60,7 +64,7 @@ server:

    neg-cache-size: 4M

-    #qname-minimisation: yes
+    qname-minimisation: yes

    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
@@ -112,18 +116,18 @@ server:
    max-global-quota: 1000

    # https://github.com/NLnetLabs/unbound/issues/362
-    qname-minimisation: no
-    aggressive-nsec: no
+    #qname-minimisation: no
+    #aggressive-nsec: no

    infra-keep-probing: yes
-    infra-cache-min-rtt: 1000
-    infra-cache-max-rtt: 2000
-    infra-host-ttl: 10
+    infra-cache-min-rtt: 2000
+    infra-cache-max-rtt: 15000
+    infra-host-ttl: 5

-    outbound-msg-retry: 128
-    max-sent-count: 256
+    outbound-msg-retry: 64
+    max-sent-count: 128

-    udp-connect: no
+    #udp-connect: no

    #ede: yes

--- a/k8s/infra/network/dns/unbound/svc.yaml
+++ b/k8s/infra/network/dns/unbound/svc.yaml
@@ -3,8 +3,10 @@ kind: Service
 metadata:
  name: unbound
  namespace: dns
+  annotations:
+    io.cilium/lb-ipam-ips: 192.168.1.252
 spec:
-  type: ClusterIP
+  type: LoadBalancer
  # https://kubernetes.io/docs/concepts/services-networking/cluster-ip-allocation/
  clusterIP: 10.96.0.11
  ports: