From eb74b5baff594cfc40ad94a91d4c37aedebbcdcf Mon Sep 17 00:00:00 2001
From: Vegard Hagen
Date: Thu, 5 Dec 2024 22:09:59 +0100
Subject: [PATCH] fix(dns): tweak dns settingss after update

---
 .../dns/adguard/config/AdGuardHome.yaml       |  9 +++----
 .../network/dns/unbound/config/unbound.conf   | 25 ++++++++++++++++---
 k8s/infra/network/dns/unbound/deployment.yaml | 14 +++++------
 3 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
index 7d3aa27..e693edc 100644
--- a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
+++ b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
@@ -14,22 +14,20 @@ dns:
     - 0.0.0.0
   port: 53
   anonymize_client_ip: false
-  ratelimit: 20
+  ratelimit: 500
   ratelimit_subnet_len_ipv4: 24
   ratelimit_subnet_len_ipv6: 56
   ratelimit_whitelist: [ ]
   refuse_any: true
   upstream_dns:
     - 10.96.0.11
-    - udp://unbound.dns.svc.cluster.local:53
-    - tcp://unbound.dns.svc.cluster.local:53
   upstream_dns_file: ""
   bootstrap_dns:
-    - 10.96.0.10
+    - 10.96.0.11
   fallback_dns:
     - 1.1.1.1
     - 9.9.9.9
-  upstream_mode: fastest_addr
+  upstream_mode: parallel
   fastest_timeout: 1s
   allowed_clients: [ ]
   disallowed_clients: [ ]
@@ -105,6 +103,7 @@ filters:
 whitelist_filters: [ ]
 user_rules:
   - '@@||sdk.iad-01.braze.com^$important' # Payments?
+  - '@@||www.merchant-center-analytics.goog^$important'
 dhcp:
   enabled: false
   interface_name: ""
diff --git a/k8s/infra/network/dns/unbound/config/unbound.conf b/k8s/infra/network/dns/unbound/config/unbound.conf
index 29d9a0a..c3ad9e7 100644
--- a/k8s/infra/network/dns/unbound/config/unbound.conf
+++ b/k8s/infra/network/dns/unbound/config/unbound.conf
@@ -23,7 +23,7 @@ server:
     log-replies: no
     log-servfail: yes
-    #logfile: /opt/unbound/etc/unbound/unbound.log
+    logfile: /opt/unbound/etc/unbound/unbound.log
     verbosity: 2
     infra-cache-slabs: 4
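Review bot: `ratelimit: 500` multiplies the per-client query budget by 25 while `ratelimit_subnet_len_ipv4: 24` still keys it per /24 and `bind_hosts` is `0.0.0.0`, so any source that can reach port 53 now gets 500 qps before throttling — a much weaker brake on reflection and abuse of this resolver. If the old limit of 20 was tripping because pods behind the cluster NAT share one source subnet, the narrower fix is to list those trusted source addresses in `ratelimit_whitelist` and keep the general limit low, or at least record the reason next to the value, e.g. `ratelimit: 500 # <reason the default throttled legitimate clients>`. Separately, `bootstrap_dns` now equals the sole `upstream_dns` entry; bootstrap is only consulted to resolve hostnames of encrypted upstreams, so with an IP-literal upstream it is inert, but a comment on `10.96.0.11` saying what it is (presumably the unbound ClusterIP, given the two `unbound.dns.svc.cluster.local` entries removed here) would save the next reader a lookup.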
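Review bot: the new `@@||www.merchant-center-analytics.goog^$important` rule has no comment, while the braze rule just above it carries `# Payments?` to explain itself; `$important` overrides every blocklist, so an allow rule should at least record which site or workflow it was added to unbreak, e.g. `# <site/feature that broke> — verify still needed`.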
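Review bot: uncommenting `logfile: /opt/unbound/etc/unbound/unbound.log` moves logging from the process's stderr into a file inside the container, so with `verbosity: 2` and `log-servfail: yes` the output no longer reaches `kubectl logs` or the cluster log pipeline and nothing in this hunk bounds or rotates the file. If `/opt/unbound/etc/unbound` is a ConfigMap mount, as the `config/` path in this repo suggests, it is read-only and unbound will fail to open the log file at all — worth confirming before this ships. If the intent was just to see the logs, `logfile: ""` together with `use-syslog: no` keeps them on stderr, which is what the container runtime collects when the image runs unbound in the foreground (presumably the case for the mvance image); if a file really is wanted, point it at a writable volume with a size limit rather than the config directory.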
@@ -50,7 +50,7 @@ server:
     so-reuseport: yes
-    aggressive-nsec: yes
+    #aggressive-nsec: yes
     delay-close: 10000
@@ -60,7 +60,7 @@ server:
     neg-cache-size: 4M
-    qname-minimisation: yes
+    #qname-minimisation: yes
     access-control: 127.0.0.1/32 allow
     access-control: 192.168.0.0/16 allow
@@ -108,6 +108,25 @@ server:
     val-clean-additional: yes
+    # Limit on upstream queries for an incoming query and its recursion.
+    max-global-quota: 1000
+
+    # https://github.com/NLnetLabs/unbound/issues/362
+    qname-minimisation: no
+    aggressive-nsec: no
+
+    infra-keep-probing: yes
+    infra-cache-min-rtt: 1000
+    infra-cache-max-rtt: 2000
+    infra-host-ttl: 10
+
+    outbound-msg-retry: 128
+    max-sent-count: 256
+
+    udp-connect: no
+
+    #ede: yes
+
     include: /opt/unbound/etc/unbound/a-records.conf
     include: /opt/unbound/etc/unbound/srv-records.conf
diff --git a/k8s/infra/network/dns/unbound/deployment.yaml b/k8s/infra/network/dns/unbound/deployment.yaml
index 6f9309c..fb4f91c 100644
--- a/k8s/infra/network/dns/unbound/deployment.yaml
+++ b/k8s/infra/network/dns/unbound/deployment.yaml
@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: DaemonSet
+kind: Deployment
 metadata:
   name: unbound
   namespace: dns
@@ -12,15 +12,15 @@ spec:
       labels:
         app: unbound
     spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+      #securityContext:
+      #  seccompProfile:
+      #    type: RuntimeDefault
       containers:
         - name: unbound
           image: docker.io/mvance/unbound:1.22.0 # renovate: docker=docker.io/mvance/unbound
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: false
+          #securityContext:
+          #  allowPrivilegeEscalation: false
+          #  readOnlyRootFilesystem: false
           ports:
             - name: unbound-dns-tcp
               containerPort: 5335
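Review bot: `#aggressive-nsec: yes` leaves a commented-out copy of an option that the `@@ -108` hunk in this same file then sets explicitly to `no`, and the `@@ -60` hunk does the same with `qname-minimisation`; a dead duplicate of a setting invites someone to uncomment it later and get a silent last-occurrence-wins result (unbound takes the last value for scalar options, as far as I know), so delete these two lines rather than commenting them. Note also what is being given up: qname minimisation (RFC 9156) stops the resolver sending full query names to every authoritative server in the chain, and aggressive NSEC use (RFC 8198) lets it answer random-subdomain floods from cache instead of forwarding each one. The issue link already added next to the `no` values should say in words what the regression was and carry a reminder to re-enable both once that upstream problem is resolved, e.g. `# Disabled as a workaround for <symptom> (NLnetLabs/unbound#362); re-enable when fixed`.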
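Review bot: `outbound-msg-retry: 128` and `max-sent-count: 256` raise unbound's per-query upstream retry budget far above the documented defaults (5 and 32 in unbound.conf(5), if I recall correctly), and together with `max-global-quota: 1000` they let a single incoming query fan out into hundreds of upstream packets — exactly the amplification that quota exists to cap — while `infra-cache-min-rtt: 1000` means an unresponsive server is waited on for at least a second per attempt before the query fails. If these were tuned to ride out the flaky-upstream behaviour in the linked issue, say so in a comment above the block so the next reader does not take them for deliberate hardening, e.g. `# Retry/quota tuning for <observed failure>; revisit once upstream is stable`. The `#ede: yes` line is dead configuration with no note of why it is there; either enable it or drop it.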
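Review bot: changing `kind` while keeping `name: unbound` does not replace the existing DaemonSet — `kubectl apply`, or a GitOps controller without pruning, will create the Deployment alongside it, and both sets of pods presumably match the same `app: unbound` selector until the DaemonSet is deleted; confirm pruning is enabled or delete it explicitly as part of this change. A Deployment also defaults to a single replica, and `replicas`, pod anti-affinity and a PodDisruptionBudget are outside this hunk, so the resolver that the AdGuardHome.yaml hunk in this commit makes its only `upstream_dns` entry is now a single point of failure with `fallback_dns` as the only safety net; if one replica is intended, a comment on `kind: Deployment` saying why the DaemonSet was dropped would help.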
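Review bot: commenting out both `securityContext` blocks drops the `RuntimeDefault` seccomp profile and `allowPrivilegeEscalation: false`, so the unbound container now runs with no syscall filter and can regain privileges through setuid binaries, and the pod would no longer satisfy the `restricted` Pod Security Standard; nothing in the hunk says which of the three settings actually caused trouble after the image update. The container listens on 5335, above the privileged port range, so neither concession should be needed for binding; bisect by restoring the two blocks one setting at a time instead of disabling all of them, and if one really has to stay off, leave a comment on the `#securityContext:` line naming the failure, e.g. `# securityContext disabled: <failure observed with 1.22.0> — TODO re-enable`.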