fix(dns): tweak dns settingss after update

k8s/infra/network/dns/adguard/config/AdGuardHome.yaml

@@ -14,22 +14,20 @@ dns:
     - 0.0.0.0
   port: 53
   anonymize_client_ip: false
-  ratelimit: 20
+  ratelimit: 500
   ratelimit_subnet_len_ipv4: 24
   ratelimit_subnet_len_ipv6: 56
   ratelimit_whitelist: [ ]
   refuse_any: true
   upstream_dns:
     - 10.96.0.11
-    - udp://unbound.dns.svc.cluster.local:53
-    - tcp://unbound.dns.svc.cluster.local:53
   upstream_dns_file: ""
   bootstrap_dns:
-    - 10.96.0.10
+    - 10.96.0.11
   fallback_dns:
     - 1.1.1.1
     - 9.9.9.9
-  upstream_mode: fastest_addr
+  upstream_mode: parallel
   fastest_timeout: 1s
   allowed_clients: [ ]
   disallowed_clients: [ ]
@@ -105,6 +103,7 @@ filters:
 whitelist_filters: [ ]
 user_rules:
   - '@@||sdk.iad-01.braze.com^$important' # Payments?
+  - '@@||www.merchant-center-analytics.goog^$important'
 dhcp:
   enabled: false
   interface_name: ""

k8s/infra/network/dns/unbound/config/unbound.conf

@@ -23,7 +23,7 @@ server:
     log-replies: no
     log-servfail: yes
 
-    #logfile: /opt/unbound/etc/unbound/unbound.log
+    logfile: /opt/unbound/etc/unbound/unbound.log
     verbosity: 2
 
     infra-cache-slabs: 4
@@ -50,7 +50,7 @@ server:
 
     so-reuseport: yes
 
-    aggressive-nsec: yes
+    #aggressive-nsec: yes
 
     delay-close: 10000
 
@@ -60,7 +60,7 @@ server:
 
     neg-cache-size: 4M
 
-    qname-minimisation: yes
+    #qname-minimisation: yes
 
     access-control: 127.0.0.1/32 allow
     access-control: 192.168.0.0/16 allow
@@ -108,6 +108,25 @@ server:
 
     val-clean-additional: yes
 
+    # Limit on upstream queries for an incoming query and its recursion.
+    max-global-quota: 1000
+
+    # https://github.com/NLnetLabs/unbound/issues/362
+    qname-minimisation: no
+    aggressive-nsec: no
+
+    infra-keep-probing: yes
+    infra-cache-min-rtt: 1000
+    infra-cache-max-rtt: 2000
+    infra-host-ttl: 10
+
+    outbound-msg-retry: 128
+    max-sent-count: 256
+
+    udp-connect: no
+
+    #ede: yes
+
     include: /opt/unbound/etc/unbound/a-records.conf
     include: /opt/unbound/etc/unbound/srv-records.conf
 

k8s/infra/network/dns/unbound/deployment.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: DaemonSet
+kind: Deployment
 metadata:
   name: unbound
   namespace: dns
@@ -12,15 +12,15 @@ spec:
       labels:
         app: unbound
     spec:
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+      #securityContext:
+      #  seccompProfile:
+      #    type: RuntimeDefault
       containers:
         - name: unbound
           image: docker.io/mvance/unbound:1.22.0  # renovate: docker=docker.io/mvance/unbound
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: false
+          #securityContext:
+          #  allowPrivilegeEscalation: false
+          #  readOnlyRootFilesystem: false
           ports:
             - name: unbound-dns-tcp
               containerPort: 5335