DNS Resolver Advanced Options¶
pfSense provides a GUI to configure some of the more common advanced options
unbound. The options below are documented as found in the
unbound.conf man page.
- Hide Identity
When set, attempts to query the server identity (
hostname.bind) are refused.
- Hide Version
When set, attempts to query the server version (
version.bind) are refused.
- Prefetch Support
When enabled, message cache elements are prefetched before they expire to help keep the cache up to date. This option can cause an increase of around 10% more DNS traffic and load on the server, but frequently requested items will not expire from the cache.
- Prefetch DNS Key Support
When enabled, DNSKEYs are fetched earlier in the validation process when a Delegation Signer record is encountered. This helps lower the latency of requests but utilizes a little more CPU, and requires the cache to be set above zero.
- Harden DNSSEC Data
If this option is disabled and no DNSSEC data is received, then the zone is made insecure. DNSSEC data is required for trust-anchored zones. If such data is absent, the zone becomes bogus.
- Message Cache Size
The message cache stores DNS response codes and validation statuses. The resource record set (RRSet) cache will automatically be set to twice this amount. The RRSet cache contains the actual resource record data. The default is 4 MB.
- Outgoing TCP Buffers
The number of outgoing TCP buffers to allocate per thread. The default value is 10. If set to 0, TCP queries will not be sent to authoritative servers.
- Incoming TCP Buffers
The number of incoming TCP buffers to allocate per thread. The default value is 10. If set to 0, TCP queries will not be accepted from clients.
- EDNS Buffer Size
Number of bytes size to advertise as the EDNS reassembly buffer size. This value is placed in UDP datagrams sent to peers. RFC recommendation is 4096 (the default). If fragmentation reassembly problems occur, usually observed as timeouts, then a value of 1480 may help. The 512 value bypasses most MTU path problems, but it is excessive and can generate an excessive amount of TCP fallback.
- Number of Queries per Thread
The number of queries that every thread will service simultaneously. If additional queries arrive that need to be serviced, and no queries can be jostled out, the new queries are dropped
- Jostle Timeout
Timeout used when the server is very busy. This protects against denial of service by slow queries or high query rates. The default value is 200 milliseconds. Set to a value that approximates the round-trip time to the authority servers. As new queries arrive, 50% are allowed to run and 50% are replaced by new queries if they are older than the stated timeout.
- Maximum TTL for RRsets and Messages
The Maximum Time to Live (TTL) for RRsets and messages in the cache, specified in seconds. The default is
86400seconds (1 day). When the internal TTL expires the cache item is expired. This can be configured to force the resolver to query for data more often and not trust (very large) TTL values
- Minimum TTL for RRsets and Messages
The Minimum Time to Live for RRsets and messages in the cache, specified in seconds. The default is
0seconds. If a record has a TTL lower than the configured minimum value, data can be cached for longer than the domain owner intended, and thus less queries are made to look up the data. The
0value ensures the data in the cache is not kept longer than the domain owner intended. High values can lead to trouble as the data in the cache may not match up with the actual data if it changes.
- TTL for Host Cache Entries
Time to Live, in seconds, for entries in the infrastructure host cache. The infrastructure host cache contains round trip timing, lameness, and EDNS support information for DNS servers. The default value is 15 minutes.
- Number of Hosts to Cache
Number of infrastructure hosts for which information is cached. The default is 10,000.
- Unwanted Reply Threshold
If enabled, a total number of unwanted replies is tracked in every thread. When the threshold is reached, a defensive action is taken and a warning is printed to the log file. The defensive action is to clear the RRSet and message caches, hopefully flushing away any poison. The default is disabled, but if enabled a value of 10 million is suggested.
- Log Level
Select the log verbosity. Default is Level 1.
- Level 0
No verbosity, only errors.
- Level 1
- Level 2
Detailed operational information.
- Level 3
Query level information, output per query.
- Level 4
Algorithm level information.
- Level 5
Logs client identification for cache misses.
- Disable Auto-added Access Control
Disables the automatically-added access control entries. By default, IPv4 and IPv6 networks residing on internal interfaces of this firewall are permitted. Allowed networks must be manually configured on the Access Lists tab if when checked.
- Experimental Bit 0x20 Support
Use 0x20-encoded random bits in the DNS query to foil spoofing attempts. See the implementation draft dns-0x20 for more information: