DNS Resolver Advanced Options

pfSense® software provides a GUI to configure some of the more common advanced options available in the DNS Resolver (Unbound).

See also

The options below are documented as found in the unbound.conf man page.

Advanced Privacy Options

Hide Identity

Controls whether or not Unbound will allow queries for the server identity. This offers extra privacy.

When set, Unbound rejects queries for id.server and hostname.bind.

Hide Version

Controls whether or not Unbound will allow queries for the server version. This offers extra privacy.

When set, Unbound rejects queries for version.server and version.bind.

Query Name Minimization

Controls whether or not Unbound attempts to minimize the amount of data sent with a query for extra privacy. Default is unchecked.

When set, Unbound only sends the minimum required labels of the QNAME and sets QTYPE to A when possible.

Note

This is a best effort approach; Unbound sends the full QNAME and original QTYPE when an upstream server replies with an RCODE other than NOERROR, except when receiving NXDOMAIN from a DNSSEC signed zone.

See also

Refer to RFC 7816 for in-depth information on Query Name Minimization.

Strict Query Name Minimization

Controls whether Unbound performs Query Name Minimization in a strict manner for even stronger privacy at the expense of potentially failing to resolve a large number of queries. Default is unchecked.

When set, enables QNAME minimization in strict mode, which does not fall back to sending the full QNAME and original QTYPE to potentially broken name servers.

This option requires Query Name Minimization.

Warning

Use with extreme caution. A significant number of domains will fail to resolve when this option in enabled.

Advanced Resolver Options

Prefetch Support

Controls whether or not Unbound prefetches message cache elements before they expire to help keep the cache up to date.

This option can cause an increase of around 10% more DNS traffic and load on the server, but frequently requested items will not expire from the cache.

Prefetch DNS Key Support

Controls whether or not Unbound fetches DNSKEYs earlier in the validation process when a Delegation Signer record is encountered.

This helps lower the latency of requests but utilizes a little more CPU, and requires the cache to be set above zero.

Harden DNSSEC Data

Controls whether or not Unbound requires DNSSEC data for trust-anchored zones.

When checked (default), if DNSSEC data is absent in a response for a trust-anchored zone, the zone becomes bogus.

If unchecked and Unbound does not receive DNSSEC data then Unbound behaves as if the zone had no trust anchor; the zone is marked insecure but the data is still used. This can work around issues with receiving DNSSEC data, but also opens up the results to a potential downgrade attack.

Serve Expired

Controls whether or not Unbound will serve cache records with a TTL of 0.

When enabled, allows Unbound to serve a query even with a TTL of 0. If the TTL is 0 then a new record will be requested in the background when the cache is served to ensure that the cache is updated without adding latency to the client DNS request.

Drop Old UDP Queries

Timeout in seconds before dropping UDP queries waiting in the socket buffer. Queries that have waited for a long time don’t need to be processed and can be dropped. A value of 3 should be safe in most setups.

Aggressive NSEC

Controls how aggressively Unbound attempts to predict negative responses based on the contents of the DNSSEC NSEC chain.

When enabled, Unbound uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAIN answers. This helps to reduce the query rate towards targets with high nonexistent name lookup rates.

Message Cache Size

Controls the amount of memory used to cache DNS response codes and validation statuses. The default is 4 MB.

Note

The resource record set (RRSet) cache will automatically be set to twice this amount. The RRSet cache contains the actual resource record data.

Outgoing TCP Buffers

The number of outgoing TCP buffers to allocate per thread. The default value is 10.

If set to 0, TCP queries will not be sent to authoritative servers.

Incoming TCP Buffers

The number of incoming TCP buffers to allocate per thread. The default value is 10.

If set to 0, TCP queries will not be accepted from clients.

EDNS Buffer Size

Number of bytes size to advertise as the EDNS reassembly buffer size. This value is placed in UDP datagrams sent to peers.

The default is Automatic and is calculated based on the MTU values of active interfaces. A variety of other common values are provided in a drop-down list.

Automatic mode sets optimal buffer size by using the smallest MTU of active interfaces and subtracting the IPv4/IPv6 header size. If fragmentation reassembly problems occur, usually seen as timeouts, then try a value of 1432.

The 512, 1220, and 1232 values bypass most IPv4 and IPv6 MTU path problems but can generate an excessive amount of TCP fallback.

Number of Queries per Thread

The number of queries that every Unbound thread will service simultaneously. The default value is 512.

If additional queries arrive that need to be serviced, and no queries can be jostled out, the new queries are dropped

Jostle Timeout

Timeout in milliseconds used when the server is very busy. This protects against denial of service by slow queries or high query rates. The default value is 200 milliseconds.

Set to a value that approximates the round-trip time to the authority servers. As new queries arrive, 50% are allowed to run and 50% are replaced by new queries if they are older than the stated timeout.

Maximum TTL for RRsets and Messages

The Maximum Time to Live (TTL) for RRsets and messages in the cache, specified in seconds. The default is 86400 seconds (1 day).

When the internal TTL expires the cache item is expired. This can be configured to force the resolver to query for data more often and not trust very large TTL values

Minimum TTL for RRsets and Messages

The Minimum Time to Live for RRsets and messages in the cache, specified in seconds. The default is 0 seconds.

If a record has a TTL lower than the configured minimum value, data can be cached for longer than the domain owner intended, and thus less queries are made to look up the data. The 0 value ensures the data in the cache is not kept longer than the domain owner intended.

Warning

High values can lead to trouble as the data in the cache may not match up with the actual data if it changes.

TTL for Host Cache Entries

Time to Live, in minutes, for entries in the infrastructure host cache. The default value is 15 minutes.

The infrastructure host cache contains round trip timing, lameness, and EDNS support information for DNS servers.

Number of Hosts to Cache

Number of infrastructure hosts for which information is cached. The default is 10,000.

Unwanted Reply Threshold

Controls whether or not Unbound tracks the total number of unwanted replies in every thread. The default is disabled

When the threshold is reached, a defensive action is taken and a warning is printed to the log file. The defensive action is to clear the RRSet and message caches, hopefully flushing away any poison.

If enabled, the a value of 10 million is the best starting value.

Log Level

Controls the verbosity of data logged by Unbound. Default is Level 1.

Level 0

No logging, only errors.

Level 1

Basic operational information.

Level 2

Detailed operational information.

Level 3

Query level information, output per query.

Level 4

Algorithm level information.

Level 5

Logs client identification for cache misses.

Disable Auto-added Access Control

Controls whether or not Unbound uses automatic access control entries. The default is unchecked.

The automatic access control entries permit queries from IPv4 and IPv6 networks residing on internal interfaces of this firewall, and on certain known subnets used for VPNs.

When checked, networks from which queries are allowed must be manually configured on the Access Lists tab.

Disable Auto-added Host Entries

Controls whether or not Unbound registers primary IPv4 and IPv6 addresses of this firewall as records for the system domain as configured in System > General Setup.

When checked, these automatic entries are omitted from the configuration.

Experimental Bit 0x20 Support

Use 0x20 encoded random bits in the DNS query to foil spoofing attempts. See the implementation draft dns-0x20 for more information:

DNS64 Support

Controls whether or not Unbound enables support for DNS64 (RFC 6147).

DNS64 is used with an IPv6/IPv4 translator to enable client-server communication between an IPv6-only client and an IPv4-only servers.