DNS Resolver Advanced Options¶
pfSense® software provides a GUI to configure some of the more common advanced options available in the DNS Resolver (Unbound).
The options below are documented as found in the unbound.conf man page.
Advanced Privacy Options¶
- Hide Identity
Controls whether or not Unbound will allow queries for the server identity. This offers extra privacy.
When set, Unbound rejects queries for
- Hide Version
Controls whether or not Unbound will allow queries for the server version. This offers extra privacy.
When set, Unbound rejects queries for
- Query Name Minimization
Controls whether or not Unbound attempts to minimize the amount of data sent with a query for extra privacy. Default is unchecked.
When set, Unbound only sends the minimum required labels of the
This is a best effort approach; Unbound sends the full
QTYPEwhen an upstream server replies with an
NOERROR, except when receiving
Refer to RFC 7816 for in-depth information on Query Name Minimization.
- Strict Query Name Minimization
Controls whether Unbound performs Query Name Minimization in a strict manner for even stronger privacy at the expense of potentially failing to resolve a large number of queries. Default is unchecked.
When set, enables
QNAMEminimization in strict mode, which does not fall back to sending the full
QTYPEto potentially broken name servers.
This option requires Query Name Minimization.
Use with extreme caution. A significant number of domains will fail to resolve when this option in enabled.
Advanced Resolver Options¶
- Prefetch Support
Controls whether or not Unbound prefetches message cache elements before they expire to help keep the cache up to date.
This option can cause an increase of around 10% more DNS traffic and load on the server, but frequently requested items will not expire from the cache.
- Prefetch DNS Key Support
Controls whether or not Unbound fetches DNSKEYs earlier in the validation process when a Delegation Signer record is encountered.
This helps lower the latency of requests but utilizes a little more CPU, and requires the cache to be set above zero.
- Harden DNSSEC Data
Controls whether or not Unbound requires DNSSEC data for trust-anchored zones.
When checked (default), if DNSSEC data is absent in a response for a trust-anchored zone, the zone becomes bogus.
If unchecked and Unbound does not receive DNSSEC data then Unbound behaves as if the zone had no trust anchor; the zone is marked insecure but the data is still used. This can work around issues with receiving DNSSEC data, but also opens up the results to a potential downgrade attack.
- Serve Expired
Controls whether or not Unbound will serve cache records with a TTL of
When enabled, allows Unbound to serve a query even with a TTL of
0. If the TTL is
0then a new record will be requested in the background when the cache is served to ensure that the cache is updated without adding latency to the client DNS request.
- Aggressive NSEC
Controls how aggressively Unbound attempts to predict negative responses based on the contents of the DNSSEC NSEC chain.
When enabled, Unbound uses the DNSSEC NSEC chain to synthesize
NXDOMAINand other denials, using information from previous
NXDOMAINanswers. This helps to reduce the query rate towards targets with high nonexistent name lookup rates.
- Message Cache Size
Controls the amount of memory used to cache DNS response codes and validation statuses. The default is 4 MB.
The resource record set (RRSet) cache will automatically be set to twice this amount. The RRSet cache contains the actual resource record data.
- Outgoing TCP Buffers
The number of outgoing TCP buffers to allocate per thread. The default value is 10.
If set to 0, TCP queries will not be sent to authoritative servers.
- Incoming TCP Buffers
The number of incoming TCP buffers to allocate per thread. The default value is 10.
If set to 0, TCP queries will not be accepted from clients.
- EDNS Buffer Size
Number of bytes size to advertise as the EDNS reassembly buffer size. This value is placed in UDP datagrams sent to peers.
The default is Automatic and is calculated based on the MTU values of active interfaces. A variety of other common values are provided in a drop-down list.
Automatic mode sets optimal buffer size by using the smallest MTU of active interfaces and subtracting the IPv4/IPv6 header size. If fragmentation reassembly problems occur, usually seen as timeouts, then try a value of
1232values bypass most IPv4 and IPv6 MTU path problems but can generate an excessive amount of TCP fallback.
- Number of Queries per Thread
The number of queries that every Unbound thread will service simultaneously. The default value is 512.
If additional queries arrive that need to be serviced, and no queries can be jostled out, the new queries are dropped
- Jostle Timeout
Timeout in milliseconds used when the server is very busy. This protects against denial of service by slow queries or high query rates. The default value is 200 milliseconds.
Set to a value that approximates the round-trip time to the authority servers. As new queries arrive, 50% are allowed to run and 50% are replaced by new queries if they are older than the stated timeout.
- Maximum TTL for RRsets and Messages
The Maximum Time to Live (TTL) for RRsets and messages in the cache, specified in seconds. The default is
86400seconds (1 day).
When the internal TTL expires the cache item is expired. This can be configured to force the resolver to query for data more often and not trust very large TTL values
- Minimum TTL for RRsets and Messages
The Minimum Time to Live for RRsets and messages in the cache, specified in seconds. The default is
If a record has a TTL lower than the configured minimum value, data can be cached for longer than the domain owner intended, and thus less queries are made to look up the data. The
0value ensures the data in the cache is not kept longer than the domain owner intended.
High values can lead to trouble as the data in the cache may not match up with the actual data if it changes.
- TTL for Host Cache Entries
Time to Live, in minutes, for entries in the infrastructure host cache. The default value is 15 minutes.
The infrastructure host cache contains round trip timing, lameness, and EDNS support information for DNS servers.
- Number of Hosts to Cache
Number of infrastructure hosts for which information is cached. The default is 10,000.
- Unwanted Reply Threshold
Controls whether or not Unbound tracks the total number of unwanted replies in every thread. The default is disabled
When the threshold is reached, a defensive action is taken and a warning is printed to the log file. The defensive action is to clear the RRSet and message caches, hopefully flushing away any poison.
If enabled, the a value of 10 million is the best starting value.
- Log Level
Controls the verbosity of data logged by Unbound. Default is Level 1.
- Level 0
No logging, only errors.
- Level 1
Basic operational information.
- Level 2
Detailed operational information.
- Level 3
Query level information, output per query.
- Level 4
Algorithm level information.
- Level 5
Logs client identification for cache misses.
- Disable Auto-added Access Control
Controls whether or not Unbound uses automatic access control entries. The default is unchecked.
The automatic access control entries permit queries from IPv4 and IPv6 networks residing on internal interfaces of this firewall, and on certain known subnets used for VPNs.
When checked, networks from which queries are allowed must be manually configured on the Access Lists tab.
- Disable Auto-added Host Entries
Controls whether or not Unbound registers primary IPv4 and IPv6 addresses of this firewall as records for the system domain as configured in System > General Setup.
When checked, these automatic entries are omitted from the configuration.
- Experimental Bit 0x20 Support
0x20encoded random bits in the DNS query to foil spoofing attempts. See the implementation draft dns-0x20 for more information:
- DNS64 Support
Controls whether or not Unbound enables support for DNS64 (RFC 6147).
DNS64 is used with an IPv6/IPv4 translator to enable client-server communication between an IPv6-only client and an IPv4-only servers.