Tweaks + adding explicit no log directives

Enabling TCP Fast Open on DoH frontend
2025-07-17 22:56:28 +02:00 · 2025-07-07 20:32:19 +02:00
2 changed files with 27 additions and 19 deletions
--- a/etc/dnsdist/dnsdist.conf
+++ b/etc/dnsdist/dnsdist.conf
@@ -1,6 +1,6 @@
 -- /etc/dnsdist/dnsdist.conf: dndist conf. file for cantal
 -- 
-- Last edition : 2025-07-06
+-- Last edition : 2025-07-07
 -- Last editor : @Campanu
 -- 
@@ -58,7 +58,8 @@ addDOHLocal(
        minTLSVersion = "tls1.2",
        ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
        ciphersTLS13 = "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
-        customResponseHeaders={["link"]="<https://cantal.luc-geo.fr/#dns> rel=\"service-meta\";type=\"text/html\""}
+        customResponseHeaders={["link"]="<https://cantal.luc-geo.fr/#dns> rel=\"service-meta\";type=\"text/html\""},
        tcpFastOpenQueueSize = 256
    }
 )
--- a/etc/unbound/unbound.conf
+++ b/etc/unbound/unbound.conf
@@ -1,6 +1,6 @@
 # /etc/unbound/unbound.conf : unbound conf. file for cantal
 #
-# Last edition : 2025-07-06
+# Last edition : 2025-07-17
 # Last editor : @Campanu
 #
@@ -31,7 +31,7 @@ server:
 	## Root hints file
 	root-hints: "/etc/unbound/root.hints"
-
+	
 	# Security & privacy
 	harden-algo-downgrade: yes 
 	harden-glue: yes
@@ -39,23 +39,26 @@ server:
 	hide-version: yes
 	qname-minimisation: yes
 	val-clean-additional: yes
-
+	
 	# DNSSEC
 	harden-below-nxdomain: yes
 	harden-dnssec-stripped: yes
 	auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
-
+	
 	## Disabling capitalization randomization to avoid DNSSEC issues
 	use-caps-for-id: no
-
+	
 	## RFC 8198: Aggressive Use of DNSSEC-Validated Cache
 	aggressive-nsec: yes
-
+	
 	# Tweaks
 	num-threads: 2
 	so-reuseport: yes
 	so-rcvbuf: 4m
 	so-sndbuf: 4m
 	prefetch: yes
 	prefetch-key: yes
@@ -66,34 +69,38 @@ server:
 	rrset-cache-slabs: 2
 	infra-cache-slabs: 2
 	key-cache-slabs: 2
-
+	
 	neg-cache-size: 4m
 	key-cache-size: 16m
-	msg-cache-size: 128m
+	msg-cache-size: 64m
-	rrset-cache-size: 256m
+	rrset-cache-size: 128m
-
+	
 	infra-cache-numhosts: 100000
-
+	
 	## TTL
 	cache-min-ttl: 60
 	cache-max-ttl: 86400
-
+	
 	# RFC 8914: Extended DNS Errors
 	ede: yes
 	ede-serve-expired: yes
-
+	
-    # RFC 8767: Serving Stale Data
+	# RFC 8767: Serving Stale Data
-    serve-expired: yes
+	serve-expired: yes
 	serve-expired-ttl: 86400
 	serve-expired-ttl-reset: no
 	serve-expired-reply-ttl: 30
 	serve-expired-client-timeout: 1800
-
+	
 	# Logging
 	use-syslog: no
 	logfile: "/var/log/unbound.log"
 	verbosity: 1
 	log-time-ascii: yes
 	log-queries: no
 	log-replies: no
 	log-servfail: no
 	log-local-actions: no
 remote-control:
 	control-enable: no
Author	SHA1	Message	Date
Lucas MATHIEU	ad5de49d26	Tweaks + adding explicit no log directives	2025-07-17 22:56:28 +02:00
Lucas MATHIEU	f8b323cbb2	Enabling TCP Fast Open on DoH frontend	2025-07-07 20:32:19 +02:00