- OpenWrt (modification):
- Patch the default configuration file with the tiny memory
- configuration example from Unbound documentation. This is the best
- starting point for embedded routers if one is not going to use UCI.
-
- --- a/doc/example.conf.in
- +++ b/doc/example.conf.in
- @@ -19,6 +19,76 @@ server:
- # verbosity number, 0 is least verbose. 1 is default.
- verbosity: 1
-
- + ############################################################################
- + # MEMORY CONTROL EXAMPLE
- + # In the example config settings below memory usage is reduced. Some ser-
- + # vice levels are lower, notable very large data and a high TCP load are
- + # no longer supported ... are exceptional for the DNS.
- + # (http://unbound.net/documentation/unbound.conf.html)
- + ############################################################################
- +
- + # Self jail Unbound with user "unbound" to /var/lib/unbound
- + # The script /etc/init.d/unbound will setup the location
- + username: "unbound"
- + directory: "/var/lib/unbound"
- + chroot: "/var/lib/unbound"
- +
- + # The pid file is created before privleges drop so no concern
- + pidfile: "/var/run/unbound.pid"
- +
- + # no threads and no memory slabs for threads
- + num-threads: 1
- + msg-cache-slabs: 1
- + rrset-cache-slabs: 1
- + infra-cache-slabs: 1
- + key-cache-slabs: 1
- +
- + # don't be picky about interfaces but consider your firewall
- + interface: 0.0.0.0
- + interface: ::0
- + access-control: 0.0.0.0/0 allow
- + access-control: ::0/0 allow
- +
- + # this limits TCP service but uses less buffers
- + outgoing-num-tcp: 1
- + incoming-num-tcp: 1
- +
- + # use somewhat higher port numbers versus possible NAT issue
- + outgoing-port-permit: "10240-65335"
- +
- + # uses less memory but less performance
- + outgoing-range: 60
- + num-queries-per-thread: 30
- +
- + # exclude large responses
- + msg-buffer-size: 8192
- +
- + # tiny memory cache
- + infra-cache-numhosts: 200
- + msg-cache-size: 100k
- + rrset-cache-size: 100k
- + key-cache-size: 100k
- + neg-cache-size: 10k
- +
- + # gentle on recursion
- + target-fetch-policy: "2 1 0 0 0 0"
- + harden-large-queries: yes
- + harden-short-bufsize: yes
- +
- + # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
- + # -anchor-file:" The init script will copy root key to /var/lib/unbound.
- + # See package documentation for crontab entry to copy RFC5011 results back.
- + #module-config: "validator iterator"
- + #auto-trust-anchor-file: "/var/lib/unbound/root.key"
- +
- + # DNSSEC needs real time to validate signatures. If your device does not
- + # have power off clock (reboot), then you may need this work around.
- + #domain-insecure: "pool.ntp.org"
- +
- + ############################################################################
- + # Resume Stock example.conf.in
- + ############################################################################
- +
- # print statistics to the log (for every thread) every N seconds.
- # Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
|