
  1. OpenWrt (modification):
  2. Patch the default configuration file with the tiny memory
  3. configuration example from Unbound documentation. This is the best
  4. starting point for embedded routers if one is not going to use UCI.
  5. Index: doc/example.conf.in
  6. ===================================================================
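--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -15,6 +15,76 @@ server:
 # verbosity number, 0 is least verbose. 1 is default.
 verbosity: 1
+ ############################################################################
+ # MEMORY CONTROL EXAMPLE
+ # In the example config settings below memory usage is reduced. Some ser-
+ # vice levels are lower, notable very large data and a high TCP load are
+ # no longer supported ... are exceptional for the DNS.
+ # (http://unbound.net/documentation/unbound.conf.html)
+ ############################################################################
+
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid"
+
+ # no threads and no memory slabs for threads
+ num-threads: 1
+ msg-cache-slabs: 1
+ rrset-cache-slabs: 1
+ infra-cache-slabs: 1
+ key-cache-slabs: 1
+
+ # don't be picky about interfaces but consider your firewall
+ interface: 0.0.0.0
+ interface: ::0
+ access-control: 0.0.0.0/0 allow
+ access-control: ::0/0 allow
+
+ # this limits TCP service but uses less buffers
+ outgoing-num-tcp: 1
+ incoming-num-tcp: 1
+
+ # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335"
+
+ # uses less memory but less performance
+ outgoing-range: 60
+ num-queries-per-thread: 30
+
+ # exclude large responses
+ msg-buffer-size: 8192
+
+ # tiny memory cache
+ infra-cache-numhosts: 200
+ msg-cache-size: 100k
+ rrset-cache-size: 100k
+ key-cache-size: 100k
+ neg-cache-size: 10k
+
+ # gentle on recursion
+ target-fetch-policy: "2 1 0 0 0 0"
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around.
+ #domain-insecure: "pool.ntp.org"
+
+ ############################################################################
+ # Resume Stock example.conf.in
+ ############################################################################
+
 # print statistics to the log (for every thread) every N seconds.
 # Set to "" or 0 to disable. Default is disabled.
 # statistics-interval: 0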
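Review bot: The added `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow` lines, together with `interface: 0.0.0.0` and `interface: ::0`, make this example an open recursive resolver whose only protection is the firewall mentioned in the comment above them. On a router the wildcard bind includes the WAN address, so a single firewall mistake exposes recursion to the internet, where open resolvers are routinely abused for reflection/amplification and cache probing. I would ship the example limited to loopback and the LAN, e.g. `access-control: 127.0.0.0/8 allow`, `access-control: ::1 allow` and `access-control: 192.168.0.0/16 allow` (the last is a sample value to be set to the real LAN prefix), and let users widen it deliberately. Separately, `outgoing-port-permit: "10240-65335"` looks like a typo for 65535; if so, it leaves the top 200 ports out of source-port randomisation.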