|
OpenWrt (modification):
|
|
Patch the default configuration file with the tiny memory
|
|
configuration example from Unbound documentation. This is the best
|
|
starting point for embedded routers if one is not going to use UCI.
|
|
|
|
--- a/doc/example.conf.in
|
|
+++ b/doc/example.conf.in
|
|
@@ -19,6 +19,76 @@ server:
|
|
# verbosity number, 0 is least verbose. 1 is default.
|
|
verbosity: 1
|
|
|
|
+ ############################################################################
|
|
+ # MEMORY CONTROL EXAMPLE
|
|
+ # In the example config settings below memory usage is reduced. Some ser-
|
|
+ # vice levels are lower, notable very large data and a high TCP load are
|
|
+ # no longer supported ... are exceptional for the DNS.
|
|
+ # (http://unbound.net/documentation/unbound.conf.html)
|
|
+ ############################################################################
|
|
+
|
|
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
|
|
+ # The script /etc/init.d/unbound will setup the location
|
|
+ username: "unbound"
|
|
+ directory: "/var/lib/unbound"
|
|
+ chroot: "/var/lib/unbound"
|
|
+
|
|
+ # The pid file is created before privleges drop so no concern
|
|
+ pidfile: "/var/run/unbound.pid"
|
|
+
|
|
+ # no threads and no memory slabs for threads
|
|
+ num-threads: 1
|
|
+ msg-cache-slabs: 1
|
|
+ rrset-cache-slabs: 1
|
|
+ infra-cache-slabs: 1
|
|
+ key-cache-slabs: 1
|
|
+
|
|
+ # don't be picky about interfaces but consider your firewall
|
|
+ interface: 0.0.0.0
|
|
+ interface: ::0
|
|
+ access-control: 0.0.0.0/0 allow
|
|
+ access-control: ::0/0 allow
|
|
+
|
|
+ # this limits TCP service but uses less buffers
|
|
+ outgoing-num-tcp: 1
|
|
+ incoming-num-tcp: 1
|
|
+
|
|
+ # use somewhat higher port numbers versus possible NAT issue
|
|
+ outgoing-port-permit: "10240-65335"
|
|
+
|
|
+ # uses less memory but less performance
|
|
+ outgoing-range: 60
|
|
+ num-queries-per-thread: 30
|
|
+
|
|
+ # exclude large responses
|
|
+ msg-buffer-size: 8192
|
|
+
|
|
+ # tiny memory cache
|
|
+ infra-cache-numhosts: 200
|
|
+ msg-cache-size: 100k
|
|
+ rrset-cache-size: 100k
|
|
+ key-cache-size: 100k
|
|
+ neg-cache-size: 10k
|
|
+
|
|
+ # gentle on recursion
|
|
+ target-fetch-policy: "2 1 0 0 0 0"
|
|
+ harden-large-queries: yes
|
|
+ harden-short-bufsize: yes
|
|
+
|
|
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
|
|
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
|
|
+ # See package documentation for crontab entry to copy RFC5011 results back.
|
|
+ #module-config: "validator iterator"
|
|
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
|
|
+
|
|
+ # DNSSEC needs real time to validate signatures. If your device does not
|
|
+ # have power off clock (reboot), then you may need this work around.
|
|
+ #domain-insecure: "pool.ntp.org"
|
|
+
|
|
+ ############################################################################
|
|
+ # Resume Stock example.conf.in
|
|
+ ############################################################################
|
|
+
|
|
# print statistics to the log (for every thread) every N seconds.
|
|
# Set to "" or 0 to disable. Default is disabled.
|
|
# statistics-interval: 0
|