On both incoming and outgoing TCP connections, if supported and enabled in the OS. Important or interesting features for us are **highlighted in bold**. **How familiar are you with the codebase?:** I give this submission freely, and claim no ownership to its content. I accept that this submission may not be used, and the pull request closed at the will of the maintainer. I have considered, and confirmed that this submission will be valuable to others. I have checked that () for this purpose does not exist. Failure to do so will delay or deny your request*** ***Please submit all pull requests against the `development` branch. **By submitting this pull request, I confirm the following (please check boxes, … eg ) _Failure to fill the template will close your PR_:** Oh, and I wanted to take the opportunity to congratulate everybody involved in the 5.0 release. So in what cases can the "Use DNSSEC" option be really useful? Not a lot, but enough to be regularly disruptive. But in my experience with my workflow (Pi-hole -> DNS proxy -> Quad9), the Pi-hole validation also introduces some false positives, marking a certain number of requests "Bogus" when they shouldn't be. Nevertheless, enabling the option does give a really neat level of insight about the DNSSEC support of domains with the Secure/Insecure/Bogus status. Use Google, Cloudflare, DNS.WATCH, Quad9, or another DNS server which supports DNSSEC when activating DNSSEC". "If a domain fails validation or the upstream does not support DNSSEC, this setting can cause issues resolving domains. I thought this option could be useful for validating DNSSEC in the event of someone using an upstream DNS resolver not supporting DNSSEC, but the comment under the option in Settings explicitly warns against doing this: In these cases, the DNSSEC validation is always done outside of the Pi-hole. The DNSSEC validation would then be done by the local resolver (Unbound). The DNSSEC validation is still done by the upstream resolver. In this scenario, the DNSSEC validation will be done by the resolver the requests are forwarded to.įorwarding requests to an upstream DNS server that supports DNSSEC while using a local DNS proxy to enable to use of DNSCrypt/DoT/DoH. The way I see it, most of the Pi-hole workflows would most likely fall into one of these categories:įorwarding requests to an upstream DNS server that supports DNSSEC. I have trouble figuring out what is the real usage of the "Use DNSSEC" option in Settings. I'm a big fan of the work you're all doing. I ignore votes for the most part.Hi there! First time poster. I hope your not one of those down voting legit input/concerns in this topic, not sure what is going on here. The steps taken by unbound will be shown in the log you have specified in the unbound configuration. Wait until the IP has exited cache, and query again. If you are running unbound, you can see this process in action. The new request will still be shown as a cache miss in unbound, but unbound gets the result quite quickly anyway. When the IP for the requested domain exits cache in 300 seconds, unbound will go back to the final nameserver and get the IP again (assuming it has not pre-fetched the IP already). Now Pi-hole has the info for the first two nameserver levels in cache for the next 24 hours. In the case of, the recursive process is shown here, for example: On the first recursive lookup with an empty cache, unbound traverses the entire process. If you look at the TTL's for the various nameserver levels, they are quite long (typically 24 hours). It only needs to go to one level in many cases. When a domain has left the unbound cache, that does not mean that to obtain that IP again unbound has to go through the entire recursive process again. Your local instance of unbound likely needs to go to a single nameserver for the same answer (again due to caching), which should take about the same amount of time. That is true, but there is also some delay in going out over the internet to get those cached results from the upstream DNS server. It is way more likely for a bigger upstream DNS used by thousands of users to have your request cached than for a local one.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |