[tor-relays] important DNS tuning for high volume exit relays, fix for Unbound DNS DOS problem



I believe I now understand the cause of exit relay failure when
Unbound is the resolver and GoDaddy null-routes the exit.

Both to prevent this DOS from taking out your relay if Unbound is
running and to maximize DNS performance:

With a local instance of Unbound running, /etc/resolv.conf should look like

   options timeout:5 attempts:1 max-inflight:16384 max-timeouts:1000000
   nameserver 127.0.0.1

With a local instance of 'named' running, /etc/resolv.conf should look like

   options timeout:5 attempts:2 max-inflight:16384 max-timeouts:1000000
   nameserver 127.0.0.1

Background material for the above recommendations can be found at

https://trac.torproject.org/projects/tor/ticket/18580#comment:11
https://unbound.net/pipermail/unbound-users/2016-April/004301.html
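
An added example, not part of the original post: a Python check that parses resolv.conf text and reports where it differs from the values recommended above for a local Unbound or 'named' instance. The function names and the sample file are constructed for illustration.

```python
# Added example: audit resolv.conf text against the values recommended in the post.
RECOMMENDED = {
    "unbound": {"timeout": 5, "attempts": 1, "max-inflight": 16384, "max-timeouts": 1000000},
    "named": {"timeout": 5, "attempts": 2, "max-inflight": 16384, "max-timeouts": 1000000},
}

def parse_resolv_conf(text):
    """Return (options, nameservers) parsed from resolv.conf text."""
    options, nameservers = {}, []
    for raw in text.splitlines():
        # Drop comments ('#' or ';') and surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            # Several 'options' lines accumulate; a later value overrides an earlier one.
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                options[name] = int(value) if value.isdigit() else value
    return options, nameservers

def audit(text, resolver):
    """List deviations from the post's recommendation for 'unbound' or 'named'."""
    options, nameservers = parse_resolv_conf(text)
    findings = []
    for name, want in RECOMMENDED[resolver].items():
        have = options.get(name)  # None when the option is missing entirely
        if have != want:
            findings.append(f"{name}: have {have!r}, post recommends {want}")
    if nameservers != ["127.0.0.1"]:
        findings.append(f"nameserver: have {nameservers}, post recommends ['127.0.0.1']")
    return findings

# Constructed sample, not taken from a real relay: wrong 'attempts' for Unbound,
# no max-timeouts, and a second (documentation-range) nameserver.
SAMPLE = """\
# constructed sample
options timeout:5 attempts:2 max-inflight:16384
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "unbound"):
        print(finding)
```

To check a live system, pass the contents of /etc/resolv.conf to audit() together with the name of the resolver running locally.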