On 12/20/2015 04:11 PM, Jesse V wrote:
> On 12/20/2015 03:47 PM, Green Dream wrote:
>>> Weasel and velope on #tor-project suggested that I remove DNSCrypt
>>> entirely and let Unbound be a recursive resolver against the root DNS
>>> servers, which I have now done.
>>
>> Jesse would you mind sharing how you configured this?
>
> Certainly. My configuration files are here:
> https://gist.github.com/Jesse-V/66fe794bf1b9e4ccf852

For some reason, the original configuration I listed there caused Unbound to take 10-15 seconds to resolve queries that it didn't have in its cache. I suspect some of the hardening flags or perhaps some of the other restrictions. This horrible performance was triggering warnings in my Tor log and many notifications in syslog. I did notice that Unbound was querying more servers than seemed necessary, which may have had something to do with it.

After several hours of trying to diagnose the issue, I replaced the configuration with the performance-enhanced one recommended in http://wiki.sysadminblog.net/Unbound and applied some of the optimization tips suggested in https://unbound.net/documentation/howto_optimise.html. I've updated the Gist to reflect the current, working, and fast configuration. Unbound now takes about 650 ms to resolve something not in its cache!

--
Jesse V