1- Can Unbound cache NXDOMAIN responses?
2- Can Unbound change/force the TTL of NXDOMAIN to a value I define?
The purpose of forcing/changing the TTL of NXDOMAIN is for a project to fight SPAM, a.k.a. SPFBL[1].
Because of the project's success here (Brazil), I need to increase the caching of NXDOMAIN on mirror servers to lower CPU usage...
AFAIK, the TTL of NXDOMAIN comes from SOA records, but in my tests, Unbound caches the responses for only 4 seconds...
If I flood with 20 queries like:
# dig @localhost 1.0.0.127.dnsbl.spfbl.net
the first query goes to the 'central' server -- OK, expected (cache is empty)
the other 19 queries come from cache -- OK, expected
waiting 10 seconds, and flooding again...
the first query goes to the 'central' server -- NOT OK, expected to come from the local cache...
How can I force the TTL of NXDOMAIN using Unbound?
What is the negative result TTL if you use this command:
dig 1.0.0.127.dnsbl.spfbl.net +trace +nodnssec
The server matrix.spfbl.net. doesn't respond from here, but using Spamhaus, the tail of the +trace command would show this:
dig 1.0.0.127.xbl.spamhaus.org +trace +nodnssec
xbl.spamhaus.org. 150 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1510250741 3600 600 432000 150
;; Received 108 bytes from 217.149.192.170#53(a.ns.spamhaus.org) in 161 ms
This tells us that the response can only be cached for 150 seconds.
I think cache-min-ttl is for 'positive' responses...
cache-min-negative-ttl sounds like what I need (but there's no such option).
It would be something like this:
if $SOA->MIN_TTL < $cfg->cache-min-negative-ttl { $SOA->MIN_TTL = $cfg->cache-min-negative-ttl; }
Of course it's a violation of the protocol... but what I need is to keep the negative responses in the cache... (because it's a dnsbl server), a lot of queries will return negative (for good mails); the latest test reached 17kk queries / second... 90% negative responses...
All this work is to fight spam (a lot of spam). dnsbl works the inverse of the 'dns service' (negative responses are good).
Thanks for the answers!!!
And... if you like, you can contact me to use/test SPFBL... it can break 90% of spam... and it's open and free!!
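As an added example (not code from this thread or from Unbound), the script below derives the RFC 2308 negative-cache TTL from the SOA line quoted in the earlier reply, applies the floor proposed above under the hypothetical name cache-min-negative-ttl, and replays the "20 queries, wait 10 seconds, 20 more" experiment to show why a 4-second negative TTL sends the first query after the pause upstream.

```python
import re
from collections import namedtuple

Soa = namedtuple("Soa", "owner ttl mname rname serial refresh retry expire minimum")

# SOA line as dig +trace prints it, quoted from the earlier reply in this thread.
SPAMHAUS_SOA_LINE = ("xbl.spamhaus.org. 150 IN SOA need.to.know.only. "
                     "hostmaster.spamhaus.org. 1510250741 3600 600 432000 150")

# Presentation format: <owner> <ttl> IN SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>
_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)

def parse_soa(line):
    """Parse one SOA record in zone-file presentation format."""
    m = _SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not a presentation-format SOA record: %r" % line)
    g = m.groupdict()
    return Soa(g["owner"], int(g["ttl"]), g["mname"], g["rname"], int(g["serial"]),
               int(g["refresh"]), int(g["retry"]), int(g["expire"]), int(g["minimum"]))

def negative_ttl(soa):
    """RFC 2308: a negative answer is cached for min(TTL of the SOA record, SOA MINIMUM field)."""
    return min(soa.ttl, soa.minimum)

def forced_negative_ttl(soa, cache_min_negative_ttl):
    """The floor proposed in the thread (hypothetical option name, not an Unbound setting here):
    never cache a negative answer for fewer than cache_min_negative_ttl seconds."""
    return max(negative_ttl(soa), cache_min_negative_ttl)

def replay_queries(ttl, query_times):
    """Replay queries for one name against a single-entry negative cache with the given TTL.
    query_times are seconds since the first query; returns 'hit' or 'miss' per query."""
    expires_at = None
    outcome = []
    for t in query_times:
        if expires_at is None or t >= expires_at:
            outcome.append("miss")          # goes upstream to the 'central' server
            expires_at = t + ttl
        else:
            outcome.append("hit")
    return outcome

# Constructed timeline of the experiment described in the first post.
EXPERIMENT = [0.0] * 20 + [10.0] * 20

if __name__ == "__main__":
    soa = parse_soa(SPAMHAUS_SOA_LINE)
    print("RFC 2308 negative TTL:", negative_ttl(soa))
    print("misses with 4 s TTL:", replay_queries(4, EXPERIMENT).count("miss"))
    print("misses with 150 s TTL:", replay_queries(150, EXPERIMENT).count("miss"))
```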
Doesn't this control minimum TTLs on all queries, not just negative results?
At least in the context of a mail server, over-caching negative results will only cause a small amount of pain whereas over-caching positive results may cause real deliverability problems.
If this instance of Unbound only handles DNSBL traffic and nothing else, then it's possibly not-too-dangerous, at least if the minimum is kept reasonable. A handful of minutes, perhaps?
Unbound and many modern DNS cache servers do negative caching and respect the negative cache TTL.
But the caching won't work well in some circumstances:
1. The cache size (msg-cache-size, rrset-cache-size) of a heavily-loaded Unbound should be increased. Unbound's default cache size (4 megabytes) is too small for such a busy (17kqps) DNS cache server. If a busy cache server is running with insufficient cache memory, cache entries are deleted and overwritten by newer entries very quickly.
2. Negative responses of a certain format won't be cached, e.g. an NXDOMAIN response which contains no SOA record in its authority section. If dnsbl.spfbl.net's authoritative servers generate such a bad response (I can't confirm that, since the auth server is not reachable from me), ask the operator of the server to use decent software...