On 06/19/2016 09:59 PM, pa011 wrote:
> Or are there better working solutions?
I do have only 127.0.0.1 set in my resolv.conf and do use dnsmasq together with strict DNSSEC. It works like a charm, and DNSSEC is really a good thing IMO.
The configuration is straightforward:
# grep -v -e '#' -e'^$' /etc/dnsmasq.conf
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
no-resolv
server=<snip>
server=<snip>
server=<snip>
server=<snip>
server=<snip>
server=<snip>
cache-size=10000
Furthermore, it reduces the load on the upstream DNS servers by 1/3:
# pkill -SIGUSR1 dnsmasq; sleep 1; tail /var/log/messages | grep dnsmasq
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: time 1466367289
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: cache size 10000, 91142/4075150 cache insertions re-used unexpired cache entries.
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: queries forwarded 1665387, queries answered locally 695441
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: DNSSEC memory in use 174384, max 311808, allocated 999984
-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
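Added example (not part of Toralf's post or of dnsmasq): a small Python check that reads a dnsmasq.conf and flags a DNSSEC setup that is missing the validation, downgrade-protection or trust-anchor directives shown above, and parses the SIGUSR1 stats lines to compute the share of queries answered from cache. The sample config and log lines are constructed from the values in the post; the upstream server address is a placeholder.

```python
import re

# Constructed sample config, one directive per line (server address is a placeholder)
SAMPLE_CONF = """\
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
no-resolv
server=192.0.2.1
cache-size=10000
"""

# Constructed sample of the stats dnsmasq logs after SIGUSR1 (numbers from the post)
SAMPLE_LOG = """\
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: time 1466367289
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: queries forwarded 1665387, queries answered locally 695441
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: DNSSEC memory in use 174384, max 311808, allocated 999984
"""

def dnssec_posture(conf_text):
    """Return a list of DNSSEC configuration problems; an empty list means the setup matches the post."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines, like the grep above
        if not line:
            continue
        key, _, value = line.partition('=')
        directives.setdefault(key, []).append(value)
    problems = []
    if 'dnssec' not in directives:
        problems.append('dnssec not enabled: answers are not validated')
    if 'dnssec-check-unsigned' not in directives:
        problems.append('dnssec-check-unsigned missing: unsigned replies are accepted without proof')
    has_anchor = 'trust-anchor' in directives or \
        any('trust-anchors' in v for v in directives.get('conf-file', []))
    if not has_anchor:
        problems.append('no trust anchor configured: validation cannot start at the root')
    return problems

def cache_stats(log_text):
    """Parse the SIGUSR1 stats lines; return (forwarded, answered_locally, local_ratio, dnssec_mem)."""
    fwd = local = mem = None
    for line in log_text.splitlines():
        m = re.search(r'queries forwarded (\d+), queries answered locally (\d+)', line)
        if m:
            fwd, local = int(m.group(1)), int(m.group(2))
        m = re.search(r'DNSSEC memory in use (\d+)', line)
        if m:
            mem = int(m.group(1))
    ratio = local / (fwd + local) if fwd is not None and (fwd + local) else 0.0
    return fwd, local, ratio, mem
```

With the post's numbers the cache answers about 29% of all queries locally, which is the "1/3" reduction in upstream load the post describes.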