From 833852009729269b06b8970f3bb61adf16e38bd3 Mon Sep 17 00:00:00 2001
From: DL6ER
Date: Sat, 12 May 2018 16:59:22 +0200
Subject: [PATCH] Change suggested unbound documentation as discussed in https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378

Signed-off-by: DL6ER
---
 docs/guides/unbound.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/guides/unbound.md b/docs/guides/unbound.md
index bad3cb0..dde1c9a 100644
--- a/docs/guides/unbound.md
+++ b/docs/guides/unbound.md
@@ -85,13 +85,13 @@ server:
 # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
 harden-dnssec-stripped: yes

- # Use Capitalization randomization
- # This is an experimental resilience method which uses upper and lower case letters
- # in the question hostname to obtain randomness. Two names with the same spelling
- # but different case should be treated as identical. Attackers hoping to poison a
- # DNS cache must guess the mixed-case encoding of the query. This increases the
- # difficulty of such an attack significantly
- use-caps-for-id: yes
+ # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+ # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+ use-caps-for-id: no
+
+ # Reduce EDNS reassembly buffer size.
+ # Suggested by the unbound man page to reduce fragmentation reassembly problems
+ edns-buffer-size: 1472

 # TTL bounds for cache
 cache-min-ttl: 3600
@@ -133,4 +133,4 @@ Finally, configure Pi-hole to use your recursive DNS server:

 ![screenshot at 2018-04-18](../images/RecursiveResolver.png)

-(don't forget to hit Return or click on `Save`)
\ No newline at end of file
+(don't forget to hit Return or click on `Save`)
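Review bot: In the first hunk, the new comment above `use-caps-for-id: no` drops the removed text's explanation that case randomization makes cache poisoning harder, so a reader copying the config cannot see that a spoofing mitigation is being turned off. I would keep one line on the trade-off, for example `# Note: this removes the extra query entropy against spoofed answers; DNSSEC validation still applies to signed zones`, and fix the wording to `as it is known to cause DNSSEC issues sometimes`. The comment on `edns-buffer-size: 1472` should also say why that value was chosen; presumably it keeps a UDP response inside a 1500-byte Ethernet MTU over IPv4, which is worth confirming against the man page it cites, since IPv6 or tunnelled paths may need a smaller value.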