Created
April 16, 2025 18:21
-
-
Save jult/8f9ec7aeca296e09c11eb1f39cfd4226 to your computer and use it in GitHub Desktop.
compiling unbound on debian with redis cache
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| While compiling my own unbound, with redis cache support, I bumped into this: | |
| configure: error: Cannot find 'python' in your system path. You can use the environment variable 'PYTHON_VERSION=version_number' for an explicit version. | |
| So I did: | |
| PYTHON_VERSION=3 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-libhiredis --with-rootkey-file=/var/lib/unbound/root.key --disable-flto --enable-cachedb --enable-tfo-server | |
| which worked. | |
| I now run blocky, unbound and redis-server with the following config: | |
| blocky: | |
| connectIPVersion: v4 | |
| upstreams: | |
| strategy: strict | |
| groups: | |
| default: | |
| - 127.0.0.1:5335 | |
| blocking: | |
| blockTTL: 4h | |
| denylists: | |
| ads: | |
| - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/light.txt | |
| - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/fake.txt | |
| - https://v.firebog.net/hosts/Prigent-Crypto.txt | |
| - https://phishing.army/download/phishing_army_blocklist_extended.txt | |
| # - https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts | |
| # https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/popupads.txt | |
| special: | |
| # - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts | |
| allowlists: | |
| ads: | |
| - https://jult.net/whitelist.txt | |
| - https://raw.githubusercontent.com/hroyer/pihole-lists/refs/heads/master/lists/allowlist.txt | |
| - https://raw.githubusercontent.com/m0zgen/dns-hole/master/whitelist.txt | |
| - https://raw.githubusercontent.com/m0zgen/dns-hole/master/vendors-wl/microsoft.txt | |
| - https://raw.githubusercontent.com/m0zgen/dns-hole/master/vendors-wl/google.txt | |
| - https://raw.githubusercontent.com/m0zgen/dns-hole/master/regex/common-wl.txt | |
| - cdn.optimizely.com | |
| - api2.branch.io | |
| - s.shopify.com | |
| - cdn.shopify.com | |
| clientGroupsBlock: | |
| default: | |
| - ads | |
| ports: | |
| dns: 53 | |
| http: 4000 | |
| bootstrapDns: | |
| - upstream: 193.78.240.12 | |
| - upstream: 8.8.8.8 | |
| - upstream: 208.67.222.222 | |
| caching: | |
| minTime: 90m | |
| maxTime: 16h | |
| prefetching: true | |
| prefetchExpires: 4h | |
| prefetchThreshold: 10 | |
| log: | |
| level: error | |
| customDNS: | |
| customTTL: 48h | |
| # filterUnmappedTypes: true | |
| # rewrite: | |
| # home: lan | |
| # replace-me.com: with-this.com | |
| mapping: | |
| my.lan.domain 192.168.1.xx | |
| etc. | |
| unbound: | |
| server: | |
| verbosity: 0 | |
| interface: 127.0.0.1 | |
| port: 5335 | |
| do-ip4: yes | |
| do-udp: yes | |
| do-tcp: yes | |
| # do-ip6: no | |
| prefer-ip6: no | |
| root-hints: "/var/lib/unbound/root.hints" | |
| auto-trust-anchor-file: "/var/lib/unbound/root.key" | |
| num-threads: 8 | |
| use-caps-for-id: no | |
| edns-buffer-size: 1232 | |
| so-rcvbuf: 1m | |
| private-address: 192.168.0.0/16 | |
| private-address: 169.254.0.0/16 | |
| private-address: 172.16.0.0/12 | |
| private-address: 10.0.0.0/8 | |
| private-address: fd00::/8 | |
| private-address: fe80::/10 | |
| harden-large-queries: yes | |
| rrset-roundrobin: yes | |
| cache-min-ttl: 0 | |
| cache-max-ttl: 86400 | |
| prefetch: yes | |
| prefetch-key: yes | |
| serve-expired: yes | |
| serve-expired-reply-ttl: 0 | |
| harden-glue: yes | |
| harden-large-queries: yes | |
| harden-dnssec-stripped: yes | |
| harden-algo-downgrade: no | |
| harden-short-bufsize: yes | |
| identity: "Server" | |
| hide-identity: yes | |
| hide-version: yes | |
| do-daemonize: no | |
| neg-cache-size: 8m | |
| qname-minimisation: yes | |
| deny-any: yes | |
| minimal-responses: yes | |
| so-reuseport: yes | |
| so-rcvbuf: 4m | |
| so-sndbuf: 4m | |
| unwanted-reply-threshold: 100000 | |
| # Enable DNS64 | |
| dns64-prefix: 64:ff9b::/96 | |
| local-data: "dns.stro.men A 192.168.1.1" | |
| msg-cache-slabs: 8 | |
| rrset-cache-slabs: 8 | |
| infra-cache-slabs: 8 | |
| key-cache-slabs: 8 | |
| # rrset-cache-size should be twice of msg-cache-size | |
| msg-cache-size: 64m | |
| rrset-cache-size: 128m | |
| # Harden against algorithm downgrade when multiple algorithms are advertised in the DS record | |
| # harden-algo-downgrade: yes | |
| # Ignore very small EDNS buffer sizes from queries. | |
| harden-short-bufsize: yes | |
| # |Logging| | |
| # Verbosity: Default is 1 | |
| # 0 No verbosity, only errors | |
| # 1 Operational information | |
| # 2 Detailed operational information | |
| # 3 Query level information, output per query | |
| # 4 Algorithm level information | |
| # 5 Client identification for cache misses | |
| verbosity: 0 | |
| # Prints one line per query to the log | |
| log-queries: no | |
| # Prints one line per reply to the log | |
| log-replies: no | |
| # Print log lines that say why queries return SERVFAIL to clients | |
| log-servfail: no | |
| # Print log lines to inform about local zone actions. Shows blocked domains | |
| log-local-actions: no | |
| log-time-ascii: yes | |
| # If this option is given, the use-syslog is option is set to "no" | |
| #logfile: /dev/null | |
| # Rotates RRSet order in response (the pseudo-random number is taken from | |
| # the query ID, for speed and thread safety) | |
| rrset-roundrobin: yes | |
| # Control which clients are allowed to make (recursive) queries to this | |
| # server. By default everything is refused, except for localhost | |
| access-control: 127.0.0.0/8 allow | |
| access-control: 192.168.1.0/24 allow | |
| module-config: 'dns64 validator cachedb iterator' | |
| # Cache DB Module Options | |
| cachedb: | |
| # Backend db name. Default db is in-memory backend named "testframe". Use redis | |
| backend: redis | |
| # Seed to calculate hash value from query information. Default is "default" | |
| #secret-seed: "unbound-config" | |
| # |Redis| | |
| # IP address of redis server. Default is 127.0.0.1 | |
| redis-server-host: 127.0.0.1 | |
| # TCP port number of redis server. Default is 6379 | |
| redis-server-port: 6379 | |
| # Period until unbound waits for response from redis sever. Default is 100ms | |
| redis-timeout: 100 | |
| # Redis record expiration. If yes, unbound sets timeout for redis records so | |
| # that redis can evict expired keys automatically. If unbound is configured | |
| # with serve-expired this option internally reverts to no. Default is no | |
| redis-expire-records: no | |
| redis: | |
| # Redis configuration file | |
| # | |
| # Redis must be started with the file path as first argument: | |
| # | |
| # ./redis-server /path/to/redis.conf | |
| ################################## NETWORK ##################################### | |
| bind 127.0.0.1 -::1 | |
| protected-mode yes | |
| port 6379 | |
| tcp-backlog 511 | |
| timeout 0 | |
| tcp-keepalive 300 | |
| ################################# GENERAL ##################################### | |
| daemonize no | |
| supervised systemd | |
| pidfile /run/redis/redis-server.pid | |
| # Log verbosity level (debug, verbose, notice, warning) | |
| loglevel warning | |
| #logfile /var/log/redis/redis-server.log | |
| syslog-enabled yes | |
| # Set the number of databases | |
| databases 1 | |
| always-show-logo no | |
| ################################ SNAPSHOTTING ################################ | |
| # RDB (Redis Database) Persistence | |
| # | |
| # Save the DB to disk - "save <seconds> <changes> [<seconds> <changes> ...]" | |
| # Below option will save the DB: | |
| # * After 43200 secs (12 hrs) if at least 1 change was performed | |
| # * After 7200 secs (2 hrs) if at least 100 changes were performed | |
| # save "" - Disable snapshotting with empty string | |
| save 43200 1 7200 100 | |
| # By default Redis will stop accepting writes if RDB snapshots are enabled and | |
| # the latest background save failed | |
| stop-writes-on-bgsave-error no | |
| # By default compression is enabled. If you want to save some CPU in the saving | |
| # child set it to 'no' | |
| rdbcompression no | |
| # Checksum is placed at the end of the file. Makes it resistant to corruption | |
| # but has performance hit (around 10%) when saving and loading RDB files. It | |
| # can be disabled for maximum performances | |
| rdbchecksum no | |
| # The filename where to dump the DB | |
| dbfilename dump.rdb | |
| # Remove RDB files used by replication in instances without persistence | |
| # enabled. Default is disabled. It ONLY WORKS in instances that have both AOF | |
| # and RDB persistence disabled, otherwise is completely ignored. | |
| rdb-del-sync-files no | |
| # The working directory. DB will be written inside this dir, with the filename | |
| # specified above using dbfilename directive. The Append Only File will also be | |
| # created inside this directory. | |
| dir /var/lib/redis | |
| ################################# REPLICATION ################################# | |
| replica-serve-stale-data yes | |
| replica-read-only yes | |
| repl-diskless-sync yes | |
| repl-diskless-sync-delay 5 | |
| repl-diskless-load disabled | |
| repl-disable-tcp-nodelay no | |
| replica-priority 100 | |
| ################################## SECURITY ################################### | |
| # The ACL Log tracks failed commands and authentication events associated with | |
| # ACLs. ACL Log is stored in memory. Define max entry length of ACL Log below | |
| acllog-max-len 128 | |
| ############################## MEMORY MANAGEMENT ################################ | |
| # Memory usage limit. When limit is reached Redis will try to remove keys based | |
| # on selected eviction policy | |
| maxmemory 16mb | |
| # Maxmemory policy decides how Redis will select what to remove when maxmemory | |
| # is reached. LRU means Least Recently Used | |
| maxmemory-policy allkeys-lru | |
| # LRU, LFU and minimal TTL sample size. Default of 5 produces good enough | |
| # results. 10 Approximates very closely true LRU but costs more CPU. 3 is | |
| # faster but not very accurate. | |
| maxmemory-samples 4 | |
| ############################# LAZY FREEING #################################### | |
| lazyfree-lazy-eviction no | |
| lazyfree-lazy-expire no | |
| lazyfree-lazy-server-del no | |
| replica-lazy-flush no | |
| lazyfree-lazy-user-del no | |
| lazyfree-lazy-user-flush no | |
| ############################ KERNEL OOM CONTROL ############################## | |
| oom-score-adj no | |
| oom-score-adj-values 0 200 800 | |
| #################### KERNEL transparent hugepage CONTROL ###################### | |
| disable-thp yes | |
| ############################## APPEND ONLY MODE ############################### | |
| # AOF (Append Only File) Persistence | |
| # | |
| appendonly no | |
| appendfilename "appendonly.aof" | |
| appenddirname "appendonlydir" | |
| appendfsync everysec | |
| no-appendfsync-on-rewrite no | |
| auto-aof-rewrite-percentage 100 | |
| auto-aof-rewrite-min-size 64mb | |
| aof-load-truncated yes | |
| aof-use-rdb-preamble yes | |
| aof-timestamp-enabled no | |
| ################################## SLOW LOG ################################### | |
| slowlog-log-slower-than 10000 | |
| slowlog-max-len 16 | |
| ################################ LATENCY MONITOR ############################## | |
| # Default is disabled | |
| latency-monitor-threshold 0 | |
| ############################# EVENT NOTIFICATION ############################## | |
| # Default is disabled | |
| notify-keyspace-events "" | |
| ############################### ADVANCED CONFIG ############################### | |
| hash-max-ziplist-entries 512 | |
| hash-max-ziplist-value 64 | |
| list-max-ziplist-size -2 | |
| list-compress-depth 0 | |
| set-max-intset-entries 512 | |
| zset-max-ziplist-entries 128 | |
| zset-max-ziplist-value 64 | |
| hll-sparse-max-bytes 3000 | |
| stream-node-max-bytes 4096 | |
| stream-node-max-entries 100 | |
| activerehashing yes | |
| client-output-buffer-limit normal 0 0 0 | |
| client-output-buffer-limit replica 256mb 64mb 60 | |
| client-output-buffer-limit pubsub 32mb 8mb 60 | |
| hz 4 | |
| dynamic-hz yes | |
| aof-rewrite-incremental-fsync yes | |
| rdb-save-incremental-fsync yes | |
| ########################### ACTIVE DEFRAGMENTATION ####################### | |
| # Jemalloc background thread for purging will be enabled by default | |
| jemalloc-bg-thread yes | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment