giftmessenger.blogg.se

Local dns vs upstream dns nxfilter

Ensure that AD bit is reset on answers from `-address=//`. This fix passes cache entries back from the TCP child process to the main server process, and fixes the problem. With the coming of DNSSEC, it's now the case that some DNSSEC queries have answers which spill to TCP, and if, for instance, this applies to the keys for the root then those never get cached, and performance is very bad. A side-effect of this is that any DNS queries answered from TCP connections are not cached: when TCP connections were rare, this was not a problem. **Improve cache behavior for TCP connections.** For ease of implementation, we always forked a new process to handle each incoming TCP connection. Add DHCPv6 ntp-server (56) option handling Add tag filtering of `dhcp-host` directives Support prefixed ranges of IPv6 addresses in `dhcp-host` Support DHCP option 150 (TFTP server address, RFC 5859)


The root cause is probably a buggy operating system/configuration of devices, but this patch adds a configuration workaround on server side when fixing clients is impossible. In our production environment, we discovered that some devices are using 'client identifier' not unique at all, resulting in IP address conflicts between several devices (we saw up to four devices using same IP address). List: always-ignore-client-identifier#post4 The idea of this option was already discussed years ago on the mailing **Add `dhcp-ignore-clid` configuration option** This enables allocation of addresses by the DHCP server in subnets where the server (or relay) doesn't have an interface on the network in that subnet. On both incoming and outgoing TCP connections, if supported and enabled in the OS. Important or interesting features for us are **highlighted in bold**. **How familiar are you with the codebase?:** I give this submission freely, and claim no ownership to its content.


I accept that this submission may not be used, and the pull request closed at the will of the maintainer. I have considered, and confirmed that this submission will be valuable to others. I have checked that () for this purpose does not exist. Failure to do so will delay or deny your request*** ***Please submit all pull requests against the `development` branch. **By submitting this pull request, I confirm the following (please check boxes, … eg ) _Failure to fill the template will close your PR_:** Oh, and I wanted to take the opportunity to congratulate everybody involved in the 5.0 release. So in what cases can the "Use DNSSEC" option be really useful? Not a lot, but enough to be regularly disruptive. But in my experience with my workflow (Pi-hole -> DNS proxy -> Quad9), the Pi-hole validation also introduces some false positives, marking a certain number of requests "Bogus" when they shouldn't be. Nevertheless, enabling the option does give a really neat level of insight about the DNSSEC support of domains with the Secure/Insecure/Bogus status. Use Google, Cloudflare, DNS.WATCH, Quad9, or another DNS server which supports DNSSEC when activating DNSSEC". "If a domain fails validation or the upstream does not support DNSSEC, this setting can cause issues resolving domains. I thought this option could be useful for validating DNSSEC in the event of someone using an upstream DNS resolver not supporting DNSSEC, but the comment under the option in Settings explicitly warns against doing this: In these cases, the DNSSEC validation is always done outside of the Pi-hole.


The DNSSEC validation would then be done by the local resolver (Unbound). The DNSSEC validation is still done by the upstream resolver. In this scenario, the DNSSEC validation will be done by the resolver the requests are forwarded to. Forwarding requests to an upstream DNS server that supports DNSSEC while using a local DNS proxy to enable the use of DNSCrypt/DoT/DoH.


The way I see it, most of the Pi-hole workflows would most likely fall into one of these categories: Forwarding requests to an upstream DNS server that supports DNSSEC. I have trouble figuring out what is the real usage of the "Use DNSSEC" option in Settings. I'm a big fan of the work you're all doing.













