On pfSense 2.2.6, I switched from dnsmasq to unbound. Resolver/unbound is configured for DNSSEC (i.e., no forwarding) and has about 150 overrides to function as our internal/split DNS (with 5 domain overrides for internal/private-address reverse lookups). The "Network Interfaces" setting has only the LANs selected and the "Outgoing Interfaces" setting has only the WAN interface selected. There are no DNS servers configured via "General Setup". With this setup, I understand that unbound is using multiple root servers instead of a small number of caching servers.

All internal systems are configured to use only pfSense as the DNS. DNS resolution works fine. With dnsmasq, the number of filter states was typically around 125, but with unbound it's now typically around 450, where nearly all the states are (pfSense's) port 53/DNS connections. In addition, the number of states shown via the 1-day RRD graph shows an overall escalation from about 200 filter states to over 600 filter states.

Questions:

- Is it normal to have this kind of increase in the number of UDP DNS-port states when moving to unbound with this kind of configuration?
- Is it normal to have the number of UDP DNS-port states continuously escalate and triple over a 1-day period?
- Can anyone suggest something I may have configured incorrectly?
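A way to check where the extra states actually come from, added here as an example and not part of the original post: the script below parses state lines in the shape printed by `pfctl -ss` on pfSense (interface, protocol, source, optional NAT address in parentheses, arrow, destination, state flags) and summarizes them by interface, protocol and destination port. On a resolver that talks to authoritative servers directly, the tell-tale sign is many UDP/53 states on the WAN side spread over many distinct destination addresses, rather than a handful of states to one or two forwarders. The sample lines and the exact line layout are constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` style output (assumption; not taken from
# the original post). Real output is obtained with `pfctl -ss` on the firewall.
SAMPLE_STATES = """\
wan udp 203.0.113.5:51234 -> 198.41.0.4:53       MULTIPLE:SINGLE
wan udp 203.0.113.5:51235 -> 192.33.4.12:53      MULTIPLE:SINGLE
wan udp 203.0.113.5:51236 -> 199.7.91.13:53      MULTIPLE:SINGLE
lan udp 10.0.1.20:4521 -> 10.0.1.1:53            MULTIPLE:SINGLE
lan udp 10.0.1.21:4522 -> 10.0.1.1:53            MULTIPLE:SINGLE
lan tcp 10.0.1.22:50012 -> 93.184.216.34:443     ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.5:50013 (10.0.1.22:50012) -> 93.184.216.34:443   ESTABLISHED:ESTABLISHED
"""

# iface proto src [(nat-addr)] -> dst state   (assumed pfctl -ss line shape)
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)(?:\s+\(\S+\))?\s+"
    r"(?P<arrow>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def split_host_port(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_states(text):
    """Return one dict per recognised state line; other lines are ignored."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        dst_host, dst_port = split_host_port(m.group("dst"))
        states.append({
            "iface": m.group("iface"),
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst_host": dst_host,
            "dst_port": dst_port,
            "state": m.group("state"),
        })
    return states


def summarize_by_port(states):
    """Count states per (interface, protocol, destination port)."""
    return Counter((s["iface"], s["proto"], s["dst_port"]) for s in states)


def dns_state_share(states):
    """Return (udp/53 state count, total state count)."""
    dns = sum(1 for s in states if s["proto"] == "udp" and s["dst_port"] == 53)
    return dns, len(states)


def distinct_dns_upstreams(states, iface):
    """Number of distinct UDP/53 destinations seen on one interface.

    A resolver querying authoritative servers directly shows many; a
    forwarder shows only its configured upstreams.
    """
    return len({s["dst_host"] for s in states
                if s["iface"] == iface and s["proto"] == "udp"
                and s["dst_port"] == 53})


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    for key, n in sorted(summarize_by_port(parsed).items()):
        print("%-4s %-4s port %-5d %d" % (key[0], key[1], key[2], n))
    dns, total = dns_state_share(parsed)
    print("udp/53 states: %d of %d" % (dns, total))
    print("distinct udp/53 upstreams on wan:", distinct_dns_upstreams(parsed, "wan"))
```

Run it against real output with `pfctl -ss | python3 script.py` by reading `sys.stdin.read()` in place of `SAMPLE_STATES`; a UDP/53 share that keeps rising while the number of distinct upstream addresses also grows is consistent with a resolver talking to many authoritative servers, whereas a rising count to a single destination points at something else worth looking into.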
