Unbound - Authoritative Recursive Caching DNS Server

It is reported in your link.
Code:
unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | egrep 'total.num|cache.count'
Ah! I will have to wait, changing cache-max-negative-ttl: (to) 0 reset my stats. Used rl command after editing conf. Will report back after more requests go through.
 
It is reported in your link. In the installer script there is also the report option
Code:
unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | egrep 'total.num|cache.count'
Do you use Diversion?
Yes, over 1 million domains blocked (only reason I keep it), well that and HTTPS ad-blocking (and seeing no "ad" placeholder breaking my webpages)...and honestly I don't see anything but an increase in page loading and general performance (if there's a hit I cannot perceive it).
 
I believe you will not get a good report.

Over time you will notice that this does not resolve and that wildcard domains boil down. In addition to that usually break any DNS resolver.
I don't know what you mean, so far I have not had anything broken with Diversion + Unbound. Sorry I wasn't taking a shot at alternatives, I just like the features. Keep in mind I am not using upstream DNS, I prefer to get the answers from the source with stock Unbound, as DNSSEC would prevent tampering anyway as all root DNS servers require it to be implemented.

Snooping I do not care about, as my ISP would do deep packet inspection anyway even if I use DoT or others. End result IP still goes thru my ISP. For other stuff, VPN
 
I referred to the big lists, you mentioned
Ah, so you mean within it, it may break something going forward. Sorry, I misunderstood you! It came from Skynet when you pair them together. It downloads the "plus" blocklist which is >1M. Not from another party, just from Diversion + Skynet combined. List comes from Diversion/Skynet team
 
Unbound Installer v1.18 available

NOTE: After upgrading and unbound is ACTIVE, you MUST use
Code:
i  = Update ('/opt/var/lib/unbound/') unbound Configuration

to refresh the '/init.d/S61unbound' script, as this now contains the critical POSTCMD="service restart_dnsmasq" to ensure the successful operation of unbound/dnsmasq.

Option to enable or disable DoH in Firefox, the script should prompt the user for the option. Uncommenting the include option and downloading the file.
Code:
#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################
add on cron update root server's /jffs/scripts/services-start
Code:
cru a root_servers  "0 2 */15 * * curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache"
It will be removed from the adblock script. If the user does not want to install native adblock.
Add the cron job to download the InterNIC root DNS Server list every 15th day @02:00
Add Option to implement DISABLING Firefox DNS-over-HTTPS (DoH) for USA users

Check
[✔] Enable STOP-DNS-REBIND support=NO
I suggest that this configuration pre-reqs information is right at the opening of the script. The script will parse router configuration pre-reqs before installing unbound.
The recommended pre-reqs stats is now displayed prior to Installing/Updating the unbound environment, and the user can decide to continue or ABORT the Installation/Update:
Code:
i  = Begin unbound Installation Process ('/opt/var/lib/unbound/')
z  = Remove Existing unbound Installation
?  = About Configuration


e  = Exit Script


Option ==> i


    Router Configuration recommended pre-reqs status:

    [✔] Swapfile=262140 kB
    [✖] ***ERROR DNS Filter is OFF!                                             see http://192.168.1.1/DNSFilter.asp LAN->DNSFilter Enable DNS-based Filtering
    [✖] ***ERROR WAN: Use local caching DNS server as system resolver=YES       see http://192.168.1.1/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
    [✖] ***ERROR Enable local NTP server=NO                                     see http://192.168.1.1/Advanced_System_Content.asp ->Basic Config
    [✔] Enable DNS Rebind protection=NO
    [✖] Warning Enable DNSSEC support=YES                                       see http://192.168.1.1/Advanced_WAN_Content.asp ->WAN DNS Setting


    The router does not currently meet ALL of the recommended pre-reqs as shown above.
    However, whilst they are recommended, you may proceed with the unbound INSTALL
    as the recommendations are NOT usually FATAL.

    Press Y to continue unbound INSTALL  or press ENTER to ABORT
The pre-reqs together with the implemented options can be displayed on-demand
Code:
Option ==> ?


    Version=1.18
    Local                               md5=0352f367927819a15e3038e28b09e1e3
    Github                              md5=0c61efb14df7930b374d075affbdb5f6
    /jffs/scripts/unbound_installer.md5 md5=0c61efb14df7930b374d075affbdb5f6

    Router Configuration recommended pre-reqs status:

    [✔] Swapfile=262140 kB
    [✖] ***ERROR DNS Filter is OFF!                                             see http://192.168.1.1/DNSFilter.asp LAN->DNSFilter Enable DNS-based Filtering
    [✖] ***ERROR WAN: Use local caching DNS server as system resolver=YES       see http://192.168.1.1/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
    [✖] ***ERROR Enable local NTP server=NO                                     see http://192.168.1.1/Advanced_System_Content.asp ->Basic Config
    [✔] Enable DNS Rebind protection=NO
    [✖] Warning Enable DNSSEC support=YES                                       see http://192.168.1.1/Advanced_WAN_Content.asp ->WAN DNS Setting

    Options:

    [✔] Unbound CPU/Memory Performance tweaks
    [✔] Stubby Integration
    [✔] Ad and Tracker Blocking
    [✔] Firefox DNS-over-HTTPS (DoH) DISABLER/Blocker
Renamed menu options 'i' and 'z' but the original options '1'/'2' are still available but will be deprecated in a later release.
Add menu options 's+' and 's-' to turn Extended Statistics On/Off (Without Extended Statistics option 's' won't report cache metrics).
Code:
i  = Update ('/opt/var/lib/unbound/') unbound Configuration             l  = Show unbound LIVE log entries (lx=Disable Logging)
z  = Remove Existing unbound Installation                               v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit; vh=View Example Configuration)
?  = About Configuration                                                rl = Reload unbound Configuration (Doesn't interrupt/halt unbound)
                                                                        oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound                                         s  = Display unbound statistics (s=Summary Totals; sa=All; s{+|-}=Extended Statistics On/Off)


e  = Exit Script
 
Unbound Installer v1.18 available
This looks like it is going to be AMTUNBOUND, so many options. When are you guys going to dive into IPSet rules and some advanced unbound features to make this an actual game changer?
 
Ah! I will have to wait, changing cache-max-negative-ttl: (to) 0 reset my stats. Used rl command after editing conf. Will report back after more requests go through.
Here is my result as of tonight, will report back after reset-neg-cache expires (apologies for format, the command you linked to view cache stats did not work for me for some reason):
Code:
thread0.num.queries=5235 thread0.requestlist.current.user=0 total.requestlist.max=44
thread0.num.queries_ip_ratelimited=0 thread0.recursion.time.avg=0.211089 total.requestlist.overwritten=0
thread0.num.cachehits=3243 thread0.recursion.time.median=0.0726139 total.requestlist.exceeded=0
thread0.num.cachemiss=1992 thread0.tcpusage=0 total.requestlist.current.all=0
thread0.num.prefetch=1392 total.num.queries=5235 total.requestlist.current.user=0
thread0.num.zero_ttl=1435 total.num.queries_ip_ratelimited=0 total.recursion.time.avg=0.211089
thread0.num.recursivereplies=1992 total.num.cachehits=3243 total.recursion.time.median=0.0726139
thread0.requestlist.avg=2.47015 total.num.cachemiss=1992 total.tcpusage=0
thread0.requestlist.max=44 total.num.prefetch=1392 time.now=1578614759.345245
thread0.requestlist.overwritten=0 total.num.zero_ttl=1435 time.up=41532.320379
thread0.requestlist.exceeded=0 total.num.recursivereplies=1992 time.elapsed=41532.320379
thread0.requestlist.current.all=0 total.requestlist.avg=2.47015
 
Diversion + Unbound
Although possible to live with, I do not recommend. Diversion + dnsmasq is adequate.
It downloads the "plus" blocklist which is >1M. Not from another party, just from Diversion + Skynet combined. List comes from Diversion/Skynet team
Over time I came to consider Steven Black an oracle. It goes for me, what matters is not the number of domains, but the efficiency of wildcards. I am currently focused on this, on CNAME's and CDN's. I'm almost in for something good for unbound.
 
Hey again all, I read up on some interesting features of Unbound config - namely "serve-expired: yes" which if you live in a home / location with repetitive queries, is extremely helpful. It does NOT keep cached queries forever, but rather once TTL reaches 0 and a client asks for the cached response again, Unbound will fetch a brand new recursive response immediately after, and store it for next use in cache. There is also an option to limit how long this would be acceptable.

I am seeing massive performance gains with this, but as with all configs, your mileage may vary.

Capture.png


In addition, it seems prefetch will only work when there is only 10% of TTL time left. Found the info here: https://forum.netgate.com/topic/142561/serve-expired-clearification/5 where the author of that Unbound feature explains it in the comments. See below:

The issue with the prefetch feature is it only works if you do a DNS lookup when less than 10% of the TTL is left, so basically with a 30 secs TTL, if you don't do another lookup within the last 3 seconds of the TTL, then prefetch isn't providing you any benefit. Its operating scope is too narrow.

So unbound implemented serve expired, what it does is when a record is expired, it will stay in the cache with the TTL value as 0, if another lookup comes in from the LAN (or to whatever networks your unbound is serving), then it will be served as a cached record for performance. However at the same time a new lookup is initiated from unbound to the authoritative server, so when there is a newer lookup later, it will serve a newer record.

So it's important to note the same expired record isn't served forever, it's only served once, then a new one is fetched.
Now, yes, I saw the picture. Excellent performance. Let's study properly and safely. We all appreciate your feedback.
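
The prefetch window and the serve-expired behaviour described in the quoted explanation above can be modelled for a single cached record. This is an added example, not code from the thread or from Unbound; `classify_queries` is a hypothetical helper, and the model assumes `prefetch: yes` and that every refresh completes before the next lookup arrives.

```shell
#!/bin/sh
# Added example: simplified single-record model of prefetch vs serve-expired.
# It is NOT Unbound's implementation; it only follows the rules quoted above.
#
# classify_queries TTL SERVE_EXPIRED SERVE_EXPIRED_TTL T1 [T2 ...]
#   TTL                record TTL in seconds
#   SERVE_EXPIRED      yes | no          (serve-expired)
#   SERVE_EXPIRED_TTL  seconds after expiry a stale answer may still be
#                      served; 0 means no limit (serve-expired-ttl)
#   T1 T2 ...          lookup times in seconds, ascending
# Prints one word per lookup:
#   miss      nothing usable in cache, client waits for full recursion
#   hit       answered from cache, nothing else happens
#   prefetch  answered from cache inside the last 10% of the TTL,
#             record refreshed in the background
#   stale     expired record answered (TTL 0), record refreshed in background
classify_queries() {
    ttl=$1; serve=$2; stale_ttl=$3; shift 3
    printf '%s\n' "$@" | LC_ALL=C awk \
        -v ttl="$ttl" -v serve="$serve" -v stale_ttl="$stale_ttl" '
        {
            t = $1 + 0
            age = t - fetched                 # seconds since last fetch
            if (!cached)
                r = "miss"
            else if (age < ttl - ttl / 10)    # first 90% of the TTL
                r = "hit"
            else if (age < ttl)               # last 10%: prefetch window
                r = "prefetch"
            else if (serve == "yes" &&
                     (stale_ttl == 0 || age - ttl <= stale_ttl))
                r = "stale"
            else
                r = "miss"
            # Every outcome except a plain hit stores a fresh record.
            if (r != "hit") { fetched = t; cached = 1 }
            out = out (NR > 1 ? " " : "") r
        }
        END { print out }'
}

# The 30-second-TTL case from the quote: lookups every 20 s never land in
# the 3-second prefetch window, so only serve-expired avoids the wait.
classify_queries 30 no  0    0 20 40
classify_queries 30 yes 3600 0 20 40
```

With these inputs the first call ends in `miss` and the second in `stale`, which is the narrow-window effect the quote describes.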
 
Report 30 minutes with unbound with these options.
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 3600
cache-max-negative-ttl: 60

Code:
unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num

total.num.queries=1785
total.num.queries_ip_ratelimited=0
total.num.cachehits=1281
total.num.cachemiss=504
total.num.prefetch=147
total.num.zero_ttl=123
total.num.recursivereplies=504

Next step with this
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 900
cache-max-negative-ttl: 60
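
To compare runs like the two stats reports posted above, the `total.num.*` counters can be reduced to ratios. This is an added example, not part of unbound_installer; `summarize_stats` and the sample functions are hypothetical names, and the sample data is constructed from the counters posted in this thread. It accepts both the one-counter-per-line output and the multi-column paste.

```shell
#!/bin/sh
# Added example: summarise `unbound-control stats_noreset` counters.
#
# summarize_stats reads stats text on stdin and prints one line:
#   queries=N hit_pct=X stale_pct=Y prefetch_pct=Z
# hit_pct      total.num.cachehits / total.num.queries
# stale_pct    total.num.zero_ttl  / total.num.queries
#              (replies sent with TTL 0 from an expired cache entry)
# prefetch_pct total.num.prefetch  / total.num.queries
#              (prefetches are already counted inside cachehits)
# Returns non-zero when no queries were recorded.
summarize_stats() {
    # Split "k=v k=v k=v" lines so every counter sits on its own line.
    tr -s ' \t' '\n\n' | LC_ALL=C awk -F= '
        $1 ~ /^total\.num\./ && $2 ~ /^[0-9]+$/ { v[$1] = $2 }
        END {
            q = v["total.num.queries"] + 0
            if (q == 0) { print "queries=0"; exit 1 }
            printf "queries=%d hit_pct=%.1f stale_pct=%.1f prefetch_pct=%.1f\n",
                q,
                100 * v["total.num.cachehits"] / q,
                100 * v["total.num.zero_ttl"] / q,
                100 * v["total.num.prefetch"] / q
        }'
}

# Constructed sample: the 30-minute run posted above, one counter per line.
sample_run_30min() {
    cat <<'EOF'
total.num.queries=1785
total.num.queries_ip_ratelimited=0
total.num.cachehits=1281
total.num.cachemiss=504
total.num.prefetch=147
total.num.zero_ttl=123
total.num.recursivereplies=504
EOF
}

# Constructed sample: lines from the earlier multi-column paste.
sample_run_multicolumn() {
    cat <<'EOF'
thread0.num.prefetch=1392 total.num.queries=5235 total.requestlist.current.user=0
thread0.num.zero_ttl=1435 total.num.queries_ip_ratelimited=0 total.recursion.time.avg=0.211089
thread0.num.recursivereplies=1992 total.num.cachehits=3243 total.recursion.time.median=0.0726139
thread0.requestlist.avg=2.47015 total.num.cachemiss=1992 total.tcpusage=0
thread0.requestlist.max=44 total.num.prefetch=1392 time.now=1578614759.345245
thread0.requestlist.overwritten=0 total.num.zero_ttl=1435 time.up=41532.320379
EOF
}

sample_run_30min | summarize_stats
sample_run_multicolumn | summarize_stats
```

On the router the same function can be fed directly: `unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | summarize_stats`.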
 
Unbound Installer v1.19 available.

This release is for users that wish to quickly test different 'unbound.conf' settings, and provides enhanced functionality for
Code:
rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
The unbound configuration files should be stored in '/opt/var/share/unbound/configs/' (moved from '/jffs/configs/')

During the install, two 'backup' config files are created:
  • '/opt/var/share/unbound/configs/reset.conf' (The original configuration downloaded from GitHub)
  • '/opt/var/share/unbound/configs/user.conf' (The custom configuration which contains the Optional user mods depending on the Options selected or auto-IPV6 etc.)
So to recover from a bad configuration

Code:
Option ==> rl bad

Reloading 'unbound.conf' <<== /opt/share/unbound/configs/bad.conf status=/opt/var/lib/unbound/unbound.conf:123: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1578656423] unbound-control[8341:0] fatal error: could not read config file

/opt/var/lib/unbound/unbound.conf:123: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1578656423] unbound-control[8373:0] fatal error: could not read config file
/opt/var/lib/unbound/unbound.conf:123: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1578656423] unbound-control[8377:0] fatal error: could not read config file
[: 86400: unknown operand
/opt/bin/unbound_installer: line 1270: arithmetic syntax error
/opt/var/lib/unbound/unbound.conf:123: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1578656423] unbound-control[8382:0] fatal error: could not read config file
 uptime: (#SomewhereovertheRainbow Version=?.??)
u  = Push to Github PENDING for (Minor) unbound_installer >>>> v1.18
/opt/var/lib/unbound/unbound.conf:123: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1578656423] unbound-control[8410:0] fatal error: could not read config file
/opt/var/lib/unbound/unbound.conf:123: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1578656423] unbound-control[8412:0] fatal error: could not read config file
/opt/var/lib/unbound/unbound.conf:123: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1578656423] unbound-control[8421:0] fatal error: could not read config file


i  = Update ('/opt/var/lib/unbound/') unbound Configuration     l  = Show unbound log entries (lo=Enable Logging)
z  = Remove Existing unbound Installation                       v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit; vh=View Example Configuration)
?  = About Configuration                                        rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
                                                                oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound                                 s  = Show unbound statistics (s=Summary Totals; sa=All; s+=Enable Extended Stats)
e  = Exit Script

Option ==>

Enter either 'rl reset' or 'rl user' to quickly recover

e.g. Load the configuration file that was generated by the user's responses to the install Option prompts or auto-IPv6 mods.
Code:
Option ==> rl user

Reloading 'unbound.conf' <<== /opt/share/unbound/configs/user.conf status=ok

unbound (pid 3113) is running... uptime: 0 Days, 01:01:48 version: 1.9.3 (# rgnldo User Install Custom Version vx.xx (Date Loaded by unbound_installer Fri Jan 10 11:43:15 GMT 2020))

i  = Update ('/opt/var/lib/unbound/') unbound Configuration     l  = Show unbound log entries (lo=Enable Logging)
z  = Remove Existing unbound Installation                       v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit; vh=View Example Configuration)
?  = About Configuration                                        rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
                                                                oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
rs = Restart (or Start) unbound                                 s  = Show unbound statistics (s=Summary Totals; sa=All; s+=Enable Extended Stats)
e  = Exit Script

Option ==>
As an aid to identifying which configuration is ACTIVE, the script will assume the first line of a config will have a 'Version' comment in the form:
Code:
# xxxxxxxxxxx Version xxxxxxx  (Date Loaded xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
i.e. if the word 'Version' (case insensitive) is found, then the line will be displayed

If the literal '(Date Loaded' is found, then the script will replace it with '(Date Loaded (Date Loaded by unbound_installer ddd mmm dd hh:mm:ss zzz yyyy)
e.g.
Code:
unbound (pid 3113) is running... uptime: 0 Days, 01:01:48 version: 1.9.3 (# rgnldo User Install Custom Version vx.xx (Date Loaded by unbound_installer Fri Jan 10 11:43:15 GMT 2020))
It is recommended that you backup any custom configuration to say '/opt/var/share/unbound/mycustomtweaks.conf' then run
Code:
i  = Update ('/opt/var/lib/unbound/') unbound Configuration
to create the two recovery files '/opt/var/share/unbound/user.conf' and '/opt/var/share/unbound/reset.conf', then you can quickly reload your custom configuration
Code:
Option ==> rl mycustomtweaks
 
During the install, two 'backup' config files are created:
  • '/opt/var/share/unbound/configs/reset.conf' (The original configuration downloaded from GitHub)
  • '/opt/var/share/unbound/configs/user.conf' (The custom configuration which contains the Optional user mods depending on the Options selected or auto-IPV6 etc.)
I was just thinking about this possibility right now. Good thing you managed to organize it.
 
Report 30 minutes with unbound with these options.
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 3600
cache-max-negative-ttl: 60

Code:
unbound-control -c /opt/var/lib/unbound/unbound.conf stats_noreset | grep total.num

total.num.queries=1785
total.num.queries_ip_ratelimited=0
total.num.cachehits=1281
total.num.cachemiss=504
total.num.prefetch=147
total.num.zero_ttl=123
total.num.recursivereplies=504

Next step with this
Code:
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 900
cache-max-negative-ttl: 60
Top setting set, had to restart Unbound to clear stats. (Used rl command on conf but didn't reset my stats this time). Will report back in 30 mins
 
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 172800
My strong personal preference is to have short (less than 1 hour/3600 seconds) DNS TTLs. In particular, considering that queries are on edge. You can view the path of each query and verify. I am not a fan of long caches.
Code:
@MBPrgnldo % nslookup -type=cname -debug github.com
Server: 2804:4474:206:6300::1
Address: 2804:4474:206:6300::1#53

------------
    QUESTIONS:
github.com, type = CNAME, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  github.com
origin = ns1.p16.dynect.net
mail addr = hostmaster.github.com
serial = 1578590735
refresh = 3600
retry = 600
expire = 604800
minimum = 60
ttl = 900
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
*** Can't find github.com: No answer

Authoritative answers can be found from:
github.com
origin = ns1.p16.dynect.net
mail addr = hostmaster.github.com
serial = 1578590735
refresh = 3600
retry = 600
expire = 604800
minimum = 60

So far, the safest option, considering prefetch, is this:
Code:
cache-max-ttl: 86400
serve-expired: yes
serve-expired-ttl-reset: yes
serve-expired-ttl: 3600

I added a security option:
Code:
ip-ratelimit: 100

Used against attacks and flooding of virus-infected users. The limits set here are for each user and not the total, i.e. if 1 user exceeds the specified request volume the excess will be discarded, so if you set the limit to 100 requests per second and a virus-infected user makes 130 requests per second, this will be limited to 100 requests and the last 30 overruns, treating the limitation individually.
 
My strong personal preference is to have short (less than 1 hour/3600 seconds) DNS TTLs. In particular, considering that queries are on edge. You can view the path of each query and verify. I am not a fan of long caches.
Definitely agree on cache limiting. My 48 hour value there was for testing, I was reading though, best TTL practice for most websites / applications is 24 hours to avoid constant authoritative lookups (but some content providers may use less): https://support.rackspace.com/how-to/about-ttl-best-practices/
Generally, we recommend a TTL of 24 hours (86,400 seconds). However, if you are planning to make DNS changes, you should lower the TTL to 5 minutes (300 seconds) at least 24 hours in advance of making the changes. After the changes are made, increase the TTL back to 24 hours.
 