DEV Community

Devair Fernandes

Stop manually tuning Unbound DNS: How I built an auto-tuning DNS Firewall

If you've ever managed a DNS server at scale (like for an ISP or a large corporate network), you know that standard configurations don't cut it. You have to dive deep into kernel TCP/UDP buffers, slab sizes, and thread allocations.

I got tired of doing this manually, so I built an open-source appliance called Sentinel DNS to solve it.

The Problem

When you run Unbound with its default settings, which are sized for a small office, it chokes as soon as you throw 10,000 queries per second (QPS) at it. You drop packets, latency spikes, and users complain.

The Solution: Dynamic Auto-Tuning

In Sentinel DNS, I wrote a boot script that reads /proc/cpuinfo and /proc/meminfo. Instead of static config files, the system dynamically generates the Unbound configuration.

If you boot the ISO on a VM with 2 vCPUs and 4 GB RAM, it allocates resources accordingly. If you move it to a bare-metal server with 16 cores and 32 GB RAM, the script recalculates the msg-cache-size, rrset-cache-size, and num-threads on the next boot, maximizing performance without running out of memory.
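To make the approach concrete, here is an added example of such a boot-time generator. It is not Sentinel's own script: the 40% RAM budget for caches, the 1:2 msg:rrset split, the power-of-two slab rule and the output path `/etc/unbound/unbound.conf.d/autotune.conf` are all this example's assumptions, and it assumes the main `unbound.conf` pulls that file in with an `include:` line.

```shell
#!/bin/sh
# Added example of boot-time Unbound auto-tuning from /proc/cpuinfo and /proc/meminfo.
# Not Sentinel's script; budget percentages and the output path are assumptions.

# num_threads <cores>: one worker thread per core, never fewer than one.
num_threads() {
  c=$1
  [ "$c" -ge 1 ] 2>/dev/null || c=1
  echo "$c"
}

# slabs <threads>: slab counts should be a power of two >= the thread count,
# so the caches shard across threads without lock contention.
slabs() {
  n=1
  while [ "$n" -lt "$1" ]; do n=$((n * 2)); done
  echo "$n"
}

# cache_mb <mem_kb> <percent>: the share of RAM (given in KB) to spend, in whole MB.
cache_mb() {
  echo $(( $1 / 1024 * $2 / 100 ))
}

# render_config <cores> <mem_kb>: print the server: stanza for the detected hardware.
# Only 40% of RAM goes to caches because Unbound's real footprint exceeds the
# configured sizes (allocator overhead, per-thread buffers); the rest is headroom.
render_config() {
  threads=$(num_threads "$1")
  slab=$(slabs "$threads")
  total=$(cache_mb "$2" 40)
  msg=$((total / 3))          # rrset cache roughly twice the msg cache
  rrset=$((total - msg))
  cat <<EOF
server:
  num-threads: $threads
  msg-cache-slabs: $slab
  rrset-cache-slabs: $slab
  infra-cache-slabs: $slab
  key-cache-slabs: $slab
  msg-cache-size: ${msg}m
  rrset-cache-size: ${rrset}m
  outgoing-range: 4096
  num-queries-per-thread: 2048
EOF
}

# Live detection, Linux paths (only used when invoked with --generate).
detect_cores() { grep -c '^processor' /proc/cpuinfo; }
detect_mem_kb() { awk '/^MemTotal:/ {print $2}' /proc/meminfo; }

if [ "${1:-}" = "--generate" ]; then
  out=/etc/unbound/unbound.conf.d/autotune.conf   # assumed path, included from unbound.conf
  render_config "$(detect_cores)" "$(detect_mem_kb)" > "$out"
  unbound-checkconf >/dev/null || { echo "generated config rejected, not starting" >&2; exit 1; }
fi
```

Run it as `autotune.sh --generate` from a unit ordered before `unbound.service`. On a 2 vCPU / 4 GB VM it yields two threads, two slabs per cache, 546m for the message cache and 1092m for the RRset cache; on 16 cores / 32 GB the same arithmetic gives sixteen threads, sixteen slabs and 4369m / 8738m. The `unbound-checkconf` gate matters: a generator bug that emits a bad stanza should fail the boot loudly rather than leave the resolver down with a silent syntax error.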

Zero-Cold Start

Another big issue was cache loss during reboots. Sentinel handles this by hooking into the shutdown process, dumping the Unbound cache to the NVMe disk, and reloading it on startup. Cached names keep answering at 0ms instead of paying a full recursive lookup after every reboot.
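An added example of the save/restore hook, written for this post rather than taken from Sentinel. It assumes `remote-control:` is enabled in `unbound.conf` and `unbound-control-setup` has been run, that the dump lives at the hypothetical path `/var/lib/unbound/cache.dump` on persistent storage, and that refusing dumps older than an hour is an acceptable policy. The sanity check relies on the `START_RRSET_CACHE` and `EOF` markers that bracket Unbound's dump format.

```shell
#!/bin/sh
# Added example: persist Unbound's cache across reboots via unbound-control.
# Not Sentinel's hook; CACHE_FILE and MAX_AGE are this example's assumptions.
CACHE_FILE=${CACHE_FILE:-/var/lib/unbound/cache.dump}
MAX_AGE=${MAX_AGE:-3600}   # load_cache re-serves whatever it is given, so cap the dump's age

# dump_is_sane <file>: a complete dump starts with START_RRSET_CACHE and ends with EOF;
# a truncated dump (disk full, killed mid-write) fails this and is never loaded.
dump_is_sane() {
  [ -s "$1" ] && head -n 1 "$1" | grep -q '^START_RRSET_CACHE' && tail -n 1 "$1" | grep -q '^EOF$'
}

# dump_is_fresh <saved_epoch> <now_epoch> <max_age>: reject dumps older than max_age seconds.
dump_is_fresh() {
  [ "$1" -gt 0 ] 2>/dev/null && [ $(( $2 - $1 )) -le "$3" ]
}

# save_cache: at shutdown, dump to a temp file, validate, then atomically replace the
# previous dump; on any failure the last good dump is kept.
save_cache() {
  tmp="$CACHE_FILE.tmp"
  if unbound-control dump_cache > "$tmp" && dump_is_sane "$tmp"; then
    date +%s > "$CACHE_FILE.stamp"
    mv "$tmp" "$CACHE_FILE"
  else
    rm -f "$tmp"
    return 1
  fi
}

# restore_cache: at startup, wait for the control socket, then feed the dump back.
# A missing, damaged or stale dump is skipped silently: cold start beats wrong data.
restore_cache() {
  dump_is_sane "$CACHE_FILE" || return 0
  stamp=$(cat "$CACHE_FILE.stamp" 2>/dev/null || echo 0)
  dump_is_fresh "$stamp" "$(date +%s)" "$MAX_AGE" || return 0
  i=0
  until unbound-control status >/dev/null 2>&1; do
    i=$((i + 1)); [ "$i" -lt 30 ] || return 1; sleep 1
  done
  unbound-control load_cache < "$CACHE_FILE"
}

case "${1:-}" in
  save)    save_cache ;;
  restore) restore_cache ;;
esac
```

Wire `cache-hook.sh save` into the unit's `ExecStop=` and `cache-hook.sh restore` into `ExecStartPost=`. The age cap is the security-relevant part: the dump is trusted input to `load_cache`, so anything that lets a stale or tampered file reach it would be re-served to every client. Keeping the dump on a root-owned path, validating its framing and refusing old snapshots are the minimum; DNSSEC-validating resolvers also get the benefit that signed data is re-checked as it is used.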

Check out the full architecture and the NOC dashboard UI we built for it here:
🔗 Sentinel DNS Official Site

Let me know what you think of this approach!
