Unbound Caching Resolver

I’ve become a big fan of the unbound caching resolver for FreeBSD. It’s included in the base distribution, but is not enabled by default. I’ve found that it reduces my DNS lookup time from an average of 300 milliseconds to about 4 milliseconds. The setup is almost trivial.

It’s probably a surprise to most people how much time is wasted doing DNS lookups. Multiply 300 milliseconds by the 15-20 domains typically referenced on a page, and what kind of time savings is that? Six seconds. OK, that’s not long enough for a coffee break, but why wait if you don’t need to?

I have a FreeBSD powered WiFi access point. It’s a triple-routed, double-firewalled hostapd + dhcp + unbound setup. I have the unbound interface config set to 0.0.0.0, so all the WiFi clients also benefit from 4 millisecond DNS response times. That is nice! Another nice thing about running my own access point is that I can log selected traffic much better than an ordinary router from the ISP can.
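The post does not show its unbound.conf, so the following is an added example (not the author’s configuration): a constructed fragment for a LAN-facing caching resolver with the `interface: 0.0.0.0` listener described above, next to a small policy check. The point a practitioner wants here is that a wildcard listener is only safe when `access-control` limits who gets answers; the 192.168.10.0/24 network is an assumed placeholder LAN, and the weak variant with `0.0.0.0/0 allow` is what an open resolver looks like.

```shell
#!/bin/sh
# Added example (not from the original post): constructed unbound.conf
# fragments and a check for the "interface: 0.0.0.0" listener policy.
# 192.168.10.0/24 is an assumed placeholder LAN.
#
# On FreeBSD the base-system resolver is enabled with
#   sysrc local_unbound_enable=YES && service local_unbound start
# and its config lives in /var/unbound/unbound.conf. Nothing here touches
# that file; the checks below run only against temporary copies.

SAMPLE_CONF=$(mktemp)
OPEN_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$OPEN_CONF"' EXIT

# Hardened: listen on every interface, answer only loopback and the LAN.
cat >"$SAMPLE_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    prefetch: yes
EOF

# Weak: same listener, but a catch-all allow turns it into an open resolver.
cat >"$OPEN_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
EOF

# unbound_lan_policy_ok FILE
# Exit status: 0 = listener policy is sane (or no wildcard listener at all),
#              1 = catch-all allow: open resolver, abusable for amplification,
#              2 = wildcard listener but no private-range allow rule, so
#                  LAN clients get REFUSED (unbound's default for unlisted
#                  sources is refuse).
unbound_lan_policy_ok() {
    f=$1
    if ! grep -Eq '^[[:space:]]*interface:[[:space:]]+(0\.0\.0\.0|::)([[:space:]]|@|$)' "$f"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*access-control:[[:space:]]+(0\.0\.0\.0/0|::/0)[[:space:]]+allow' "$f"; then
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*access-control:[[:space:]]+(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)[0-9.]+/[0-9]+[[:space:]]+allow' "$f"; then
        return 2
    fi
    return 0
}

# Stand-alone run: report the status of both constructed configs.
for f in "$SAMPLE_CONF" "$OPEN_CONF"; do
    rc=0; unbound_lan_policy_ok "$f" || rc=$?
    echo "$f: policy status $rc"
done
```

Run it against a real `/var/unbound/unbound.conf` by calling `unbound_lan_policy_ok` on that path; a status of 2 explains the common symptom of WiFi clients getting REFUSED after the listener is opened, and a status of 1 is the case to fix before exposing port 53 beyond the LAN.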

I look around and see that more than half of the WiFi access points are set to WPA (wpa=1 in hostapd parlance), which has been shown to be crackable with aircrack. TKIP is considered insecure. So, to avoid this situation, my access points are now all configured to use WPA2 (wpa=2 in hostapd parlance) and CCMP instead of TKIP, via the following lines in the hostapd.conf file:

  • wpa=2
  • wpa_key_mgmt=WPA-PSK
  • wpa_pairwise=CCMP

I have other things in the config file besides what’s shown, but don’t want to give away all my secrets. Note that some config details depend on other config details, and the wrong combination may not work, or may work in an unexpected way. Hence, don’t use the snippets above as any kind of cookie-cutter recipe. It’s just what I do; others must do differently. Other than WPA2, I don’t enable any other connection methods, as most of them (as far as I have read) have “issues”. A wpa=1 config was likely used for the aircrack-able plain-Jane WPA setups that I see on slightly more than half the access points around me when I look at my AP connection list.
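Since the post warns that the three hostapd lines interact with other settings, here is an added example (not the author’s hostapd.conf) showing a weak WPA/TKIP profile, a mixed wpa=3 profile, and a hardened WPA2/CCMP profile side by side, with a check that enforces the WPA2-only, CCMP-only policy. The interface, ssid and passphrase values are placeholders; the check relies on two hostapd facts, that wpa=3 offers both WPA and WPA2, and that `rsn_pairwise` (the WPA2 cipher list) falls back to `wpa_pairwise` when unset, which is how TKIP can survive into a WPA2 network.

```shell
#!/bin/sh
# Added example (not from the original post): constructed hostapd.conf
# fragments plus a check for the WPA2 + CCMP-only policy. interface, ssid
# and wpa_passphrase values are placeholders.
# hostapd semantics used here: wpa=1 is WPA only, wpa=2 is WPA2 (RSN) only,
# wpa=3 is both; rsn_pairwise is the WPA2 cipher list and defaults to the
# value of wpa_pairwise when it is not set.

WEAK_CONF=$(mktemp)
MIXED_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$MIXED_CONF" "$HARD_CONF"' EXIT

# Weak: the plain WPA profile (wpa=1, TKIP) the post sees on nearby APs.
cat >"$WEAK_CONF" <<'EOF'
interface=wlan0
ssid=example-weak
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
EOF

# Mixed: WPA2 is offered, but WPA with TKIP is still accepted for old clients.
cat >"$MIXED_CONF" <<'EOF'
interface=wlan0
ssid=example-mixed
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
EOF

# Hardened: the three settings from the post, WPA2 only with CCMP only.
cat >"$HARD_CONF" <<'EOF'
interface=wlan0
ssid=example-hard
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
EOF

# conf_get FILE KEY: value of the last KEY=... line in FILE (empty if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# hostapd_wpa2_ccmp_only FILE
# Exit status: 0 = WPA2-only with CCMP-only pairwise ciphers,
#              1 = wpa is not exactly 2 (plain WPA or mixed mode offered),
#              2 = TKIP listed in wpa_pairwise or rsn_pairwise,
#              3 = wpa_key_mgmt missing.
hostapd_wpa2_ccmp_only() {
    f=$1
    [ "$(conf_get "$f" wpa)" = "2" ] || return 1
    for key in wpa_pairwise rsn_pairwise; do
        case " $(conf_get "$f" "$key") " in
            *" TKIP "*) return 2 ;;
        esac
    done
    [ -n "$(conf_get "$f" wpa_key_mgmt)" ] || return 3
    return 0
}

# Stand-alone run: report each constructed profile's status.
for f in "$WEAK_CONF" "$MIXED_CONF" "$HARD_CONF"; do
    rc=0; hostapd_wpa2_ccmp_only "$f" || rc=$?
    echo "$(conf_get "$f" ssid): status $rc"
done
```

Pointing `hostapd_wpa2_ccmp_only` at a live hostapd.conf before restarting hostapd catches the two regressions that are easy to miss by eye: a leftover wpa=3 from a transition period, and a TKIP entry in `wpa_pairwise` that silently becomes the WPA2 cipher because `rsn_pairwise` was never set.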

No, I’m not cracking them! This kind of data is presented in the “advertising” that all AP nodes send out so that clients know how to connect to them. But the security on these ~50 percent of devices seems lax, to say the least. They ought to upgrade, in my non-expert opinion. That’s not to say that WPA2 isn’t crackable. I’m not the expert to say for sure, but it seems prudent to run the WPA2 config anyway. Caveat emptor (yer takes yer chances).

FreeBSD is a trademark of the FreeBSD Foundation, and they are not affiliated with this author or site in any way. Note: the author does not have a recent, applicable background in circuit building or battery-related issues, so this is presented as the work of a hobbyist and is not meant for duplication by others. Readers should look elsewhere for design advice and info.
