docs: Add DNS tuning guide #1601

stratself · 2026-04-01T05:33:33Z

stratself commented

2026-04-01 05:33:33 +00:00

This pull request adds a DNS tuning guide page for Continuwuity, targetting Unbound. It recommends best practices.

You can see a preview of it here:

TODOS:

Rewrite the troubleshooting page section to simplify wording and reflink to this new page.
Link other pages (e.g. Docker next steps, performance tuning) to this page (in other PRs)

Pull request checklist:

This pull request targets the main branch, and the branch is named something other than
main.
I have written an appropriate pull request title and my description is clear.
I understand I am responsible for the contents of this pull request.
I have followed the contributing guidelines:
- My contribution follows the code style, if applicable.
- I ran pre-commit checks before opening/drafting this pull request.
- I have tested my contribution (or proof-read it for documentation-only changes)
  myself, if applicable. This includes ensuring code compiles.
- My commit messages follow the commit message format and are descriptive.
- I have written a news fragment for this PR, if applicable.

This pull request adds a DNS tuning guide page for Continuwuity, targetting Unbound. It recommends best practices. You can see a preview of it here: - https://muc.muoi.me/advanced/dns.html - https://muc.muoi.me/troubleshooting.html#dns-issues TODOS: - [x] Rewrite the [troubleshooting page section](https://continuwuity.org/troubleshooting#dns-issues) to simplify wording and reflink to this new page. - [ ] Link other pages (e.g. Docker next steps, performance tuning) to this page (in other PRs)     **Pull request checklist:**  - [x] This pull request targets the `main` branch, and the branch is named something other than `main`. - [x] I have written an appropriate pull request title and my description is clear. - [x] I understand I am responsible for the contents of this pull request. - I have followed the [contributing guidelines][c1]: - [x] My contribution follows the [code style][c2], if applicable. - [x] I ran [pre-commit checks][c1pc] before opening/drafting this pull request. - [x] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes) myself, if applicable. This includes ensuring code compiles. - [x] My commit messages follow the [commit message format][c1cm] and are descriptive. - [x] I have written a [news fragment][n1] for this PR, if applicable.  [c1]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md [c2]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/docs/development/code_style.mdx [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages [n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

theSuess reviewed

2026-04-01 15:00:24 +00:00

theSuess left a comment

Only checked for technical input for now since I know that drive-by reviews by external people can be annoying for maintainers 😅

One option that could also be useful for tuning (esp. on kubernetes) is ndots as having a high value here will cause lookups of external domains with the search domain appended (e.g matrix.org -> matrix.org.my.network)

If you want to, I can take a look at the wording and instruction text as well (I often do this as part of my dayjob) but I didn't want to spam this without asking first :)

Only checked for technical input for now since I know that drive-by reviews by external people can be annoying for maintainers 😅 One option that could also be useful for tuning (esp. on kubernetes) is [ndots](https://www.man7.org/linux/man-pages/man5/resolv.conf.5.html#:~:text=see%20resolver%283%29%29%2E-,ndots%3A) as having a high value here will cause lookups of external domains with the search domain appended (e.g `matrix.org` -> `matrix.org.my.network`) If you want to, I can take a look at the wording and instruction text as well (I often do this as part of my dayjob) but I didn't want to spam this without asking first :)

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +18,4 @@

				### For Docker users

				Docker bridge networks uses a non-performant resolver to intercept and respond to container hostnames, and **this should also be avoided**. Instead, mount a custom `/etc/resolv.conf` file into the container, and hardcode a resolver address to bypass Docker's.

Docker supports adhoc generation of resolv.conf. This can also be done using docker compose which removes the need for a volume mount/extra file to manage:
https://docs.docker.com/reference/compose-file/services/#dns

Docker supports adhoc generation of `resolv.conf`. This can also be done using docker compose which removes the need for a volume mount/extra file to manage: https://docs.docker.com/reference/compose-file/services/#dns

This doesn't seem doable with custom bridge networks

~$ docker network create testing
<some-long-id>
~$ docker run --rm -it --net testing --dns 1.1.1.1 alpine cat /etc/resolv.conf

$ docker run --rm -it --net testing --dns 1.1.1.1 alpine cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
options use-vc ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [1.1.1.1]
# Overrides: [nameservers]
# Option ndots from: internal

Same behavior with Podman, though they have the --disable-dns flag. It probably relates to this longstanding issue. Hence the resolv.conf mount workaround

Do let me know if you find alternative solutions to this tho. It will also help #1594

This doesn't seem doable with custom bridge networks ``` ~$ docker network create testing <some-long-id> ~$ docker run --rm -it --net testing --dns 1.1.1.1 alpine cat /etc/resolv.conf $ docker run --rm -it --net testing --dns 1.1.1.1 alpine cat /etc/resolv.conf # Generated by Docker Engine. # This file can be edited; Docker Engine will not make further changes once it # has been modified. nameserver 127.0.0.11 options use-vc ndots:0 # Based on host file: '/etc/resolv.conf' (internal resolver) # ExtServers: [1.1.1.1] # Overrides: [nameservers] # Option ndots from: internal ``` Same behavior with Podman, though they have the `--disable-dns` flag. It probably relates to this longstanding [issue](https://github.com/moby/moby/issues/19474). Hence the resolv.conf mount workaround Do let me know if you find alternative solutions to this tho. It will also help #1594

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +147,4 @@

				## Testing

				As a rough stress test, you can issue `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.

As you already mentioned in chat, these commands would be great in the troubleshooting guide

👍 1

I added them to latest commit. Here's a rendered version

Not sure if the docs structure is optimal, let me know

I added them to [latest commit](https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1601/commits/928ac8d9c542b65c46aeb51aa16acdbca2c78672). Here's a [rendered version](https://muc.muoi.me/troubleshooting.html#intermittent-federation-failures-to-a-specific-server) Not sure if the docs structure is optimal, let me know

stratself commented

2026-04-01 17:22:04 +00:00

@theSuess Many thanks for looking over the PR, I'm also just another drive-by contributor who wanna help with docs, so feel free to nag me for improvements over your free time :D

stratself changed title from ~~WIP: docs: Add DNS tuning guide~~ to docs: Add DNS tuning guide

2026-04-04 11:38:39 +00:00

Ghost reviewed

2026-04-04 13:12:31 +00:00

stratself commented

2026-04-04 13:26:45 +00:00

There are concerns with recommending any specific forwarder over recursion. I'd like users to explore forwarder options because they're 1. Generally faster due to CDNing and less requests, 2. Supported by more software, and 3. Has encryption options. But single-provider dependency and ratelimits are the costs. Better wording is needed

Henry-Hiles requested changes

2026-04-04 14:28:50 +00:00

Dismissed

Henry-Hiles left a comment

Mostly great, just a nitpick.

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +131,4 @@

				### None

				If you can't install a local DNS caching resolver for some reason, you may still configure your machine to talk directly to public resolvers:

I don't see why you wouldn't be able to add a resolver, and you lose caching from this, is it worth covering?

I removed the section

stratself marked this conversation as resolved

stratself referenced this pull request

2026-04-04 18:52:16 +00:00

docs: Add performance tuning guide #1498

nex

2026-04-05 13:26:10 +00:00

added the
Documentation

Enhancement

Matrix/Administration
labels
requested review from nex

stratself requested review from Owners

2026-04-06 06:54:29 +00:00

stratself force-pushed stratself/docs-dns from 3e8a196cf1

Documentation / Build and Deploy Documentation (pull_request) Has been skipped

Details

Check Changelog / Check for changelog (pull_request_target) Successful in 11s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Failing after 3m7s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Successful in 13m22s

Details

to c347fe5061

Documentation / Build and Deploy Documentation (pull_request) Has been skipped

Details

Check Changelog / Check for changelog (pull_request_target) Successful in 10s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Failing after 3m6s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Successful in 16m8s

Details

2026-04-08 07:44:16 +00:00

Compare

Henry-Hiles requested changes

2026-04-08 16:48:44 +00:00

Dismissed

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +120,4 @@

				[Dnsproxy][dnsproxy] and its sister product [AdGuard Home][adguard-home] are known to work with Continuwuity and has an official Docker image. They have support for DNS-over-HTTPS as well as DNS-over-QUIC, but not recursion.

				To best utilise dnsproxy, you should enable proper caching with `--cache` and set `--cache-size` to something bigger, like `64M`.

s/64M/64000000

This argument accepts a number of bytes, only an int, no unit. Otherwise, it fails to launch.

s/64M/64000000 This argument accepts a number of bytes, only an int, no unit. Otherwise, it fails to launch.

❤️ 1

stratself marked this conversation as resolved

stratself added 1 commit

2026-04-10 05:34:34 +00:00

fix(docs,dns): Correct value for dnsproxy option, and a word

Documentation / Build and Deploy Documentation (pull_request) Has been skipped

Details

Check Changelog / Check for changelog (pull_request_target) Successful in 10s

Details

Update flake hashes / update-flake-hashes (pull_request) Successful in 1m51s

Details

Checks / Prek / Pre-commit & Formatting (pull_request) Failing after 2m11s

Details

Checks / Prek / Clippy and Cargo Tests (pull_request) Failing after 2m0s

Details

353d9d17a7

stratself requested review from Henry-Hiles

2026-04-11 16:12:52 +00:00

Henry-Hiles requested changes

2026-04-11 16:58:17 +00:00

Dismissed

Henry-Hiles left a comment

just some small grammar fixes

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +76,4 @@

				### Using a forwarder (optional)

				Unbound by default employs recursive resolution and contact many servers around the world. If this is not performant enough, consider forwarding your queries to public resolvers to benefit from their CDNs and get faster responses.

s/contact/contacts

stratself marked this conversation as resolved

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +80,4 @@

				However, most popular upstreams (such as Google DNS or Quad9) employ IP ratelimiting, so a generous cache is still needed to avoid making too many queries.

				DNS-over-TLS forwarders may also be used should you need on-the-wire encryption, but TLS overhead would incur some speed penalties.

s/would incur some small/causes some small

stratself marked this conversation as resolved

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +127,4 @@

				### dnsmasq

				[dnsmasq][arch-linux-dnsmasq] can possibly work with Continuwuity, though it only support forwarding rather than recursion. Increase the `cache-size` to something like `20000` for better caching performance.

s/support/supports

stratself marked this conversation as resolved

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +142,4 @@

				## Testing

				As a rough stress test, you can issue `!admin query resolver flush-cache -a` or `!admin server clear-caches` to trigger a netburst of DNS queries. If your resolver can handle these loads without problem, then it should be ready for regular Continuwuity activity.

s/issue/run

imo it's simpler

s/issue/run imo it's simpler

stratself marked this conversation as resolved

docs/advanced/dns.mdx Outdated

					
				@ -0,0 +146,4 @@

				To test connectivity against a specific server, use `!admin debug ping <SERVER_NAME>` and `!admin debug resolve-true-destination <SERVER_NAME>`.

				Note that it is expected that not all servers will be resolved, as some of them may be temporarily offline, has broken DNS and/or discovery configuration, or have been decommissioned.

s/has/have

stratself marked this conversation as resolved

docs/troubleshooting.mdx Outdated

					
				@ -52,2 +50,2 @@

				performance issues with Docker's built-in resolver, this can cause DNS queries

				to take a long time to resolve, resulting in federation issues.

				- Spurious log entries with "DNS No connections available", "mismatching responding nameservers", or "error sending request"

				- Excessively long room joins (30+ minutes)

in my experience this can also be !779

Reworded to say it's a slow S2S join as seen from server logs, as !779 relates to C2S not sending new info

👍 1

stratself marked this conversation as resolved

docs/troubleshooting.mdx Outdated

					
				@ -114,3 +69,1 @@

				If your DNS server supports it, some users have reported enabling

				`query_over_tcp_only` to force only TCP querying by default has improved DNS

				reliability at a slight performance cost due to TCP overhead.

				You may also use `!admin server clear-caches` or `!admin query resolver flush-cache -a` to clear all server/resolver caches, in case of failures with many domains. However, note this would significantly increase your server load for a short period.