Maintained by: NLnet Labs

[Unbound-users] README says "By default 16 ports are used"

W.C.A. Wijngaards
Fri May 29 10:49:16 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Matthew,

Thank you for reporting the (doc)-bug.  The readme is wrong.
New text:

* You can use libevent if you want. libevent is useful when using
  many (10000) outgoing ports. By default max 256 ports are opened at
  the same time and the builtin alternative is equally capable and a
  little faster.

Some explanation because you ask about source-port randomization and
query capacity.  Those are split up into different issues and can be
configured separately.  Below I discuss port-numbers, max-sockets,
query-capacity and then go into how those settings could be used.

The port numbers to perform source-port randomization over. This could
be 0-65535; except unbound tries to avoid 0..1023 and IANA allocated
numbers above that and a couple of (256 size) windows in the
unix (linux, solaris, BSD) dynamic range (so that your debug scp can still
find a free port number to use).  This is configured with statements
outgoing-port-permit and outgoing-port-avoid, if you want to change it
from the defaults. With outgoing-port-avoid you can make it avoid a port
number in use by another daemon on the same server, which could be a
problem if unbound were to grab it during reboot before the other daemon
starts.  Otherwise unbound has no problem with other processes grabbing
ports in its port range, it'll use another one.  This leaves unbound
with a random selection from about 60000 port numbers in total (a little
less even, IANA keeps allocating those port numbers: 59733 today).

Then there is the number of open file descriptors.  A process is limited
in the max number of open file descriptors, both by ulimit and because
select is limited.  You can set the tcp file descriptors in the config
file if you want.  The max number of file descriptors unbound opens for
UDP usage is set with outgoing-range.  This value is 256 by default
(and this is what the README has to refer to).  The limit in open file
descriptors can be a bottleneck (depending on the number of port numbers
for randomization and the number of pending queries of course); hence
the talk about using libevent in the README.

The number of queries that are serviced at the same time.  Cache-hits
are not included here.  Cache-misses are capped at a maximum.  Set this
to protect against being overloaded, or increase it to have more
capacity. This is num-queries-per-thread in the config file.  It is 1024
by default.  It can be set to any value you desire.

With these configuration statements you can control what unbound is
going to do, for capacity, source port randomisation and for the socket
usage on the operating system.

Ways to configure it are:
* very few port numbers. say only 2048 (outgoing-port-avoid: 0-65535
outgoing-port-permit: 10000-12047). Combined with outgoing-range: 2048
(and libevent compiled to support that).  This gives behaviour that is a
bit like other vendor software has, that only uses 1000-2500 source port
numbers.  After opening 2048 ports unbound will reuse existing open
ports (because it drew a random number that is already open).
This is emphatically not the default. It is much less secure. You need
to pick those port numbers out of the largest possible set of numbers to
gain more entropy.
* not enough sockets.  Say outgoing-range: 16 if you can only open few
sockets. Leaving the rest as is can cause this to be a big bottleneck.
Perhaps lower the num-queries-per-thread for this.
* lots of capacity. outgoing-range: 4096  num-queries-per-thread: 4096
and libevent compiled to support the large number of open sockets with
epoll.  Set num-threads: 8, on an 8-core box for a lot of fun.
* other.  Please tell me what works well for you, then I can document it
on the unbound website for others.

The reason I want to talk about libevent in the README is that it can be
used for capacity gain and this is what people want to tinker with at
compile time (and not bother with the other stuff).

Best regards,
   Wouter

Matthew Dempsky wrote:
> Can someone clarify for me what this line in the README[1] means?
> 
>   * You can use libevent if you want. libevent is useful when using
>      many (10000) outgoing ports. By default 16 ports are used and the
>      builtin alternative is equally capable and a little faster.
> 
> In particular, what does it mean by "16 ports are used"?
> 
> According to [2], Unbound uses per-query source-port randomization.
> Is this entry outdated, or does it limit the number of concurrent
> queries to 16 or something?
> 
> Thanks.
> 
> [1] http://unbound.nlnetlabs.nl/svn/trunk/README
> [2] http://www.unbound.net/documentation/patch_announce102.html
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkofoYwACgkQkDLqNwOhpPjxfwCdFEr71QvwYl/CAtBfrX7sJsOt
BIQAn3DQPaYMc84MStncPNesHx4f/CR0
=Ah0y
-----END PGP SIGNATURE-----
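As an added illustration (not part of the mail above, and not Unbound's own code), the following Python script models the three knobs Wouter separates: outgoing-port-avoid / outgoing-port-permit shape the source-port pool, outgoing-range caps the number of UDP sockets open at once, and the per-query random draw reuses a port that is already open. It parses a constructed unbound.conf fragment for the "very few port numbers" case, reports the pool size and the resulting bits of source-port entropy, and simulates a burst of queries against the socket cap. The starting pool of 1024-65535 is an assumption: real Unbound also skips IANA-assigned numbers and a few dynamic-range windows (the mail quotes 59733 usable ports), and what it does when the socket limit is hit is simplified here to counting the query as stalled.

```python
"""Toy model of the unbound.conf knobs discussed in the mail.
Added example; simplified, not Unbound's real port-selection code."""
import math
import random

# Constructed config fragment mirroring the "very few port numbers"
# case from the mail (example data, explicitly not a recommended setting).
RESTRICTED_CONF = """
server:
    outgoing-port-avoid: 0-65535
    outgoing-port-permit: 10000-12047
    outgoing-range: 2048
"""

# Assumption: the default pool is modelled as 1024-65535. Real Unbound also
# avoids IANA-assigned numbers and some dynamic-range windows, which this
# toy does not reproduce.
DEFAULT_POOL = frozenset(range(1024, 65536))


def parse_port_range(spec):
    """'N' or 'N-M' -> inclusive (low, high) tuple."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi


def port_pool(conf_text, start=DEFAULT_POOL):
    """Apply avoid/permit statements top to bottom and return the pool."""
    pool = set(start)
    for raw in conf_text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        if key == "outgoing-port-avoid":
            lo, hi = parse_port_range(value.strip())
            pool.difference_update(range(lo, hi + 1))
        elif key == "outgoing-port-permit":
            lo, hi = parse_port_range(value.strip())
            pool.update(range(lo, hi + 1))
    return pool


def outgoing_range(conf_text, default=256):
    """Socket cap from the config; 256 is the default the mail cites."""
    for raw in conf_text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if sep and key == "outgoing-range":
            return int(value.strip())
    return default


def port_entropy_bits(pool):
    """Bits of source-port entropy a uniform draw from the pool provides."""
    return math.log2(len(pool))


def simulate_queries(pool, max_sockets, n_queries, seed=1):
    """Draw one random port per query, as the mail describes.
    An already-open port is reused; a new port opens a socket while fewer
    than max_sockets are open; otherwise the query is counted as stalled
    (simplifying assumption). Returns (opened, reused, stalled)."""
    rng = random.Random(seed)
    ports = sorted(pool)
    open_ports = set()
    reused = stalled = 0
    for _ in range(n_queries):
        p = rng.choice(ports)
        if p in open_ports:
            reused += 1
        elif len(open_ports) < max_sockets:
            open_ports.add(p)
        else:
            stalled += 1
    return len(open_ports), reused, stalled


if __name__ == "__main__":
    for name, conf in (("default", ""), ("restricted", RESTRICTED_CONF)):
        pool = port_pool(conf)
        print(f"{name}: {len(pool)} ports, {port_entropy_bits(pool):.2f} bits,"
              f" outgoing-range {outgoing_range(conf)}")
    # 2048-port pool with a 2048-socket cap: every port ends up open and reused.
    print("restricted burst:", simulate_queries(port_pool(RESTRICTED_CONF), 2048, 40000))
    # Large pool but only 16 sockets: the socket cap, not the pool, is the bottleneck.
    print("16-socket burst:", simulate_queries(DEFAULT_POOL, 16, 1000))
```

Running it shows the point of the mail's warning in numbers: the 2048-port configuration gives exactly 11 bits of source-port entropy, against roughly 16 bits for a pool of tens of thousands of ports, while the outgoing-range cap independently decides how many queries can be in flight before sockets run out.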