Maintained by: NLnet Labs

[Unbound-users] recently asked questions

Paul Wouters
Fri Oct 8 17:20:29 CEST 2010

On Fri, 8 Oct 2010, W.C.A. Wijngaards wrote:

> * About memory, how to configure its maximum?
> Ok. pick the limit (32-bit linux has 3Gb per process).  Then divide by
> two (for the operating system malloc overhead).  Then divide this into
> RRset, msg, and other caches.  Leave a little to spare because hitting
> the hard max is painful (server failure errors are sent to clients).
> The divide-by-two looks bad, but it is really a very sophisticated
> algorithm to even get that good.  And I do not believe unbound can do a
> better job at it than your OS can.  (if you know how to do it better, we
> may make unix systems the world over operate better).
> So, for 3Gb, about 1.5Gb to divide over caches.  Such as rrset-cache
> 600M, msg-cache 300M, key-cache 100M, neg-cache 100M, infra-numhosts
> 100000.  This leaves some space as well.  And how did I choose these
> ratios?  What I did was look at the ratios when the caches are not full
> yet but are used in normal operations.  The key and neg cache values are
> guesses to enable DNSSEC operations.  It is likely that DNSSEC's
> deployment will change this (specifically more space for key-cache and
> neg-cache).

Would any special configuration be required in the case of unusual usage?
To withstand a DoS? If you're doing lots of client lookups (e.g. apache log
resolving). You described the best in "regular" operation, but what is the
best for resilience?

> * Denied feature request: donotquery config per port.
> So that you can block specific port numbers.

Yeah, the OS or firewall in front of it can do a much better job of that.

I still have a feature request outstanding of: Accept UDP queries, but only
send TCP queries, to allow unbound to be used via a SOCKS proxy, but allow
local unmodified (UDP based) clients to query it. This is what is needed for
projects like tor, that attempt to anonymise the client and need to prevent
leaking DNS queries.
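The cache-sizing recipe quoted at the top of this message (halve the process limit for malloc overhead, then split the remainder across the caches and leave some spare), written out as a small script. This is an added example and is not code from the thread or from Unbound itself. The split ratios are an assumption derived from the 600M/300M/100M/100M figures against a 1.5 Gb budget; the option names are the real unbound.conf(5) ones (the "infra-numhosts" in the mail corresponds to infra-cache-numhosts).

```python
"""Cache budgeting for Unbound along the lines sketched in the quoted mail.

Added example, not part of the thread. The halving and the split ratios
reproduce the 3 Gb worked example (1.5 Gb budget -> 600M rrset, 300M msg,
100M key, 100M neg, ~400M spare). The ratios are an assumption read off
those numbers, not a rule Unbound itself applies.
"""
from fractions import Fraction

# Share of the post-halving budget given to each cache. The remainder
# (4/15 here) is deliberately left unallocated: the mail warns that
# hitting the hard maximum makes Unbound return server failures to clients.
CACHE_SHARES = {
    "rrset-cache-size": Fraction(2, 5),
    "msg-cache-size": Fraction(1, 5),
    "key-cache-size": Fraction(1, 15),
    "neg-cache-size": Fraction(1, 15),
}


def cache_budget(limit_mb: int) -> dict:
    """Return per-cache sizes in megabytes for a process limit of limit_mb.

    Step 1: halve the limit to leave room for OS malloc overhead.
    Step 2: split the remainder using CACHE_SHARES, rounding each size
            down so the total never exceeds the budget; what is left
            over is reported as "spare".
    """
    budget = limit_mb // 2
    sizes = {name: int(share * budget) for name, share in CACHE_SHARES.items()}
    sizes["spare"] = budget - sum(sizes.values())
    return sizes


def render_config(limit_mb: int, infra_hosts: int = 100000) -> str:
    """Render the sizes as an unbound.conf 'server:' fragment.

    Option names are the unbound.conf(5) ones; Unbound accepts the 'm'
    suffix for megabytes on the *-cache-size options.
    """
    sizes = cache_budget(limit_mb)
    lines = ["server:"]
    lines.append(
        f"    # process limit {limit_mb}m, cache budget {limit_mb // 2}m, "
        f"spare {sizes['spare']}m"
    )
    for name in CACHE_SHARES:
        lines.append(f"    {name}: {sizes[name]}m")
    lines.append(f"    infra-cache-numhosts: {infra_hosts}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 3000 MB process limit, i.e. the 32-bit Linux case from the mail.
    print(render_config(3000))
```

Run the generated fragment through `unbound-checkconf` before deploying it; the key-cache and neg-cache figures are, as the mail says, guesses for DNSSEC operation and should be revisited once you have seen real usage.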