Maintained by: NLnet Labs

[Unbound-users] Unbound periodically stops responding

Bry8 Star
Fri Aug 31 11:28:26 CEST 2012

I will try to help myself & others.

The "iterator validator" option will not work/validate.

Below config file gave me better result (on Windows XP), you may try
this out and suit to your need:

- - - - - - - - - - - - - - - -
# BEGIN of service.conf / unbound.conf file
# Last Modified 2012-08-31 01:30
# Copyright (C) 2012 Bry8Star. (bry8 star a.t ya hoo d.o.t c om)
verbosity: 1 # logs errors & operational info
#verbosity: 0 # logs errors
statistics-interval: 0
statistics-cumulative: "no"
extended-statistics: "no"
num-threads: 1
interface: # My Network Adapter's IP adrs
interface: ::1
interface-automatic: "no"
port: 53
outgoing-range: 950
outgoing-port-permit: 52000-56096
outgoing-num-tcp: 25
incoming-num-tcp: 25
so-rcvbuf: 8m
so-sndbuf: 8m
edns-buffer-size: 4096
msg-buffer-size: 65552
msg-cache-size: 48m
msg-cache-slabs: 1
num-queries-per-thread: 475
jostle-timeout: 200
rrset-cache-size: 96m
rrset-cache-slabs: 1
cache-min-ttl: 0
cache-max-ttl: 21600 # 6 hours
infra-host-ttl: 900
infra-cache-slabs: 1
infra-cache-numhosts: 10000
do-ip4: "yes"
do-ip6: "no" # for now
do-udp: "yes"
do-tcp: "yes"
tcp-upstream: "no"
do-daemonize: "yes"
access-control: refuse
access-control: ::0/0 refuse
access-control: allow
access-control: allow
access-control: ::1 allow
logfile: "C:\Program Files\Unbound\unbound.log"
use-syslog: "no"
log-time-ascii: "yes"
log-queries: "no"
root-hints: "C:\Program Files\Unbound\named.cache"
hide-identity: "yes"
hide-version: "yes"
identity: "DNS"
version: "1.0.0"
target-fetch-policy: "0 0 0 0 0 0"
harden-short-bufsize: "no"
harden-large-queries: "no"
harden-glue: "yes"
harden-dnssec-stripped: "yes"
harden-below-nxdomain: "no"
harden-referral-path: "no"
use-caps-for-id: "no"
unwanted-reply-threshold: 8000
prefetch: "yes"
prefetch-key: "yes"
rrset-roundrobin: "yes"
minimal-responses: "no"
module-config: "validator iterator"
dlv-anchor-file: "C:\Program Files\Unbound\"
# Downloaded from
# DLV, DNS Lookaside Validation, for the root
auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
#domain-insecure: "TLD" # TLDs from various TLD providers
val-bogus-ttl: 60
val-sig-skew-max: 86400
val-clean-additional: "yes"
val-permissive-mode: "no"
ignore-cd-flag: "yes"
val-log-level: 1 # log validation failed queries
#val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
key-cache-size: 48m
key-cache-slabs: 1
neg-cache-size: 36m
# Blocking below TLDs, can also be used to block sites
local-zone: "onion." refuse # disallow to go via public route
local-zone: "i2p." refuse # suppose to go via proxy route
control-enable: "no"
# stub-zones SZ, for TLDs from other TLD providers (root opr)
# Forward zones FZ, if used hostname/namesrvr in stub-zones
# Default Forward Root Zone:
#name: "."
# You may use your ISP dns, for bit faster results.
#forward-addr: i.p.adrs.1 # ISP DNS / Recursive/Caching
#forward-addr: i.p.adrs.2 # ISP DNS / Recursive/Caching
# Or use other root caching or recursive dns servers.
# END of service.conf / unbound.conf file
- - - - - - - - - - - - - - - -

I express thanks to various users from various IRC channels who has
helped with various suggestions.

If you have better performing config file, then please share, thanks in

And use this below technique to run the 'Unbound DNS Validator' with
"Below Normal" Priority, so it does not affect other processes, it is
temporary fix.
(1) Start Windows Task Manager like this:
ntsd -c qd taskmgr.exe
(2) goto "Processes" tab > select "Show Processes from All Users".
(3) find 'Unbound.exe" in the process list. Right click on it > Set
Priority > select "BelowNormal". Ok.
(4) close Task manager.
There are script/batch file as well to do automatically like above when
windows starts up. Dont know of a registry hack to do that. If any1
knows, then please share.

-- Bry8Star.

On 8/29/2012 8:08 PM, Bry8 Star wrote:
> I'm using 'Unbound' v1.4.18 on Windows XP SP3 4GB RAM 32bit Dual Core
> AMD CPU. Unbound is configured with "validator iterator" mode.
> "target-fetch-policy" is currently "2 1 0 0 0 0". DLV option is enabled.
> It stops responding periodically in my side as well :-(
> I installed windows process monitoring tools like, Process Hacker,
> Process Explorer, etc and also have firewall able to show, warn, block
> any active network connections. Nothing is blocked for unbound in
> firewall, only set to show messages/info on what unbound is doing.
> Firewall is also set to show message/info what app is trying to
> communicate (send DNS query) with local resolver (the unbound).
> When user like me tries to do a ping or do a nslookup or do a DiG on an
> internet host, or when a web-browser or any other internet service
> client app tries to send DNS query via unbound (working on udp
> port 53), then at first attempt, unbound internally does its query very
> slowly (or sometime does not work), then query sender app shows server
> could not be reached or servfail, etc error/result. 'Unbound' starts to
> use around 98% or more cpu resources at that point. So other apps, mouse
> becomes non or less responsive. After about 1 min or 2 mins, cpu usage
> goes down to normal level. And then, if 2nd attempt is done on the same
> internet site or host, then 'unbound' usually sends the answer back very
> quickly and can reach sites.
> If a different fetch policy is used then how will it affect? We need a
> better fetch policy. Even when i specified it to use 1 Thread, it
> sometime uses even 3 or 4 threads. If "iterator validator" is used, then
> will it work better ? then what fetch policy will be better ?
> -- Bry8Star.
> On 8/29/2012 5:40 PM, Will Roberts wrote:
>> On 04/06/2011 02:06 AM, W.C.A. Wijngaards wrote:
>>> Well it should respond to the unbound-control utility.  If it does not
>>> this means it is somehow no longer processing the main loop, or that
>>> network traffic does not reach it.
>> To add some resolution to this issue, this is clearly not unbound's
>> fault. When this situation is triggered I cannot locally ping any of the
>> IPv4 addresses on the machine, so clearly the communication to unbound
>> as a DNS lookup or via unbound-control are going to fail. I'm at a loss
>> as to explain why this happens :)
>> Regards,
>> --Will
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at