Maintained by: NLnet Labs

[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?

Bry8 Star
Tue May 28 04:52:39 CEST 2013


Hi Wouter,

THANK YOU.

In DNS-Server (192.168.0.10), below config lines are now changed to
have such values:

num-threads: 2
outgoing-range: 450  # when thread = 2
outgoing-num-tcp: 25
incoming-num-tcp: 25
num-queries-per-thread: 225  # when thread = 2

And after restarting Unbound DNS-Server (in Win7 computer), i'm
observing, below windows thread (under the "unbound.exe" service
program) sometime, (not always), using high CPU resources, specially
when any unsigned.tld type of sites/domains are queried/resolved:

msvcrt.dll!endthreadex+0x29

I'm observing its working much better : previously, for any type of
site/domain DNS query, CPU usage level used to jump up, now mostly
for unsigned.tld type of sites.

And when CPU usage remains at high level for around 1 or 2 minutes
(or more), then sometime only newer unsigned.tld type of sites,
SOMETIME (not always) do not get resolved, and dig shows "connection
timed out; no servers could be reached", and, if exactly then, DNS
queries are done for previously queried sites/domains, it still
works/responds correctly. So its performing better now.

The sechost.dll did not use high CPU resources anymore.

So need to find out, what can be done, so that endthreadex+0x29 from
msvcrt.dll is not used in massive rate by the unbound.exe service.

IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
"TO:" FIELD/Text-Box:

unbound-users at unbound.net

Please do not send any email directly to me, Thanks.

-- Bright Star (Bry8Star).




Received from W.C.A. Wijngaards, on 2013-05-27 6:10 AM:
> Hi Bry8,
> 
> You are using a lot of TCP, you should increase the incoming-num-tcp:
> and the outgoing-num-tcp: from the default 10 to more.  Because of
> windows you may hit a max (try 20), on Linux you can have as much as
> you like.  CPU resources, you can use multiple threads (on windows)
> for more processing capacity (even if you do not have that many
> cores), to be able to make more TCP connections (num-threads:).
> 
> Unbound does not use advapi or sechost.dll itself, but uses
> openssl.dll for security and crypto functions.
> 
> Unbound on windows accesses the registry infrequently.  It checks for
> a root anchor action once in a while, and its install directory on
> startup.  The registry keys are documented in the windows doc (at the
> end) on the unbound web documentation page.
> 
> Best regards,
>    Wouter
> 
> 
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20130527/e507ffed/attachment.sig>