Maintained by: NLnet Labs

[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?

Bry8 Star
Tue May 28 07:43:39 CEST 2013


When "num-threads: 2", the total number of threads used by unbound.exe was 6.

Tested further, in DNS-Server (192.168.0.10), with these modified lines:

num-threads: 4
outgoing-range: 225  # when thread = 4
outgoing-num-tcp: 25
incoming-num-tcp: 25
num-queries-per-thread: 110  # when thread = 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

With the config options above, the unbound.exe service is now using
a total of 8 threads.

The thread below, under the unbound.exe process, is still using very
high CPU resources frequently, especially when unsigned.tld type of DNS
queries are attempted:

msvcrt.dll!endthreadex+0x29

Sometimes it uses so much CPU that the network interface's tray icon
changes and shows a yellow triangle with an exclamation mark, so the
network adapter stops working!

So, by using "Process Hacker" or "Process Explorer", I have changed the
priority of the "unbound.exe" service from "Normal" (8) to "Below
Normal" (6), and after that, when CPU usage jumps up, at least the
network interface itself does not get disabled, most times.

And I observed over a longer time period that the network interface gets
disabled a bit more when "num-threads: 4", so I've reverted to
using "num-threads: 2".

So now the unbound service.conf file has this configuration:

num-threads: 2
outgoing-range: 450  # when thread = 2
outgoing-num-tcp: 35
incoming-num-tcp: 35
num-queries-per-thread: 225  # when thread = 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
target-fetch-policy: "3 2 1 1 1 1"

The DNS-Server is running on a computer which has:

AMD processor 64 bit, 2.2 GHz (1 CPU with single core, SSE1, SSE2),
Realtek RTL8139/810x Family Fast Ethernet NIC,
nVidia chipset based Mobo,
2GB DDR RAM,
Windows 7 64 bit,
Its average RAM usage is around ~35%, at max ~60%,
unbound.exe 32 bit.

And the DNS-Server is now running better, but the occasional high CPU
usage problem still remains when unsigned sites are queried.

On the client-side computers, unbound resolvers are now configured to
use 2 threads and are running better, though they were running just fine
with 1 thread as well.

IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
"TO:" FIELD/Text-Box:

unbound-users at unbound.net

Please do not send any email directly to me, Thanks.

-- Bright Star (Bry8Star).



Received from Bry8 Star, on 2013-05-27 7:52 PM:
> Hi Wouter,
> 
> THANK YOU.
> 
> In DNS-Server (192.168.0.10), the config lines below are now changed to
> have these values:
> 
> num-threads: 2
> outgoing-range: 450  # when thread = 2
> outgoing-num-tcp: 25
> incoming-num-tcp: 25
> num-queries-per-thread: 225  # when thread = 2
> 
> And after restarting the Unbound DNS-Server (on the Win7 computer), I'm
> observing that the Windows thread below (under the "unbound.exe" service
> program) sometimes (not always) uses high CPU resources, especially
> when any unsigned.tld type of sites/domains are queried/resolved:
> 
> msvcrt.dll!endthreadex+0x29
> 
> I'm observing it's working much better: previously, for any type of
> site/domain DNS query, the CPU usage level used to jump up, now mostly
> for unsigned.tld type of sites.
> 
> And when CPU usage remains at a high level for around 1 or 2 minutes
> (or more), then sometimes only newer unsigned.tld type of sites
> SOMETIMES (not always) do not get resolved, and dig shows "connection
> timed out; no servers could be reached", and if exactly then DNS
> queries are done for previously queried sites/domains, it still
> works/responds correctly. So it's performing better now.
> 
> The sechost.dll did not use high CPU resources anymore.
> 
> So I need to find out what can be done so that endthreadex+0x29 from
> msvcrt.dll is not used at a massive rate by the unbound.exe service.
> 
> Received from W.C.A. Wijngaards, on 2013-05-27 6:10 AM:
>> Hi Bry8,
>>
>> You are using a lot of TCP; you should increase the incoming-num-tcp:
>> and the outgoing-num-tcp: from the default 10 to more.  Because of
>> Windows you may hit a max (try 20); on Linux you can have as much as
>> you like.  For CPU resources, you can use multiple threads (on Windows)
>> for more processing capacity (even if you do not have that many
>> cores), to be able to make more TCP connections (num-threads:).
>>
>> Unbound does not use advapi or sechost.dll itself, but uses
>> openssl.dll for security and crypto functions.
>>
>> Unbound on Windows accesses the registry infrequently.  It checks for
>> a root anchor action once in a while, and its install directory on
>> startup.  The registry keys are documented in the Windows doc (at the
>> end) on the unbound web documentation page.
>>
>> Best regards,
>>    Wouter
>>
>>
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>

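An added example, not part of the original messages and not NLnet Labs code: a small Python check for the options tuned in this thread, run over the two-thread settings posted above. The power-of-2 requirement for the *-slabs options is Unbound's own; the "slabs not below num-threads" and "num-queries-per-thread at most half of outgoing-range" checks are rules of thumb assumed here, and `parse_conf` and `check_conf` are hypothetical names.

```python
import re

# Constructed sample: the two-thread settings posted in this thread.
SAMPLE_CONF = """\
num-threads: 2
outgoing-range: 450  # when thread = 2
outgoing-num-tcp: 35
incoming-num-tcp: 35
num-queries-per-thread: 225  # when thread = 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
target-fetch-policy: "3 2 1 1 1 1"
"""

DEFAULT_NUM_TCP = 10  # default named in Wouter's reply

def parse_conf(text):
    """Return {option: value} for 'name: value' lines, ignoring # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([a-z0-9-]+):\s*(.+)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts

def check_conf(text):
    """Return a list of warnings; an empty list means the checks passed."""
    o = parse_conf(text)
    warn = []
    threads = int(o.get("num-threads", 1))
    for key in ("msg-cache-slabs", "rrset-cache-slabs",
                "infra-cache-slabs", "key-cache-slabs"):
        if key in o:
            slabs = int(o[key])
            if slabs < 1 or slabs & (slabs - 1):
                warn.append(f"{key}: {slabs} is not a power of 2")
            elif slabs < threads:  # assumed rule of thumb
                warn.append(f"{key}: {slabs} is below num-threads {threads}")
    for key in ("incoming-num-tcp", "outgoing-num-tcp"):
        if int(o.get(key, DEFAULT_NUM_TCP)) <= DEFAULT_NUM_TCP:
            warn.append(f"{key}: still at or below the default of 10")
    if "outgoing-range" in o and "num-queries-per-thread" in o:  # assumed rule
        if int(o["num-queries-per-thread"]) * 2 > int(o["outgoing-range"]):
            warn.append("num-queries-per-thread exceeds half of outgoing-range")
    return warn
```
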