Maintained by: NLnet Labs

[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?

Bry8 Star
Tue May 28 14:09:52 CEST 2013


Further Tests:

I have removed all stub & forwarding zones, and tested DNS-Server again.
But the problem remains. So stub or forwarding zones were not a factor.

So I've added back all types of stub and forwarding zones, and
related configurations.

PROBLEM(s) SOLVED: :)

Changed config option "tcp-upstream:" from "yes" to "no" in
DNS-Server (192.168.0.10).

And client-side computers are still using "tcp-upstream: yes".

CPU resource usage is not jumping up unfairly anymore in DNS-Server
computer, even when any unsigned.tld type of sites/domain-names are
attempted for DNS resolving from any client-side computers.

If I were to place Unbound DNS-Server (configured as in previous posts)
on an online/internet server, and connect to it directly, or
via SSH tunnel, or via Socks5-proxy tunnel, it is supposed to work
fine. In such a case, I will reduce the "outgoing-num-tcp:" &
"incoming-num-tcp:" options, from "20" to "6" or "8", or even
lower, in client-side computers, until I find which works
better for the tunnel which I will be using to connect to the
remote online Unbound.

:)

Thanks, to users who have helped on this.

IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
"TO:" FIELD/Text-Box:

unbound-users at unbound.net

Please do not send any email directly to me, Thanks.

-- Bright Star (Bry8Star).




Received from Bry8 Star, on 2013-05-27 10:43 PM:
> When "num-threads: 2" then total threads used by unbound.exe was 6.
> 
> Tested further, in DNS-Server (192.168.0.10), with these modified lines:
> 
> num-threads: 4
> outgoing-range: 225  # when thread = 4
> outgoing-num-tcp: 25
> incoming-num-tcp: 25
> num-queries-per-thread: 110  # when thread = 4
> msg-cache-slabs: 4
> rrset-cache-slabs: 4
> infra-cache-slabs: 4
> key-cache-slabs: 4
> 
> With config options such as above, the unbound.exe service is now using
> a total of 8 threads.
> 
> The process thread below, under unbound.exe, is still using very high CPU
> resources, frequently, and especially when unsigned.tld type of DNS
> queries are attempted:
> 
> msvcrt.dll!endthreadex+0x29
> 
> Sometimes it uses so much CPU that the network interface's tray icon
> changes, and shows a yellow triangle with exclamation mark, so the network
> adapter stops working!
> 
> So, by using "Process Hacker" or "Process Explorer", I have changed the
> priority of the "unbound.exe" service from "Normal" (8) to "Below
> Normal" (6), and after that, when CPU usage jumps up, at least the
> network interface itself does not get disabled, most times.
> 
> And I observed over a longer time period that the network interface gets
> disabled a bit more when "num-threads: 4", so I've reverted back to
> using "num-threads: 2".
> 
> So now unbound service.conf file has such configuration:
> 
> num-threads: 2
> outgoing-range: 450  # when thread = 2
> outgoing-num-tcp: 35
> incoming-num-tcp: 35
> num-queries-per-thread: 225  # when thread = 2
> msg-cache-slabs: 2
> rrset-cache-slabs: 2
> infra-cache-slabs: 2
> key-cache-slabs: 2
> target-fetch-policy: "3 2 1 1 1 1"
> 
> DNS-Server is running on a computer which has:
> 
> AMD processor 64 bit, 2.2 GHz, ( 1 CPU with
> single core, SSE1, SSE2),
> Realtek RTL8139/810x Family Fast Ethernet NIC,
> nVidia chipset based Mobo,
> 2GB DDR RAM,
> Windows 7 64 bit,
> Its average RAM usage is around ~35%, at max ~60%,
> unbound.exe 32 bit.
> 
> And DNS-Server is now running better, but occasional high CPU usage
> problem still remained when unsigned sites are queried.
> 
> In client side computers, unbound resolvers are now configured to
> use 2 threads and running better, though they were running just fine
> with 1 thread as well.
> 
> IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
> "TO:" FIELD/Text-Box:
> 
> unbound-users at unbound.net
> 
> Please do not send any email directly to me, Thanks.
> 
> -- Bright Star (Bry8Star).
> 
> 
> 
> Received from Bry8 Star, on 2013-05-27 7:52 PM:
>> Hi Wouter,
>>
>> THANK YOU.
>>
>> In DNS-Server (192.168.0.10), below config lines are now changed to
>> have such values:
>>
>> num-threads: 2
>> outgoing-range: 450  # when thread = 2
>> outgoing-num-tcp: 25
>> incoming-num-tcp: 25
>> num-queries-per-thread: 225  # when thread = 2
>>
>> And after restarting Unbound DNS-Server (in Win7 computer), I'm
>> observing that the Windows thread below (under the "unbound.exe" service
>> program) sometimes (not always) uses high CPU resources, especially
>> when any unsigned.tld type of sites/domains are queried/resolved:
>>
>> msvcrt.dll!endthreadex+0x29
>>
>> I'm observing it's working much better: previously, for any type of
>> site/domain DNS query, CPU usage level used to jump up, now mostly
>> for unsigned.tld type of sites.
>>
>> And when CPU usage remains at high level for around 1 or 2 minutes
>> (or more), then sometimes only newer unsigned.tld type of sites,
>> SOMETIMES (not always) do not get resolved, and dig shows "connection
>> timed out; no servers could be reached", and, if exactly then, DNS
>> queries are done for previously queried sites/domains, it still
>> works/responds correctly. So it's performing better now.
>>
>> The sechost.dll did not use high CPU resources anymore.
>>
>> So I need to find out what can be done, so that endthreadex+0x29 from
>> msvcrt.dll is not used at a massive rate by the unbound.exe service.
>>
>> IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
>> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
>> "TO:" FIELD/Text-Box:
>>
>> unbound-users at unbound.net
>>
>> Please do not send any email directly to me, Thanks.
>>
>> -- Bright Star (Bry8Star).
>>
>>
>>
>>
>> Received from W.C.A. Wijngaards, on 2013-05-27 6:10 AM:
>>> Hi Bry8,
>>>
>>> You are using a lot of TCP, you should increase the incoming-num-tcp:
>>> and the outgoing-num-tcp: from the default 10 to more.  Because of
>>> windows you may hit a max (try 20), on Linux you can have as much as
>>> you like.  CPU resources, you can use multiple threads (on windows)
>>> for more processing capacity (even if you do not have that many
>>> cores), to be able to make more TCP connections (num-threads:).
>>>
>>> Unbound does not use advapi or sechost.dll itself, but uses
>>> openssl.dll for security and crypto functions.
>>>
>>> Unbound on windows accesses the registry infrequently.  It checks for
>>> a root anchor action once in a while, and its install directory on
>>> startup.  The registry keys are documented in the windows doc (at the
>>> end) on the unbound web documentation page.
>>>
>>> Best regards,
>>>    Wouter
>>>
>>>
>>> _______________________________________________
>>> Unbound-users mailing list
>>> Unbound-users at unbound.net
>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>>