Maintained by: NLnet Labs

[Unbound-users] forwarders problem

Will Yardley
Fri Jul 11 01:07:07 CEST 2014


I'm setting up Unbound for a new group of mail systems. The systems have
rbldnsd running on port 3768. I'm having trouble configuring the
forwarders statements. Additionally, uncached queries (whether to the
local rbldnsd or to external DNS servers) seem to take a bit of time.

This is the default unbound RPM for RHEL6: 1.4.21.1.el6 

Main pertinent performance-related configs are:
server:
        num-threads: 16
        outgoing-range: 8192
        so-rcvbuf: 4m
        so-sndbuf: 4m
        msg-cache-slabs: 16
        num-queries-per-thread: 4096
        rrset-cache-size: 100m
        rrset-cache-slabs: 16

(system has 2x 8 cores @ 2.60 GHz, 15k disks in RAID 10).

My config lists the forward address and alternate port as so (I've tried
changing the indenting, putting double-quotes around the forward-addr
statement, etc.).

# tail -4 /etc/unbound/unbound.conf 
forward-zone:
	name: "zen.spamhaus.org."
	forward-addr: 127.0.0.1@3768

Even though the forwarder seems to be listed (list_forwards doesn't seem
to print the alternate port information even when it's configured and
working: see below):
# unbound-control list_forwards 
zen.spamhaus.org. IN forward: 127.0.0.1

I get SERVFAIL when trying to do a lookup:
# dig @localhost 2.0.0.127.zen.spamhaus.org 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @localhost 2.0.0.127.zen.spamhaus.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54375
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 10 15:50:55 2014
;; MSG SIZE  rcvd: 44

However, the alternate port can resolve it quite quickly:
# time dig @localhost -p 3768 2.0.0.127.zen.spamhaus.org +short
127.0.0.2
127.0.0.10
127.0.0.4

real	0m0.005s
user	0m0.000s
sys	0m0.003s


However, if I add the forwarder using unbound-control, it then works;
however, the query time is quite long:

# unbound-control forward_add zen.spamhaus.org 127.0.0.1@3768
ok

# unbound-control list_forwards 
zen.spamhaus.org. IN forward: 127.0.0.1

# dig @localhost 2.0.0.127.zen.spamhaus.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @localhost 2.0.0.127.zen.spamhaus.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9595
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.	IN	A

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 300	IN	A	127.0.0.10
2.0.0.127.zen.spamhaus.org. 300	IN	A	127.0.0.4
2.0.0.127.zen.spamhaus.org. 300	IN	A	127.0.0.2

;; Query time: 1029 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 10 15:51:25 2014
;; MSG SIZE  rcvd: 92

Any suggestions (and any performance tuning tips; I did try to follow
http://unbound.net/documentation/howto_optimise.html) would be helpful.