Maintained by: NLnet Labs

[Unbound-users] Unbound performance and firewall issues

CHABOISSEAU Samuel
Thu Mar 6 14:30:30 CET 2014


Hi,

We want to migrate our BIND servers to Unbound.
We just installed a single VM for testing purposes. Both Unbound and BIND are installed as DNS resolvers (Internet by default, and local authorities).

A single server is using this DNS resolver and everything works fine. Now, to have a valuable test for performance, we chose to produce a Web stats report with awstats from a huge Nginx log file (thousands of IP addresses to resolve).

When Unbound is started, stats take 5 times longer to produce than with BIND. Is it normal?

Second point: a firewall is installed on the VM, and *only with Unbound* I notice some rejects on the firewall, as follows:
TESTDNS kernel: [541975.554683] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=8206 PROTO=UDP SPT=53 DPT=4
It's like some hazardous packets are not kept in the conntrack table!


Thanks for your help.


Here is our Unbound configuration file :

server:
        # The following line will configure unbound to perform cryptographic
        # DNSSEC validation using the root trust anchor.
        dlv-anchor-file: "dlv.isc.org.key"
        val-permissive-mode: yes
        interface: 0.0.0.0
        interface-automatic: yes
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        pidfile: "/var/run/unbound.pid"

        # Access list
        access-control: 192.168.100.0/24 allow

        chroot: "/etc/unbound"

        root-hints: "/etc/unbound/db.root"

        # Log
        verbosity: 1
        val-log-level: 2
        use-syslog: no
        logfile: /var/log/unbound.log

        # Stats for munin
        statistics-cumulative: no
        extended-statistics: yes
        statistics-interval: 0

        hide-identity: yes
        hide-version: yes
        harden-dnssec-stripped: yes
        harden-glue: yes
        use-caps-for-id: yes
        do-not-query-localhost: no

        #
        # Optimisation
        #
        num-threads: 4
        msg-cache-slabs: 1
        rrset-cache-slabs: 1
        infra-cache-slabs: 1
        key-cache-slabs: 1

        rrset-cache-size: 512m
        msg-cache-size: 256m

        outgoing-range: 1024
        num-queries-per-thread: 512
        so-rcvbuf: 32m
        #
        # /Optimisation
        #


        #
        # CACHE
        #

        # Time to live MAX for RRsets and messages in the cache (in sec)
        cache-max-ttl: 300

        # Time to live for entries in the host cache (in sec)
        infra-host-ttl: 300

        # Message cache elements are prefetched before they expire
        prefetch: yes

        #
        # /CACHE
        #


        # ARPA
        local-zone: "10.in-addr.arpa" nodefault
        local-zone: "16.172.in-addr.arpa" nodefault
        local-zone: "30.172.in-addr.arpa" nodefault
        local-zone: "31.172.in-addr.arpa" nodefault
        local-zone: "168.192.in-addr.arpa" nodefault

        # Non DNSSEC local domains
        domain-insecure: "key.coe.int"
        domain-insecure: "ilo.coe.int"

python:
remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-interface: 192.168.100.177


#
# STUB Zones
#

# ARPA
stub-zone:
        name: "10.in-addr.arpa"
        stub-addr: 192.168.100.157
        stub-addr: 192.168.100.158
stub-zone:
        name: "100.168.192.in-addr.arpa"
        stub-addr: 192.168.100.157
        stub-addr: 192.168.100.158

stub-zone:
        name: "16.172.in-addr.arpa"
        stub-addr: 192.168.100.157
        stub-addr: 192.168.100.158

stub-zone:
        name: "30.172.in-addr.arpa"
        stub-addr: 192.168.100.157
        stub-addr: 192.168.100.158

stub-zone:
        name: "1.31.172.in-addr.arpa"
        stub-addr: 192.168.100.157
        stub-addr: 192.168.100.158


# ZONES
stub-zone:
        name: "coe.int"
        stub-addr: 192.168.100.157
        stub-addr: 192.168.100.158
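
As an added example (not part of the original mail or of Unbound itself), a small Python triage script for REJECT lines like the one quoted above: it parses the netfilter LOG fields and separates answers the resolver sends back to LAN clients (source port 53 towards the access-control subnet 192.168.100.0/24 from the configuration) from the resolver's own upstream queries (destination port 53), which is the first distinction to make when rejects appear only while Unbound is running. The log lines are constructed samples, not copied from the mail.

```python
import re
import ipaddress
from collections import Counter

# Client subnet taken from the posted unbound.conf (access-control: 192.168.100.0/24)
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.100.0/24")]

# Splits "kernel: [ts] <prefix> IN=... OUT=..." into the rule prefix and the KEY=VALUE tail
LINE_RE = re.compile(r"\]\s*(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in the same netfilter LOG format as the quoted reject
SAMPLE_LOG = """\
TESTDNS kernel: [600001.100000] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=9001 PROTO=UDP SPT=53 DPT=40123
TESTDNS kernel: [600002.200000] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=9002 PROTO=UDP SPT=53 DPT=40124
TESTDNS kernel: [600003.300000] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9003 PROTO=UDP SPT=51234 DPT=53
"""


def parse_nf_log(line):
    """Return (prefix, fields) for one netfilter LOG line; ('', {}) if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return "", {}
    return m.group("prefix"), dict(FIELD_RE.findall(m.group("fields")))


def classify(fields):
    """Label a rejected packet by what the resolver was doing with it."""
    if "SRC" not in fields or "DST" not in fields:
        return "unparsed"
    if fields.get("PROTO") != "UDP":
        return "non-udp"
    dst = ipaddress.ip_address(fields["DST"])
    if fields.get("SPT") == "53" and any(dst in net for net in ALLOWED_CLIENTS):
        return "reply-to-client"   # answer going back to a LAN client
    if fields.get("DPT") == "53":
        return "upstream-query"    # resolver asking an authoritative or stub server
    return "other"


def summarize(lines):
    """Count rejected packets per class over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        prefix, fields = parse_nf_log(line)
        if "REJECT" in prefix or "DROP" in prefix:
            counts[classify(fields)] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

A majority of "reply-to-client" hits means the firewall is discarding answers to clients whose conntrack entry is gone, whereas "upstream-query" hits point at outbound rules for the resolver's own traffic.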
