Maintained by: NLnet Labs

Remote (unbound-anchor) increase CPU after unbound 1.5.8

Luiz Fernando Softov
Thu Nov 10 05:02:18 CET 2016


​​
Hi all.

I have a custom daemon
​ in C​
, that connect to unbound (remove control)
​​
and get stats
​​
, using stat_noreset.

​Using this
I can create real
​-​
time stats, in interface, like
​
​http://prntscr.com/d5cecc
​

​So, a
fter unbound 1.5.8 (eg: 1.5.9, 1.5.10)
​, using calls like unbound-control does,​
the use of CPU increase significantly.

And, it's increase de CPU of both daemons unbound and my daemon.

​I was thinking this is because SSL. Because I was using 1.0.1, and unbound
in ports (freebrs), force to install openssl 1.0.2.

​But, s
ince I'm in loopback (localhost),
​and, ​
I'm using

​
control-use-cert: no
​

​I think this problem was introduced after the version i was using before
(1.5.3).​


After some research,
​reinstall​
 openSSL
​ (this is hard, because i need to recompile a lot of daemons after this)​
,
​ my daemon (of course),
use another machine, etc.
​ ​
I found
​ this​
:

- ​
[bugzilla: 770 ]
- ​F​
ix Small subgroup attack on DH used in unix pipe on localhost if unbound
​ ​
control uses a unix local named pipe.

So, i get the source of 1.5.10, and make some changes to do like before, in
1.5.8.

I put back in daemon/remote.c the get_dh1024()
​ function ​
​(​
With some changes, if/else like in source of 1.5.10
​)​
.

Then, is work well, the cpu is 0%, with the daemon calling stat_noreset
each second.

You can try this, calling unbound-anchor stats_noreset, more than you call,
more the CPU get high.

This change
​, in ​
bugzilla 770
​,​
is really necessary?
​


I also ready the last comment.

​- ​
This is not a security issue.  The control socket is intended to be
protected only by Unix file and directory permissions.  The only
reason why the connection is encrypted is that there is no clean
separation in the code and adding support for an unencrypted control
connection would have required a huge amount of refactoring.

Since this is not a secure issue, and this can increase CPU without need.

The daemon and unbound are in the same machine, in a custom release, where
the user can't have access, and can't do anything.


Maybe a change in unbound, to get a new unbound.conf, to not use SSL at all
(i know this is hard to be done) or make it to consume less CPU, alternates
to use between 1024 or 2048. This is the first time I am reading unbound
source, and I not know much about libssl.

But, in this case, i need a way to chose between security and performance.

​ps,
I also recommend to do a if before calling SSL_CTX_set_tmp_dh
​, to check if get_dh is called right.​


​
​
    ​
dh =
​
get_dh1024();
​​

​​
if (dh == NULL) {

​
log_crypto_err("Failed to get DH params");

​
daemon_remote_delete(rc);
        return NULL;
​​
    }

​
    if(!SSL_CTX_set_tmp_dh(rc->ctx, dh)) {​





​​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20161110/17e8d550/attachment.html>