Maintained by: NLnet Labs

Unbound: slow issues.

Daniel Ryšlink
Tue Oct 25 17:28:53 CEST 2016


For the record, I am also running the latest version of Unbound (1.5.10) 
on FreeBSD 10.3 with libevent compilation option, and I have no problems 
whatsoever.

Recommended things to check:

- sysctl limits for network buffers, especially TCP buffers, since the 
penetration of DNSSEC means that TCP based DNS traffic is increasing.

- in case you use a stateful firewall, check limits for the max number of 
states, since you can run out quite easily. Stateless rules for DNS 
traffic are recommended. Also check the limit for the maximum number of 
fragmented packets.

- try to monitor your system resource usage, especially memory - do you 
have enough? Does the system swap during peaks in traffic?

- check logs for messages concerning failures to send packets, limits 
for various resources reached, etc.

Also, my servers are constantly bombarded by bogus queries about bogus 
domains featuring non-responsive authoritative nameservers (targets of 
some DDoS attack, if I understand it correctly), and such queries can 
exhaust your resources rapidly, since each unresolved TCP query consumes 
a portion of memory before it times out. Use the command 
"unbound-control dump_requestlist" to check what queries are being 
resolved during the time the server appears to be non-responsive/slow. I 
had to implement a countermeasure that recognizes these bogus queries 
and replies with NXDOMAIN RCODE immediately, saving the resolver's 
memory for legitimate traffic.

I am not saying that there cannot be a problem with the newest version 
of Unbound, just reporting everything is fine here and trying to provide 
some tips.

-- 
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------
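The advice above to inspect "unbound-control dump_requestlist" and to answer bogus names locally with NXDOMAIN can be automated. The script below is an added example written for this thread, not Daniel's countermeasure and not code from NLnet Labs: it parses a dump, counts how many queries per parent domain have been waiting longer than a threshold, and renders unbound.conf "local-zone ... static" lines (a static local-zone with no local-data answers NXDOMAIN without touching the network). The sample dump is constructed; the column order (id, type, class, name, seconds, module, status) and the "-" placeholder for a query with no wait time yet are assumptions about the dump_requestlist format, and the two-label "parent domain" heuristic is a simplification that ignores the public suffix list.

```python
"""Flag parent domains whose queries pile up in Unbound's request list.

Added example for the Unbound-users thread on slow resolution; it is not
the countermeasure described in the thread and not NLnet Labs code.
"""
from collections import Counter

# Constructed sample of `unbound-control dump_requestlist` output.
# Field layout (id, type, class, name, seconds, module, status) is an
# assumption about the format; adjust parse_requestlist() if yours differs.
SAMPLE_DUMP = """\
thread #0
#   type cl name    seconds    module status
  0    A IN www.example.org. - iterator wait for 192.0.2.10
  1    A IN a1b2c3.junk-target.example. 4.91 iterator wait for 198.51.100.7
  2    A IN d4e5f6.junk-target.example. 4.88 iterator wait for 198.51.100.7
  3 AAAA IN g7h8i9.junk-target.example. 4.80 iterator wait for 198.51.100.8
  4    A IN j0k1l2.junk-target.example. 3.77 iterator wait for 198.51.100.7
  5    A IN m3n4o5.junk-target.example. 3.51 iterator wait for 198.51.100.8
  6   MX IN mail.example.net. 0.20 validator wait for 192.0.2.20
thread #1
#   type cl name    seconds    module status
  0    A IN p6q7r8.junk-target.example. 4.70 iterator wait for 198.51.100.7
  1    A IN example.com. - iterator wait for 192.0.2.30
"""


def parse_requestlist(text):
    """Return a list of (qname, seconds_pending) for every in-flight query.

    "thread #N" banners and "#"-prefixed header lines are skipped; a "-" in
    the seconds column (no wait time recorded yet) is treated as 0.0.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("thread") or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; ignore rather than crash
        qname = fields[3].rstrip(".").lower()
        seconds = 0.0 if fields[4] == "-" else float(fields[4])
        entries.append((qname, seconds))
    return entries


def parent_domain(qname, labels=2):
    """Collapse a name to its last `labels` labels (simplified heuristic;
    a real deployment would consult the public suffix list)."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) > labels else qname


def find_stalled_domains(entries, min_pending=5, min_seconds=2.0):
    """Return {parent_domain: count} for parents with at least min_pending
    queries that have each waited at least min_seconds.

    The age filter is what separates a legitimately popular domain (answered
    quickly, so it rarely accumulates old entries) from a domain whose
    authoritative servers never answer and whose queries sit until timeout.
    """
    counts = Counter()
    for qname, seconds in entries:
        if seconds >= min_seconds:
            counts[parent_domain(qname)] += 1
    return {d: n for d, n in counts.items() if n >= min_pending}


def render_local_zones(domains):
    """Render unbound.conf lines that answer NXDOMAIN locally: a `static`
    local-zone with no local-data returns NXDOMAIN without any upstream
    lookups, so the stalled queries stop consuming request-list memory."""
    return "\n".join('local-zone: "%s." static' % d for d in sorted(domains))


if __name__ == "__main__":
    stalled = find_stalled_domains(parse_requestlist(SAMPLE_DUMP))
    for domain, pending in stalled.items():
        print("# %s: %d queries pending" % (domain, pending))
    print(render_local_zones(stalled))
```

Run it against live output with `unbound-control dump_requestlist | python3 this_script.py` after swapping SAMPLE_DUMP for `sys.stdin.read()`; review the flagged list by hand before loading it, since the heuristic will happily flag a busy legitimate domain whose nameservers are merely having a bad day. The rendered lines can go into a file under the conf.d include directory, or be applied at runtime with `unbound-control local_zone <name> static` and later withdrawn with `unbound-control local_zone_remove <name>`.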

On 25.10.2016 16:55, tailings--- via Unbound-users wrote:
> Please, let me add I am using LibreSSL instead of OpenSSL.
>
> Thank you.
>
>
> On 23/10/16 20:25, tailings--- via Unbound-users wrote:
>> Hello,
>>
>> I am running Unbound on FreeBSD, initially 10.3 and now 11. I tried 
>> the one from the FreeBSD base, and now the port (unbound-1.5.10) 
>> compiled with libevent support.
>>
>> The problem I am experiencing is that, from time to time, Unbound 
>> becomes utterly slow or does not resolve anything, or almost anything.
>>
>> I made several changes to the unbound.conf file and the problem now 
>> returns about once a day when only I (one user) am using Unbound as 
>> resolver. If a second user begins to use Unbound at the same time, it 
>> becomes slow as described until it has just one user again.
>>
>> I opened a post on the FreeBSD forum, which has more information:
>>
>> https://forums.freebsd.org/threads/57493/
>>
>> I need to add that I also tried, without success, disabling the PF 
>> firewall, looking for any kind of firewall-related issue. Also, this 
>> is my current unbound.conf:
>>
>>
>> # This file was generated by local-unbound-setup.
>> # Modifications will be overwritten.
>> server:
>>         port: 53
>>         username: unbound
>>         directory: /usr/local/etc/unbound
>>         chroot: /usr/local/etc/unbound
>>         pidfile: /usr/local/etc/unbound/unbound.pid
>>         auto-trust-anchor-file: /usr/local/etc/unbound/root.key
>>         root-hints: "/usr/local/etc/unbound/root.hints"
>>
>>         logfile: log/unbound.log
>>         log-time-ascii: yes
>>         val-log-level: 2
>>
>>         do-ip6: no
>>         do-tcp: yes
>>
>>         interface: 127.0.0.2
>>         interface: 192.168.0.220
>>
>>         access-control: 127.0.0.2/16 allow
>>         access-control: 192.168.0.0/24 allow
>>
>>         private-address: 192.168.0.0/24
>>         private-domain: mydomain.com
>>
>>         qname-minimisation: yes
>>         minimal-responses: no
>>         hide-identity: yes
>>         hide-version: yes
>>         do-not-query-localhost: no
>>         val-clean-additional: yes
>>
>>         harden-glue: yes
>>         harden-dnssec-stripped: yes
>>
>>         unwanted-reply-threshold: 10000
>>
>>         prefetch: yes
>>         prefetch-key: yes
>>
>>         cache-min-ttl: 3600
>>         cache-max-ttl: 86400
>>
>>         num-threads: 4
>>         msg-cache-slabs: 8
>>         rrset-cache-slabs: 8
>>         infra-cache-slabs: 8
>>         key-cache-slabs: 8
>>         rrset-cache-size: 100m
>>         msg-cache-size: 50m
>>         outgoing-range: 8192
>>         num-queries-per-thread: 4096
>>         so-rcvbuf: 1m
>>         so-sndbuf: 1m
>>
>>         unblock-lan-zones: yes
>>         insecure-lan-zones: yes
>>
>> include: /usr/local/etc/unbound/conf.d/*.conf
>>
>> #forward-zone:
>> #       name: .
>> #       forward-addr: 189.38.95.95
>> #       forward-addr: 189.38.95.96
>>
>> remote-control:
>>         control-enable: yes
>>         control-interface: /usr/local/etc/unbound/unbound.ctl
>>         control-use-cert: no
>>
>>
>> Thank you!
>> Alex.
>