<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" alink="#EE0000" link="#0B6CDA" text="#000000"
vlink="#551A8B">
Following the advise I found out, while running "unbound-control
dump_requestlist", what seems to be Unbound trying to resolve IPV6
address instead IPV4.<br>
<br>
I do not have IPV6 configured on the server, and have "do-ip6: no"
explicitly in unbound.conf.
<p><font color="#999999" size="-1">thread #0<br>
# type cl name seconds module status<br>
0 A IN blade.4t2.com. - iterator wait for 217.11.57.53<br>
1 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.edicron.com">www.edicron.com</a>. 40.960788 iterator wait for
217.160.83.143<br>
2 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.edicron.com.privacychain.ch">www.edicron.com.privacychain.ch</a>. 10.932778 iterator
wait for 185.148.76.30<br>
3 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.tubetown.de">www.tubetown.de</a>. 6.024901 iterator wait for
88.198.65.232<br>
4 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.eurotubes.com">www.eurotubes.com</a>. 11.084678 iterator wait for
208.109.255.22<br>
5 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.tubemonger.com">www.tubemonger.com</a>. 10.982738 iterator wait for
69.49.191.246<br>
6 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.diyhifisupply.com">www.diyhifisupply.com</a>. 40.981773 iterator wait for
216.35.197.129<br>
7 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.diyhifisupply.com.privacychain.ch">www.diyhifisupply.com.privacychain.ch</a>. 10.954016
iterator wait for 185.148.76.30<br>
8 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.hificollective.co.uk">www.hificollective.co.uk</a>. 41.052734 iterator wait
for 212.67.202.2<br>
9 AAAA IN <a class="moz-txt-link-abbreviated" href="http://www.hificollective.co.uk.privacychain.ch">www.hificollective.co.uk.privacychain.ch</a>. 11.024719
iterator wait for 46.16.200.135</font><br>
</p>
Thank you.<br>
<br>
<div class="moz-cite-prefix">On 25/10/16 13:28, Daniel Ryšlink via
Unbound-users wrote:<br>
</div>
<blockquote
cite="mid:23f4ee00-4e92-e482-1c69-610e637e4701@dialtelecom.cz"
type="cite">For the record, I am also running the latest version
of Unbound (1.5.10) on FreeBSD 10.3 with libevent compilation
option, and I have no problems whatsoever.
<br>
<br>
Recommended things to check:
<br>
<br>
- sysctl limits for network buffers, expecially TCP buffers, since
the penetration of DNSSec means that TCP based DNS traffic is
increasing.
<br>
<br>
- in case you use stateful firewall, check limits for max number
of states, since you can run out quite easily. Stateless rules for
DNS traffic are recommended. Also limit for maximum fragmented
packet limits.
<br>
<br>
- try to monitor your system resource usage, especially memory -
do you have enough? does the system swap during peaks in traffic?
<br>
<br>
- check logs for messages concerning failures to send packets,
limits for various resources reached, etc
<br>
<br>
Also, my servers are constantly bombarded by bogus queries about
bogus domains featuring non-responsive authoritative nameservers
(targets of some DDOS attack, if I understand it correctly), and
such queries can exhaust your resources rapidly, since each
unresolved TCP query consumes a portion of memory before it times
out. Use the command "unbound-control dump_requestlist" to check
what queries are being resolved during the time the server appears
to be non-responsive/slow. I had to implement a countermeasure
that recognizes these bogus queries and replies with NXDOMAIN
RCODE immediately, saving the resolver's memory for legitimate
traffic.
<br>
<br>
I am not saying that there cannot be a problem with the newest
version of Unbound, just reporting everything is fine here and
trying to provide some tips.
<br>
<br>
</blockquote>
<br>
</body>
</html>