<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<pre>
</pre>
<div class="moz-cite-prefix">
<pre>On 6/15/19 1:56 PM, Ronald F. Guilmette via Unbound-users wrote:</pre>
</div>
<blockquote type="cite"
cite="mid:20935.1560632165@segfault.tristatelogic.com">
<pre class="moz-quote-pre" wrap="">In message <a class="moz-txt-link-rfc2396E" href="mailto:20190615154602.3BD08201591C0B@ary.qy"><20190615154602.3BD08201591C0B@ary.qy></a>,
John Levine <a class="moz-txt-link-rfc2396E" href="mailto:johnl@taugh.com"><johnl@taugh.com></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">In article <a class="moz-txt-link-rfc2396E" href="mailto:8edb08ac-5f86-04b7-7b7e-8bf1eb25386c@gmail.com"><8edb08ac-5f86-04b7-7b7e-8bf1eb25386c@gmail.com></a> you write:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">You may not need a "cloudish sort of place." It really depends your user
count. A residence or small business doesn't generate that many "new"
domain queries in 24 hours.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I'm pretty sure that when Ron said 64K outstanding queries, he meant
it. It's not just family members looking at Facebook.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Well, to be clear, I never said 64+K queries all "outstanding" (and as
yet unanswered) at any given moment. In fact, my hope and believe is
that my worst case for simultaneously open/pending queries would likely
be smaller than that. However I have been known to do a million or
so DNS queries in an afternoon, and depending on how the SOHO router
maintains it's table of connection-ish 4-tuples, doing that from behind
some such router might indeed cause the thing to catch fire, metaphorically
speaking.
A lot of this depends on one's defintition of an "outstanding" DNS query
also. If I do a million queries, to all sorts of things scattered all
over the place... which is something that I do routinely... then it's very
typical that as much as a quarter or more of thoes DNS queries will go
entirely unanswered due to dead delegations. So if I send out 1 million
queries over the space of, say, 3 hours, at the end of those 3 hours we
mighy say that 250,000 queries are still "outstanding" because no response
whatsoever has been received. So obviously, if the router is going to
cling onto and keep each 4-tuple that is associated with each of those, for
hours on end, and not do garbage collection early and often, then that's
going to be a problem.
To bring this back, at least vaguely, to being on topic, what is Unbound's
approach to this problem? Has anyone tried to shove a few gazllion queries
through it over a very short period of time, just to see if it could be
made to explode? If not, doing so might be entertaining.
(Memories of various videos I've seen which involve the combination of
Mentos and Diet Coke are springing immediately to mind. :-)
Regards,
rfg</pre>
</blockquote>
<pre>It's pretty much a question of kernel tuning, be it direct queries
or those going through NAT.
Many SOHO all-in-one routers are running Linux kernels.
30-60 seconds is typical. The sysctls involved might be
(from a SOHO all-in-one router with 128 MB RAM, Linux 4.19)
net.netfilter.nf_conntrack_udp_timeout = 60
net.nf_conntrack_max = 16384
depending on kernel, version, and how they manage their
stateful firewall (conntrack, being "free", is common).
16384 / 60 ~ 200 per second, with some headroom left.
> 1 million queries over [...] 3 hours < 100 per second
Of course, if you're really running that kind of DNS volume
and the TCP traffic that would usually go with it, you're
probably not using a SOHO-grade SoC for your router with
only 128 MB of RAM.
Jeff
</pre>
<pre>
</pre>
</body>
</html>