<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Thanks for your reply. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">This is indeed true. There are no complaints from clients about queries being dropped, and in reality it's a small number of requests per second currently, which is expected as you say. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Either clients retry and get success or stop trying for a while. Either way, unbound seems to be operating normally. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">I was just doing some due diligence from my side before updating our fleet of unbound servers. I did look at the release notes in the unbound GitHub, but in hindsight I should have also checked the changelogs on the Ubuntu side. Thanks for pointing that out. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Just to be 100% sure, I have compiled unbound 1.20.0 on one ubuntu 20 VM and I can see the non-zero values for requestlist exceeded. It appears that Ubuntu did not backport this fix for any other unbound versions, and just compiling 1.13.1 on ubuntu 20 does not implement the fix for the DNS BOMB CVE, of course. For ubuntu 20 we need to run 1.20.0 compiled, or upgrade to ubuntu 22 and run 1.13.1 from the distro package, which has the backported fix. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">I will try to find a ratio between queries answered vs queries dropped to set up some meaningful alerts. The previous non-zero alert does not make sense. </div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Once again thank you for taking the time to reply. Appreciate it! 
</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 24 Jul 2024 at 23:31, Olivier Benghozi via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl">unbound-users@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Very simple.<div><br></div><div>As you can see here:</div><div><a href="https://changelogs.ubuntu.com/changelogs/pool/main/u/unbound/unbound_1.13.1-1ubuntu5.5/changelog" target="_blank">https://changelogs.ubuntu.com/changelogs/pool/main/u/unbound/unbound_1.13.1-1ubuntu5.5/changelog</a><br></div><div><br></div><div>... Ubuntu has backported to 1.13.1 the CVE-2024-33655 / DNSBomb patch from Unbound 1.20.0, described in their own release notes here:</div><div><a href="https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0" target="_blank">https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0</a><br></div><div><br></div><div><br></div><div>This fix basically kills the queued requests that are waiting for a recursive resolution, for which there's nothing known in the cache, and that have been waiting for way too long; that is, the attempt to resolve in a proper amount of time, compatible with the usual DNS client timeouts, is failing – maybe because the authoritative DNS servers are not answering.</div><div><br></div><div>Answering these requests would have been useless anyway, as the client is not waiting for an answer anymore after a few seconds (because of its own timeout). </div><div><br></div><div>Therefore, you now see dropped queries counters incrementing, and it's expected (as you will always have a few authoritative servers not responding).</div><div><br></div><div>Shorter: all is fine.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 24 Jul 
2024 at 22:27, Shanmuga Rao via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank">unbound-users@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:'trebuchet ms',sans-serif"><div>Our ubuntu 20 vms run unbound version 1.9.4. </div><div>We received new ubuntu 22 vms and installed unbound version 1.13.1 via the package manager. I have started noticing that on the ubuntu 22 machines, the <b>total.requestlist.exceeded</b> stat started getting non-zero values. unbound v1.9.4 in ubuntu 20 always shows 0. </div><div><br></div><div>The queries received by each node look to be at most 20k or less and are distributed equally. All sysctl parameters are identical between ubuntu 20 and ubuntu 22 vms. Unbound config is identical on both. Most unbound.conf parameters are left at defaults; the following are the important ones I believe influence unbound performance. </div><div><br></div><div> num-threads: 8</div><div> outgoing-range: 60000<br></div><div> num-queries-per-thread: 30000<br></div><div> so-reuseport: yes</div><div> module-config: "iterator"<br></div><div> msg-cache-slabs: 2<br> rrset-cache-slabs: 2<br> infra-cache-slabs: 2<br> key-cache-slabs: 2<br> rrset-cache-size: 512m<br> msg-cache-size: 256m<br> so-rcvbuf: 4m<br> so-sndbuf: 4m<br></div><div><br></div><div>Unbound service starts and occupies available ports and FDs. CPU and memory utilisation on both are very minimal, 
less than 25%. </div><div># ulimit -n<br>1048576</div><div>unbound[764890:0] debug: total of 59463 outgoing ports available</div><div><b>Ubuntu 20 stats_noreset: </b></div><div>total.num.queries=15979<br><b>total.requestlist.max=5<br></b><b>total.requestlist.exceeded=0</b><br><b>total.requestlist.current.all=9<br>total.requestlist.current.user=7</b><br><br></div><div><b>Ubuntu 22 stats_noreset: </b></div><div>total.num.queries=9157<br><b>total.requestlist.max=5<br></b><b>total.requestlist.exceeded=3<br>total.requestlist.current.all=3<br>total.requestlist.current.user=3</b><br><br></div><div>ubuntu 22 systems constantly have non-zero values. Ubuntu 20 systems and even CentOS 7 (unbound version 1.7.1) always have zero. As per my understanding of the config parameters, the system itself has enough resources available to handle at least 2x the current traffic. </div><div><br></div><div>As a test I have compiled version 1.13.1 on an ubuntu 20 VM and still the request list exceeded stat is zero. On Ubuntu 22 I have also compiled and installed the latest unbound version 1.20.0 and it's still the same: non-zero values. </div><div><br></div><div>I can see that the queries dropped are less than 1 req/s, but it's still confusing since it's only seen on ubuntu 22 vms with little resource utilisation.</div><div><br></div><div>Has anyone run into something similar? Do you know if any ubuntu 22 specific parameters should be modified? Happy to provide more information if needed. </div></div></div>
</blockquote></div></div>
<br>
</blockquote></div>
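<p>The reply above proposes alerting on the ratio of dropped to answered queries rather than on a non-zero <b>total.requestlist.exceeded</b>. The following is an added example, not code from the thread or from the Unbound project: it parses the <code>key=value</code> format of <code>unbound-control stats_noreset</code>, differences two cumulative samples, and alerts on the dropped share. The sample text is constructed from the Ubuntu 22 numbers quoted in the thread, and the thresholds are assumptions to tune per fleet.</p>

```python
"""Added example: turn unbound's cumulative stats into a drop-ratio alert.

Parses the output format of `unbound-control stats_noreset` (the command quoted in
the thread); the sample text is constructed from the thread's Ubuntu 22 numbers and
the thresholds are assumptions to tune per fleet.
"""
from typing import Dict

Stats = Dict[str, float]

# Constructed sample in the `key=value` format of `unbound-control stats_noreset`.
SAMPLE_STATS = """\
total.num.queries=9157
total.requestlist.max=5
total.requestlist.exceeded=3
total.requestlist.current.all=3
total.requestlist.current.user=3
"""

def parse_stats(text: str) -> Stats:
    """Parse `key=value` lines; malformed or non-numeric lines are skipped."""
    stats: Stats = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        try:
            stats[key] = float(value)
        except ValueError:
            continue
    return stats

def interval_delta(prev: Stats, cur: Stats) -> Stats:
    """stats_noreset counters only grow, so rate them by differencing two samples;
    a counter that went backwards means unbound restarted, so take it as-is."""
    return {k: (v if v < prev.get(k, 0.0) else v - prev.get(k, 0.0)) for k, v in cur.items()}

def drop_ratio(stats: Stats) -> float:
    """Share of queries dropped from the request list (0.0 when idle)."""
    total = stats.get("total.num.queries", 0.0)
    return stats.get("total.requestlist.exceeded", 0.0) / total if total > 0 else 0.0

def should_alert(stats: Stats, max_ratio: float = 0.01, min_queries: int = 1000) -> bool:
    """Alert on the dropped share, not on the counter being non-zero: a few drops per
    interval are expected once queries to unresponsive authoritatives time out."""
    return stats.get("total.num.queries", 0.0) >= min_queries and drop_ratio(stats) > max_ratio
```

Run it against two consecutive samples per node (for example, one per minute) and feed <code>interval_delta</code> into <code>should_alert</code>, so that a restart or a long-running uptime does not skew the ratio.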