[Unbound-users] Unbound periodically stops responding
wouter at nlnetlabs.nl
Mon Sep 3 07:25:07 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
On 09/01/2012 11:11 AM, Bry8 Star wrote:
> I have done few more tests and what i observed are mentioned
> By using 'Process Hacker' type of windows process manipulation and
> management tool:
> Can 'Unbound' be re-coded ? to use its own DLL and
> CryptVerifySignatureW function calls on windows for DNSSEC
Unbound only starts one thread on windows (unless you configure
num-threads differently), from unbound.exe. Unbound does not use the
windows-api-CryptVerifySignatureW. Unbound uses OpenSSL for
verification, and this happens inside its thread.
advapi32.dll is some part of the windows API. Unbound makes use of
few OS calls (start the service, simple read/write files, network stuff).
Thus, Unbound is already re-coded, and it uses OpenSSL routines for
verification of DNSSEC signatures. I do not know where this other
thread came from.
> -- Bry8Star.
> On 8/31/2012 6:27 PM, Bry8 Star wrote:
>> By using "Process Explorer" or "Process Hacker" tool, i can see
>> that, unbound.exe windows service is using two threads: (1)
>> advapi32.dll!CryptVerifySignatureW+0x17 (2) unbound.exe And this
>> 1st thread, uses high amount of CPU resource periodically and
>> when any app is requesting DNS queries.
>> What can be done to lower the cpu usage of that thread or
>> improve performance ?
>> If i were to change thread priority of that to BelowNormal, will
>> it affect only Unbound Validator windows service, or, will affect
>> the entire Windows system ?
>> -- Bry8Star.
>> On 8/31/2012 2:28 AM, Bry8 Star wrote:
>>> I will try to help myself & others.
>>> The "iterator validator" option will not work/validate.
>>> Below config file gave me better result (on Windows XP), you
>>> may try this out and suit to your need:
>>> - - - - - - - - - - - - - - - - # BEGIN of service.conf /
>>> unbound.conf file # Last Modified 2012-08-31 01:30 # Copyright
>>> (C) 2012 Bry8Star. (bry8 star a.t ya hoo d.o.t c om) server:
>>> verbosity: 1 # logs errors & operational info #verbosity: 0 #
>>> logs errors statistics-interval: 0 statistics-cumulative: "no"
>>> extended-statistics: "no" num-threads: 1 interface: 127.0.0.1
>>> interface: 192.168.0.10 # My Network Adapter's IP adrs
>>> interface: ::1 interface-automatic: "no" port: 53
>>> outgoing-interface: 192.168.0.10 outgoing-range: 950
>>> outgoing-port-permit: 52000-56096 outgoing-port-avoid:
>>> incoming-num-tcp: 25 so-rcvbuf: 8m so-sndbuf: 8m
>>> edns-buffer-size: 4096 msg-buffer-size: 65552 msg-cache-size:
>>> 48m msg-cache-slabs: 1 num-queries-per-thread: 475
>>> jostle-timeout: 200 rrset-cache-size: 96m rrset-cache-slabs: 1
>>> cache-min-ttl: 0 cache-max-ttl: 21600 # 6 hours infra-host-ttl:
>>> 900 infra-cache-slabs: 1 infra-cache-numhosts: 10000 do-ip4:
>>> "yes" do-ip6: "no" # for now do-udp: "yes" do-tcp: "yes"
>>> tcp-upstream: "no" do-daemonize: "yes" access-control:
>>> 0.0.0.0/0 refuse access-control: ::0/0 refuse access-control:
>>> 127.0.0.0/8 allow access-control: 192.168.0.10/24 allow
>>> access-control: ::1 allow logfile: "C:\Program
>>> Files\Unbound\unbound.log" use-syslog: "no" log-time-ascii:
>>> "yes" log-queries: "no" root-hints: "C:\Program
>>> Files\Unbound\named.cache" hide-identity: "yes" hide-version:
>>> "yes" identity: "DNS" version: "1.0.0" target-fetch-policy: "0
>>> 0 0 0 0 0" harden-short-bufsize: "no" harden-large-queries:
>>> "no" harden-glue: "yes" harden-dnssec-stripped: "yes"
>>> harden-below-nxdomain: "no" harden-referral-path: "no"
>>> use-caps-for-id: "no" unwanted-reply-threshold: 8000 prefetch:
>>> "yes" prefetch-key: "yes" rrset-roundrobin: "yes"
>>> minimal-responses: "no" module-config: "validator iterator"
>>> dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key" #
>>> Downloaded from http://ftp.isc.org/www/dlv/dlv.isc.org.key #
>>> DLV, DNS Lookaside Validation, for the root
>>> auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
>>> #domain-insecure: "TLD" # TLDs from various TLD providers
>>> val-bogus-ttl: 60 val-sig-skew-max: 86400 val-clean-additional:
>>> "yes" val-permissive-mode: "no" ignore-cd-flag: "yes"
>>> val-log-level: 1 # log validation failed queries
>>> #val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
>>> key-cache-size: 48m key-cache-slabs: 1 neg-cache-size: 36m #
>>> Blocking below TLDs, can also be used to block sites
>>> local-zone: "onion." refuse # disallow to go via public route
>>> local-zone: "i2p." refuse # suppose to go via proxy route
>>> remote-control: control-enable: "no" # stub-zones SZ, for TLDs
>>> from other TLD providers (root opr) # Forward zones FZ, if used
>>> hostname/namesrvr in stub-zones # Default Forward Root Zone:
>>> #forward-zone: #name: "." # You may use your ISP dns, for bit
>>> faster results. #forward-addr: i.p.adrs.1 # ISP DNS /
>>> Recursive/Caching #forward-addr: i.p.adrs.2 # ISP DNS /
>>> Recursive/Caching # Or use other root caching or recursive dns
>>> servers. # END of service.conf / unbound.conf file - - - - - -
>>> - - - - - - - - - -
>>> I express thanks to various users from various IRC channels who
>>> has helped with various suggestions.
>>> If you have better performing config file, then please share,
>>> thanks in advance.
>>> And use this below technique to run the 'Unbound DNS Validator'
>>> with "Below Normal" Priority, so it does not affect other
>>> processes, it is temporary fix. (1) Start Windows Task Manager
>>> like this: ntsd -c qd taskmgr.exe (2) goto "Processes" tab >
>>> select "Show Processes from All Users". (3) find 'Unbound.exe"
>>> in the process list. Right click on it > Set Priority > select
>>> "BelowNormal". Ok. (4) close Task manager. There are
>>> script/batch file as well to do automatically like above when
>>> windows starts up. Dont know of a registry hack to do that. If
>>> any1 knows, then please share.
>>> -- Bry8Star.
>>> On 8/29/2012 8:08 PM, Bry8 Star wrote:
>>>> I'm using 'Unbound' v1.4.18 on Windows XP SP3 4GB RAM 32bit
>>>> Dual Core AMD CPU. Unbound is configured with "validator
>>>> iterator" mode. "target-fetch-policy" is currently "2 1 0 0 0
>>>> 0". DLV option is enabled. It stops responding periodically
>>>> in my side as well :-( I installed windows process monitoring
>>>> tools like, Process Hacker, Process Explorer, etc and also
>>>> have firewall able to show, warn, block any active network
>>>> connections. Nothing is blocked for unbound in firewall, only
>>>> set to show messages/info on what unbound is doing. Firewall
>>>> is also set to show message/info what app is trying to
>>>> communicate (send DNS query) with local resolver (the
>>>> unbound). When user like me tries to do a ping or do a
>>>> nslookup or do a DiG on an internet host, or when a
>>>> web-browser or any other internet service client app tries to
>>>> send DNS query via unbound (working on 127.0.0.1 udp port
>>>> 53), then at first attempt, unbound internally does its query
>>>> very slowly (or sometime does not work), then query sender
>>>> app shows server could not be reached or servfail, etc
>>>> error/result. 'Unbound' starts to use around 98% or more cpu
>>>> resources at that point. So other apps, mouse becomes non or
>>>> less responsive. After about 1 min or 2 mins, cpu usage goes
>>>> down to normal level. And then, if 2nd attempt is done on the
>>>> same internet site or host, then 'unbound' usually sends the
>>>> answer back very quickly and can reach sites. If a different
>>>> fetch policy is used then how will it affect? We need a
>>>> better fetch policy. Even when i specified it to use 1
>>>> Thread, it sometime uses even 3 or 4 threads. If "iterator
>>>> validator" is used, then will it work better ? then what
>>>> fetch policy will be better ? -- Bry8Star.
>>>> On 8/29/2012 5:40 PM, Will Roberts wrote:
>>>>> On 04/06/2011 02:06 AM, W.C.A. Wijngaards wrote:
>>>>>> Well it should respond to the unbound-control utility.
>>>>>> If it does not this means it is somehow no longer
>>>>>> processing the main loop, or that network traffic does
>>>>>> not reach it.
>>>>> To add some resolution to this issue, this is clearly not
>>>>> unbound's fault. When this situation is triggered I cannot
>>>>> locally ping any of the IPv4 addresses on the machine, so
>>>>> clearly the communication to unbound as a DNS lookup or via
>>>>> unbound-control are going to fail. I'm at a loss as to
>>>>> explain why this happens :)
>>>>> Regards, --Will
>>>>> Unbound-users mailing list Unbound-users at unbound.net
>>>> _______________________________________________ Unbound-users
>>>> mailing list Unbound-users at unbound.net
>>> _______________________________________________ Unbound-users
>>> mailing list Unbound-users at unbound.net
>> _______________________________________________ Unbound-users
>> mailing list Unbound-users at unbound.net
> _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Unbound-users