[Unbound-users] Is It Correct Unbound Config as Validating DNS Server/Resolver ?
bry8star at inventati.org
Tue May 28 12:09:52 UTC 2013
I have removed all stub & forwarding zones, and tested DNS-Server again.
But problem remains. So stub or forwarding zones were not a factor.
So I've added back all types of stub and forwarding zones, and
PROBLEM(s) SOLVED: :)
Changed config option "tcp-upstream:", from "yes" into "no" in
And client-side computers are still using "tcp-upstream: yes".
CPU resource usage is not jumping up unfairly anymore in DNS-Server
computer, even when any unsigned.tld type of sites/domain-names are
attempted for DNS resolving from any client-side computers.
If I were to place the Unbound DNS-Server (configured as in previous posts)
on an online/internet server, and connect to it directly, or
via an SSH tunnel, or via a Socks5-proxy tunnel, it is supposed to work
fine. In that case, I will reduce the "outgoing-num-tcp:" &
"incoming-num-tcp:" options from "20" to "6" or "8", or even
less, on client-side computers, until I find which works
better for the tunnel which I will be using to connect to the
remote online Unbound.
Thanks, to users who have helped on this.
IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
unbound-users at unbound.net
Please do not send any email directly to me, Thanks.
-- Bright Star (Bry8Star).
Received from Bry8 Star, on 2013-05-27 10:43 PM:
> When "num-threads: 2", the total number of threads used by unbound.exe was 6.
> Tested further, in DNS-Server (192.168.0.10), with these modified lines:
> num-threads: 4
> outgoing-range: 225 # when thread = 4
> outgoing-num-tcp: 25
> incoming-num-tcp: 25
> num-queries-per-thread: 110 # when thread = 4
> msg-cache-slabs: 4
> rrset-cache-slabs: 4
> infra-cache-slabs: 4
> key-cache-slabs: 4
> With the above config options, the unbound.exe service is now using
> a total of 8 threads.
> The below process thread under unbound.exe is still using very high CPU
> resources, frequently, and especially when unsigned.tld type of DNS
> queries are attempted:
> Sometimes it uses so much CPU that the network interface's tray icon
> changes, and shows a yellow triangle with an exclamation mark, so the network
> adapter stops working!
> So, by using "Process Hacker" or "Process Explorer", I have changed
> the priority of the "unbound.exe" service from "Normal" (8) to "Below
> Normal" (6), and after that, when CPU usage jumps up, at least the
> network interface itself does not get disabled, most times.
> And I observed over a longer time period that the network interface gets
> disabled a bit more when "num-threads: 4", so I've reverted back to
> using "num-threads: 2".
> So now unbound service.conf file has such configuration:
> num-threads: 2
> outgoing-range: 450 # when thread = 2
> outgoing-num-tcp: 35
> incoming-num-tcp: 35
> num-queries-per-thread: 225 # when thread = 2
> msg-cache-slabs: 2
> rrset-cache-slabs: 2
> infra-cache-slabs: 2
> key-cache-slabs: 2
> target-fetch-policy: "3 2 1 1 1 1"
> DNS-Server is running on a computer which has:
> AMD processor 64 bit, 2.2 GHz, ( 1 CPU with
> single core, SSE1, SSE2),
> Realtek RTL8139/810x Family Fast Ethernet NIC,
> nVidia chipset based Mobo,
> 2GB DDR RAM,
> Windows 7 64 bit,
> Its average RAM usage is around ~35%, at max ~60%,
> unbound.exe 32 bit.
> And DNS-Server is now running better, but the occasional high CPU usage
> problem still remained when unsigned sites are queried.
> In client side computers, unbound resolvers are now configured to
> use 2 threads and running better, though they were running just fine
> with 1 thread as well.
> IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
> "TO:" FIELD/Text-Box:
> unbound-users at unbound.net
> Please do not send any email directly to me, Thanks.
> -- Bright Star (Bry8Star).
> Received from Bry8 Star, on 2013-05-27 7:52 PM:
>> Hi Wouter,
>> THANK YOU.
>> In DNS-Server (192.168.0.10), below config lines are now changed to
>> have such values:
>> num-threads: 2
>> outgoing-range: 450 # when thread = 2
>> outgoing-num-tcp: 25
>> incoming-num-tcp: 25
>> num-queries-per-thread: 225 # when thread = 2
>> And after restarting the Unbound DNS-Server (on the Win7 computer), I'm
>> observing the below Windows thread (under the "unbound.exe" service
>> program) sometimes (not always) using high CPU resources, especially
>> when any unsigned.tld type of sites/domains are queried/resolved:
>> I'm observing it's working much better: previously, for any type of
>> site/domain DNS query, CPU usage level used to jump up, now mostly
>> for unsigned.tld type of sites.
>> And when CPU usage remains at a high level for around 1 or 2 minutes
>> (or more), then sometimes only newer unsigned.tld type of sites,
>> SOMETIMES (not always), do not get resolved, and dig shows "connection
>> timed out; no servers could be reached", and if, exactly then, DNS
>> queries are done for previously queried sites/domains, it still
>> works/responds correctly. So it's performing better now.
>> The sechost.dll did not use high CPU resources anymore.
>> So I need to find out what can be done so that endthreadex+0x29 from
>> msvcrt.dll is not used at a massive rate by the unbound.exe service.
>> IF/WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
>> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
>> "TO:" FIELD/Text-Box:
>> unbound-users at unbound.net
>> Please do not send any email directly to me, Thanks.
>> -- Bright Star (Bry8Star).
>> Received from W.C.A. Wijngaards, on 2013-05-27 6:10 AM:
>>> Hi Bry8,
>>> You are using a lot of TCP, you should increase the incoming-num-tcp:
>>> and the outgoing-num-tcp: from the default 10 to more. Because of
>>> Windows you may hit a max (try 20), on Linux you can have as much as
>>> you like. CPU resources, you can use multiple threads (on Windows)
>>> for more processing capacity (even if you do not have that many
>>> cores), to be able to make more TCP connections (num-threads:).
>>> Unbound does not use advapi or sechost.dll itself, but uses
>>> openssl.dll for security and crypto functions.
>>> Unbound on Windows accesses the registry infrequently. It checks for
>>> a root anchor action once in a while, and its install directory on
>>> startup. The registry keys are documented in the Windows doc (at the
>>> end) on the Unbound web documentation page.
>>> Best regards,
>>> Unbound-users mailing list
>>> Unbound-users at unbound.net