[Unbound-users] Unbound performance and firewall issues
CHABOISSEAU Samuel
Samuel.CHABOISSEAU at coe.int
Thu Mar 6 13:30:30 UTC 2014
Hi,
We want to migrate our BIND servers to Unbound.
We just installed a single VM for testing purposes. Both Unbound and BIND are installed as DNS resolvers (Internet by default and local authorities).
A single server is using this DNS resolver and everything works fine. Now, to have a valuable performance test, we chose to produce a web stats report with awstats from a huge Nginx log file (thousands of IP addresses to resolve).
When Unbound is started, the stats take 5 times longer to produce than with BIND. Is it normal?
Second point: a firewall is installed on the VM and *only with Unbound* I notice some rejects on the firewall, as follows:
TESTDNS kernel: [541975.554683] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=8206 PROTO=UDP SPT=53 DPT=4
It's like some hazardous packets are not kept in the conntrack table!
Thanks for your help.
Here is our Unbound configuration file:
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    dlv-anchor-file: "dlv.isc.org.key"
    val-permissive-mode: yes
    interface: 0.0.0.0
    interface-automatic: yes
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    pidfile: "/var/run/unbound.pid"
    # Access list
    access-control: 192.168.100.0/24 allow
    chroot: "/etc/unbound"
    root-hints: "/etc/unbound/db.root"
    # Log
    verbosity: 1
    val-log-level: 2
    use-syslog: no
    logfile: /var/log/unbound.log
    # Stats for munin
    statistics-cumulative: no
    extended-statistics: yes
    statistics-interval: 0
    hide-identity: yes
    hide-version: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    use-caps-for-id: yes
    do-not-query-localhost: no
    #
    # Optimisation
    #
    num-threads: 4
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    infra-cache-slabs: 1
    key-cache-slabs: 1
    rrset-cache-size: 512m
    msg-cache-size: 256m
    outgoing-range: 1024
    num-queries-per-thread: 512
    so-rcvbuf: 32m
    #
    # /Optimisation
    #
    #
    # CACHE
    #
    # Time to live MAX for RRsets and messages in the cache (in sec)
    cache-max-ttl: 300
    # Time to live for entries in the host cache (in sec)
    infra-host-ttl: 300
    # Message cache elements are prefetched before they expire
    prefetch: yes
    #
    # /CACHE
    #
    # ARPA
    local-zone: "10.in-addr.arpa" nodefault
    local-zone: "16.172.in-addr.arpa" nodefault
    local-zone: "30.172.in-addr.arpa" nodefault
    local-zone: "31.172.in-addr.arpa" nodefault
    local-zone: "168.192.in-addr.arpa" nodefault
    # Non DNSSEC local domains
    domain-insecure: "key.coe.int"
    domain-insecure: "ilo.coe.int"

python:

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: 192.168.100.177

#
# STUB Zones
#
# ARPA
stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: 192.168.100.157
    stub-addr: 192.168.100.158
stub-zone:
    name: "100.168.192.in-addr.arpa"
    stub-addr: 192.168.100.157
    stub-addr: 192.168.100.158
stub-zone:
    name: "16.172.in-addr.arpa"
    stub-addr: 192.168.100.157
    stub-addr: 192.168.100.158
stub-zone:
    name: "30.172.in-addr.arpa"
    stub-addr: 192.168.100.157
    stub-addr: 192.168.100.158
stub-zone:
    name: "1.31.172.in-addr.arpa"
    stub-addr: 192.168.100.157
    stub-addr: 192.168.100.158
# ZONES
stub-zone:
    name: "coe.int"
    stub-addr: 192.168.100.157
    stub-addr: 192.168.100.158
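The rejected packet quoted in the post is a UDP datagram leaving the VM (OUTPUT chain, OUT=eth0) from source port 53 toward 192.168.100.79, i.e. a DNS answer from the resolver to a host inside the 192.168.100.0/24 range that the access-control line allows. When triaging such firewall logs it helps to separate resolver answers to clients from the resolver's own upstream queries and from everything else. The following parser and classifier is an added example, not code from the post or from the Unbound project. It assumes the netfilter LOG line format shown above (kernel timestamp, a log prefix such as "OUTPUT DFLT REJECT", then KEY=VALUE fields); the sample lines are constructed, and the client port in the first one is an assumed value because the DPT field in the post is cut off.

```python
"""Classify netfilter REJECT log lines seen on a DNS resolver host.

Added example; it is not from the original post or the Unbound project.
Assumed input: kernel netfilter LOG lines like the one quoted in the post.
"""
import ipaddress
import re
from collections import Counter

# The range the Unbound access-control line in the post allows: clients live here.
CLIENT_NET = ipaddress.ip_network("192.168.100.0/24")

# Constructed sample lines (assumption) modelled on the single line in the post.
# The DPT of the first line is an assumed client port: the post's line is truncated.
SAMPLE_LOG = """\
TESTDNS kernel: [541975.554683] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=8206 PROTO=UDP SPT=53 DPT=41234
TESTDNS kernel: [541976.101000] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8207 PROTO=UDP SPT=51512 DPT=53
TESTDNS kernel: [541977.222000] INPUT DFLT REJECT IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.100.177 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22
some unrelated syslog line without netfilter fields
"""

# KEY=VALUE pairs; the value may be empty (IN= on OUTPUT-chain lines, OUT= on INPUT).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Everything between the kernel timestamp and the first IN= field is the LOG prefix.
PREFIX_RE = re.compile(r"kernel: \[\s*([\d.]+)\]\s+(.*?)\s+IN=")


def parse_line(line):
    """Return a dict of fields for one netfilter LOG line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))   # uppercase keys come from netfilter
    fields["ts"] = float(m.group(1))         # lowercase keys are ours
    fields["prefix"] = m.group(2)
    return fields


def classify(fields):
    """Label a rejected packet from the resolver host's point of view."""
    proto = fields.get("PROTO")
    try:
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return "unparsable"
    # In the sample prefixes the first word names the chain (OUTPUT / INPUT).
    chain = fields["prefix"].split()[0]
    outbound_udp = chain == "OUTPUT" and proto == "UDP"
    if outbound_udp and fields.get("SPT") == "53" and dst in CLIENT_NET:
        # A DNS answer leaving the resolver towards an allowed client. With a
        # stateful OUTPUT policy this is the packet that gets rejected when no
        # conntrack entry for the client's original query exists any more.
        return "dns-reply-to-client"
    if outbound_udp and fields.get("DPT") == "53":
        # The resolver's own query to an upstream or stub server.
        return "upstream-query"
    return "other"


def summarize(log_text):
    """Count rejected packets per class; returns a plain dict for easy checking."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        counts[classify(fields)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:22s} {n}")
```

Feeding the real kernel log through summarize() shows whether the rejects are dominated by answers to clients, which is what the quoted line is, or by the resolver's outgoing queries; the two point at different firewall rules, and counting them separately is the first step before touching conntrack timeouts or the OUTPUT policy.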