Unbound performance tuning to prevent flood fails

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Aug 26 14:18:07 UTC 2021


From what it looks like, the dig command opens a port and because
dnsflood uses raw sockets and random port numbers, the reply that dig
receives is for a query that dnsflood sent. Hence the id mismatches.

Use the source port option for dns-flood '-P 12345', and then hope that
randomly the dig command uses a different source port number. From the
looks of it you then receive a reply, because the mismatches you receive
now are replies from unbound, it is up and running.

Or otherwise separate the dnsflood source address and port from the dig
command source and port number, so that dig can receive the reply meant
for it instead of a reflected part of the dns flood.

Best regards, Wouter

On 26/08/2021 15:10, Юрий Иванов via Unbound-users wrote:
> Hi,
> I've got a VM-based unbound and I'm trying to tune unbound performance to be
> able to process huge loads.
> For testing I'm using dnsflood utility.
> (https://github.com/nickwinn/dns-flood)
> Server has 16 cores (unbound max-threads also 16) with 6GB of memory.
> When I perform a flood, ./dnsflood A, the server simply stops replying:
> dig @ google.com
> ;; Warning: ID mismatch: expected ID 28634, got 48552
> ;; Warning: ID mismatch: expected ID 28634, got 41394
> ;; Warning: ID mismatch: expected ID 28634, got 62162
> ;; Warning: ID mismatch: expected ID 28634, got 25233
> ...
> Trying this https://nlnetlabs.nl/documentation/unbound/howto-optimise/
> but that doesn't help.
> Maybe there is some performance tuning of unbound to help process massive
> loads?
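An added example, not from the thread or from either tool, showing the check dig applies to every datagram that lands on its query socket and why the flood's reflected replies surface as "ID mismatch": a reply is only accepted when its transaction id and its question match the query that was sent. The query/reply bytes, the name flood-name.example and the function names are constructed for illustration; the transaction ids are the ones quoted in the thread.

```python
import struct
from collections import Counter

# Constructed sample values (not captured traffic): the id dig reported as "expected"
# and the stray ids it reported receiving, taken from the thread above.
DIG_TXID = 28634
STRAY_TXIDS = [48552, 41394, 62162, 25233]

def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_message(txid, qname, qtype=1, response=False):
    """Header (id, flags, QDCOUNT=1, no RRs) plus one question; QR/RA set on replies."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, is_response, qname, qtype); assumes one uncompressed question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, bool(flags & 0x8000), ".".join(labels).lower(), qtype

def classify_reply(sent, reply):
    """The checks a client such as dig applies to a datagram arriving on its query socket."""
    sid, _, sname, stype = parse_question(sent)
    rid, is_resp, rname, rtype = parse_question(reply)
    if not is_resp:
        return "not-a-response"
    if rid != sid:
        return "id-mismatch"  # a reply to somebody else's query, here one of the flood's
    if (rname, rtype) != (sname, stype):
        return "question-mismatch"
    return "match"

def stray_reply_report(sent, replies):
    """Count replies by verdict; under the flood nearly everything dig sees is id-mismatch."""
    return dict(Counter(classify_reply(sent, r) for r in replies))

if __name__ == "__main__":
    dig_query = build_message(DIG_TXID, "google.com")
    strays = [build_message(t, "flood-name.example", response=True) for t in STRAY_TXIDS]
    print(stray_reply_report(dig_query, strays))
```

Giving the flood a fixed source port (the `-P` option above) keeps its reflected replies off dig's randomly chosen port, so the report shifts from id-mismatch to match.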
