Memory tuning with Unbound RPZ implementation

dns at todoo.biz dns at todoo.biz
Mon Sep 19 16:15:11 UTC 2022


Hello, 

We are preparing a special config of unbound which will allow one to use RPZ and benefit from a global GUI. 
This will be embedded on firewall devices such as APU devices (4GB of RAM and 1GHz quad core AMD-G series).

The zones we are dealing with could be quite large (the largest is 468Mo).

We have observed that after downloading the RPZ files from our main RPZ server, it loads the server and uses ±3Go of RAM.
This seems quite strange because the total size of loaded RPZ files in the example provided below is 275Mo.


last pid: 64525;  load averages:  0.63,  0.57,  0.43   
up 0+03:03:48  16:05:00   35 processes:  2 running, 33 sleeping
CPU: 22.0% user,  0.0% nice,  9.1% system,  0.0% interrupt, 68.9% idle
Mem: 2263M Active, 752M Inact, 2316K Laundry, 422M Wired, 245M Buf, 481M Free
Swap: 764M Total, 60M Used, 703M Free, 7% Inuse
19073 unbound       4  52    0  2924M  2833M kqread   2   7:43   0.00% unbound



The questions are the following: 

1. Are there any specific parameters that we could use in order to minimise the RPZ memory impact?

2. By default RPZ will use an AXFR zone transfer, can you confirm that this zone transfer is compressed? (By RFC it should be.)

3. What would you suggest as general advice in order to tune the parameters (knowing that the zone content will change but not very often - like once a week)?


These are the default parameters we are using: 

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
verbosity: 1
extended-statistics: no
log-queries: yes
hide-identity: no
hide-version: no
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "iterator"
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: no
serve-expired: no
outgoing-num-tcp: 10
incoming-num-tcp: 10
num-queries-per-thread: 4096
outgoing-range: 8192
infra-host-ttl: 900
infra-cache-numhosts: 10000
unwanted-reply-threshold: 0
jostle-timeout: 200
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8



Thanks for your feedback. 

