unbound request list exceeded stat ubuntu 20 vs ubuntu 22

Shanmuga Rao rooney.shan17 at gmail.com
Thu Jul 25 10:15:45 UTC 2024


Thanks for your reply.
This is indeed true. There are no complaints from clients about queries
being dropped and in reality it's a small number of requests per second
currently which is expected as you say.
Either clients retry and get success or stop trying for a while. Either
way, unbound seems to be operating normally.
I was just doing some due diligence from my side before updating our fleet
of unbound servers. I did look at release notes in unbound github but in
hindsight I should have also checked the change logs on ubuntu side. Thanks
for pointing that out.

Just to be 100% I have compiled unbound 1.20.0 on one ubuntu 20 VM and I
can see the non-zero values for requestlist exceeded. It appears that
Ubuntu did not backport this fix for any other unbound versions and just
compiling 1.13.1 on ubuntu 20 does not implement the fix for the DNS BOMB
CVE of course. For ubuntu 20 we need to run 1.20.0 compiled or upgrade to
ubuntu 22 and run 1.13.1 from the package distro which has the backported
fix.

I will try to find a ratio between queries answered vs queries dropped to
set up some meaningful alerts. The previous non-zero alert does not make
sense.
Once again thank you for taking the time to reply. Appreciate it!

On Wed, 24 Jul 2024 at 23:31, Olivier Benghozi via Unbound-users <
unbound-users at lists.nlnetlabs.nl> wrote:

> Very simple.
>
> As you can see here:
>
> https://changelogs.ubuntu.com/changelogs/pool/main/u/unbound/unbound_1.13.1-1ubuntu5.5/changelog
>
> ... Ubuntu has backported to 1.13.1 the CVE-2024-33655 / DNSBomb patch
> from Unbound 1.20.0, described in their own release notes here:
> https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0
>
>
> This fix basically kills the requests queued that are waiting for a
> recursive resolution, for which there's nothing known in the cache, and that
> have been waiting for way too long; that is, the attempt to resolve in a
> proper amount of time, compatible with the usual DNS clients timeouts, is
> failing – maybe because the authoritative DNS servers are not answering.
>
> Answering these requests would have been useless anyway as the client
> is not waiting for an answer anymore after a few seconds (because of
> its own timeout).
>
> Therefore, you now see dropped queries counters incrementing, and it's
> expected (as you always will have a few authoritative servers not
> responding).
>
> Shorter: all is fine.
>
>
> On Wed, 24 Jul 2024 at 22:27, Shanmuga Rao via Unbound-users <
> unbound-users at lists.nlnetlabs.nl> wrote:
>
>> Our ubuntu 20 VMs run unbound version 1.9.4. We received new ubuntu 22
>> VMs and installed unbound version 1.13.1 via package manager. I have
>> started noticing that on the ubuntu 22 machines, the
>> total.requestlist.exceeded stat started getting non-zero values.
>> unbound v1.9.4 in ubuntu 20 always shows 0.
>>
>> The queries received by each node look to be at most 20k or less and
>> are distributed equally. All sysctl parameters are identical between ubuntu
>> 20 and ubuntu 22 VMs. Unbound config is identical on both. Most
>> unbound.conf parameters are left to defaults; the following are the
>> important ones I believe influence unbound performance.
>>
>>  num-threads: 8
>>  outgoing-range: 60000
>>  num-queries-per-thread: 30000
>>  so-reuseport: yes
>>  module-config: "iterator"
>>  msg-cache-slabs: 2
>>  rrset-cache-slabs: 2
>>  infra-cache-slabs: 2
>>  key-cache-slabs: 2
>>  rrset-cache-size: 512m
>>  msg-cache-size: 256m
>>  so-rcvbuf: 4m
>>  so-sndbuf: 4m
>>
>> Unbound service starts and occupies available ports and FDs. CPU and
>> memory utilisation on both are very minimal, less than 25%.
>> # ulimit -n
>> 1048576
>> unbound[764890:0] debug: total of 59463 outgoing ports available
>> Ubuntu 20 stats_noreset:
>> total.num.queries=15979
>> total.requestlist.max=5
>> total.requestlist.exceeded=0
>> total.requestlist.current.all=9
>> total.requestlist.current.user=7
>>
>> Ubuntu 22 stats_noreset:
>> total.num.queries=9157
>> total.requestlist.max=5
>> total.requestlist.exceeded=3
>> total.requestlist.current.all=3
>> total.requestlist.current.user=3
>>
>> ubuntu 22 systems constantly have non-zero values. Ubuntu 20 systems and
>> even CentOS 7 (unbound version 1.7.1) always have zero. As per my
>> understanding of the config parameters, the system itself has enough
>> resources available to handle at least 2x the current traffic.
>>
>> As a test I have compiled version 1.13.1 on a ubuntu 20 VM and still the
>> request list exceeded stat is zero.  On Ubuntu 22 I have also compiled and
>> installed the latest unbound version 1.20.0 and it's still the same - non
>> zero values.
>>
>> I can see that the queries dropped is less than 1 req/s but it's still
>> confusing since it's only seen on ubuntu 22 VMs with little resource
>> utilisation.
>>
>> Has anyone run into something similar? Do you know if any ubuntu 22
>> specific parameters should be modified? Happy to provide more information
>> if needed.
>>
>
> This message and any attachments (hereinafter the "message") are
> intended solely for the designated recipients. It contains confidential
> information that may be protected by professional secrecy. If you have
> received this message in error, please notify the sender immediately and
> destroy the message. Any use of this message not in accordance with its
> purpose, and any dissemination or publication, in whole or in part, is
> prohibited without the express authorisation of the sender.
>
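The ratio-based alert that the top message says it will work out, written up here as an added example; it is not code from the thread, from Ubuntu or from the Unbound project. It parses `unbound-control stats_noreset` output, computes the fraction of new queries that were dropped from the request list between two polls (the counters are cumulative, so a plain non-zero check on one snapshot is what produced the noisy alert), and fires only above a threshold. The first snapshot reuses the Ubuntu 22 numbers quoted above; the second snapshot, the poll interval and the 1% threshold are constructed assumptions, not values recommended anywhere in the thread.

```python
"""Request-list drop ratio from `unbound-control stats_noreset` output.

Assumptions (not from the thread): the stats text comes from running
`unbound-control stats_noreset` on each node, the second snapshot below is
invented to stand for the next poll, and the 1% threshold is a starting
point to tune, not a recommendation.
"""
from __future__ import annotations

import subprocess


def parse_stats(text: str) -> dict[str, float]:
    """Parse `key=value` lines as printed by unbound-control into a dict.

    Blank, malformed or non-numeric lines are skipped so a stray log line
    does not break the collector.
    """
    stats: dict[str, float] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            stats[key.strip()] = float(value.strip())
        except ValueError:
            continue
    return stats


def drop_ratio(prev: dict[str, float], curr: dict[str, float]) -> float | None:
    """Fraction of queries dropped from the request list between two polls.

    stats_noreset counters are cumulative since the daemon started, so the
    ratio is taken on the deltas. Returns None when no new queries arrived or
    when a counter went backwards (daemon restarted between polls), because
    no meaningful ratio exists in either case.
    """
    d_queries = curr.get("total.num.queries", 0.0) - prev.get("total.num.queries", 0.0)
    d_dropped = (curr.get("total.requestlist.exceeded", 0.0)
                 - prev.get("total.requestlist.exceeded", 0.0))
    if d_queries <= 0 or d_dropped < 0:
        return None
    return d_dropped / d_queries


def should_alert(ratio: float | None, threshold: float = 0.01) -> bool:
    """Alert only when a ratio exists and it exceeds the threshold.

    A few drops per second are expected once stale queued requests are
    discarded, so a bare non-zero counter is not a useful alert condition.
    """
    return ratio is not None and ratio > threshold


def fetch_stats(control: str = "unbound-control") -> dict[str, float]:
    """Read the live counters without resetting them (needs control access)."""
    out = subprocess.run([control, "stats_noreset"], capture_output=True,
                         text=True, check=True)
    return parse_stats(out.stdout)


# Constructed snapshots: T0 mirrors the Ubuntu 22 figures quoted in the thread,
# T1 is invented to represent the following poll.
SNAPSHOT_T0 = """\
total.num.queries=9157
total.requestlist.max=5
total.requestlist.exceeded=3
total.requestlist.current.all=3
total.requestlist.current.user=3
"""
SNAPSHOT_T1 = """\
total.num.queries=10357
total.requestlist.max=6
total.requestlist.exceeded=7
total.requestlist.current.all=2
total.requestlist.current.user=2
"""


def evaluate_constructed_snapshots(threshold: float = 0.01) -> tuple[float | None, bool]:
    """Run the pipeline over the embedded snapshots; returns (ratio, alert)."""
    ratio = drop_ratio(parse_stats(SNAPSHOT_T0), parse_stats(SNAPSHOT_T1))
    return ratio, should_alert(ratio, threshold)


if __name__ == "__main__":
    r, alert = evaluate_constructed_snapshots()
    print(f"drop ratio={r:.4%} alert={alert}")
```

In production, replace the embedded snapshots with two consecutive `fetch_stats()` results stored between runs; keeping the per-poll delta rather than the lifetime ratio is what makes the alert react to a change in upstream authoritative behaviour instead of slowly averaging it away.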