Unbound - Authoritative Recursive Caching DNS Server
I now issue a warning, and skip the 'dnsmasq.postconf' set 'cache-size=0' modification.

Not 100% sure if this is acceptable?
First, alpha version. Second, if I'm not mistaken, there is the interaction with Diversion. I will install the alpha version to check.
 
Damn. Eventually, I get the same thing. It just takes several queries to finally hit thread 2.
I found it strange to be able to fix it only by changing the memory. Here it's working normally. Here's a tip, pause your experience for a moment. Soon you will find the solution.
 
Same here. Was too hopeful too quick, definitely will - tunnel vision takes over after a couple hours lol
 
Working fine.

 
Are you guys going to jump on board with the addons train and integrate a GUI interface of some kind?
I do not think so. We still have a long way to go at least in AMTM. It's a challenge. Projects that are more focused on embedded software are easy for the API. We need more employees who know the FW Merlin code well.
 
Weird. Working fine here. On the FW Merlin terminal:
Code:
@rgnldo:/tmp/home/root# dig @127.0.0.1 -p 53535 google.com

; <<>> DiG 9.14.4 <<>> @127.0.0.1 -p 53535 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64719
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             900     IN      A       216.58.202.174

;; Query time: 606 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1)
;; WHEN: Tue Jan 07 16:12:25 BRT 2020
;; MSG SIZE  rcvd: 55

@rgnldo:/tmp/home/root# dig @127.0.0.1 -p 53535 google.com

; <<>> DiG 9.14.4 <<>> @127.0.0.1 -p 53535 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26998
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             898     IN      A       216.58.202.174

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1)
;; WHEN: Tue Jan 07 16:12:27 BRT 2020
;; MSG SIZE  rcvd: 55

Code:
# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

so-reuseport: yes
outgoing-range: 4096
num-queries-per-thread: 1024

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m

This is probably a naive observation but it appears the unbound package that's installed with this script was compiled WITHOUT libevent. As someone who understands router configuration but hasn't taken the leap of faith to start compiling my own packages, this may explain why I've (we've?) been struggling with the aforementioned tweaks regarding multiple unbound threads, outgoing-range, queries per thread, etc. Not sure if there's an alternative way to get this functionality for us laymen folk but for now the single-thread solution is working like a charm. Thanks again to everyone's hard work on this!

FWIW I'm running unbound without logging, with advanced tweaks, without stubby, and with ad-block ("no, yes, no, yes" sequence using the installer). I then edit unbound.conf to make the following tweaks in BOLD based on my learnings from this full thread, as I'm using an RT-AC5300 with 512 MB of RAM and a dual-core processor:

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
key-cache-size: 64m
msg-cache-size: 32m
rrset-cache-size: 64m

cache-min-ttl: 900
cache-max-ttl: 86400
incoming-num-tcp: 1000
cache-max-negative-ttl: 60

# additional modifications
extended-statistics: yes
so-reuseport: yes
so-rcvbuf: 1m
use-caps-for-id: no
rrset-roundrobin: yes


FYI, OUTPUT SHOWING UNBOUND COMPILED W/O LIBEVENT:
# unbound -V
Version 1.9.3

Configure line: --target=arm-openwrt-linux --host=arm-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/opt --exec-prefix=/opt --bindir=/opt/bin --sbindir=/opt/sbin --libexecdir=/opt/lib --sysconfdir=/opt/etc --datadir=/opt/share --localstatedir=/opt/var --mandir=/opt/man --infodir=/opt/info --disable-nls --disable-dsa --disable-gost --enable-allsymbols --enable-ecdsa --enable-tfo-client --enable-tfo-server --with-libexpat=/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt --with-ssl=/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt --with-user=unbound --with-run-dir=/opt/var/lib/unbound --with-conf-file=/opt/var/lib/unbound/unbound.conf --with-pidfile=/opt/var/run/unbound.pid --without-pthreads --without-solaris-threads --without-libevent
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d 10 Sep 2019
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available
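As an added example (not code from this thread or from the Unbound project), a small POSIX shell check that reads `unbound -V` output to tell a select()-based build from a libevent one, and estimates whether the configured num-threads, outgoing-range and num-queries-per-thread fit under the 1024-descriptor select() limit that comes up later in the thread. The sample outputs are constructed from the post above; the 960/512 fallback defaults and the descriptor accounting are assumptions that approximate Unbound's own.

```shell
#!/bin/sh
# Constructed sample of `unbound -V` output, condensed from the post above.
SAMPLE_V='Version 1.9.3

Configure line: --target=arm-openwrt-linux --prefix=/opt --without-pthreads --without-libevent
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d 10 Sep 2019
Linked modules: dns64 respip validator iterator'

# Constructed unbound.conf fragment with the 2-thread tuning quoted in the thread.
SAMPLE_CONF='server:
    num-threads: 2
    outgoing-range: 4096
    num-queries-per-thread: 1024
    msg-cache-size: 8m'

# Report the event backend the binary was built with: "libevent" or "select".
event_backend() {
    printf '%s\n' "$1" | awk '
        /^Linked libs:/ { if ($0 ~ /libevent/) print "libevent"; else print "select"; exit }'
}

# First value of an option in an unbound.conf fragment, or the given default.
conf_value() {
    val=$(printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }')
    printf '%s\n' "${val:-$3}"
}

# Estimated descriptor demand: every thread owns outgoing-range UDP ports plus
# one slot per simultaneous query.  Assumption: this approximates Unbound's own
# accounting (listen and TCP sockets are ignored); the fallback defaults are
# the assumed values for a build without libevent.
fd_demand() {
    threads=$(conf_value num-threads "$1" 1)
    ports=$(conf_value outgoing-range "$1" 960)
    queries=$(conf_value num-queries-per-thread "$1" 512)
    echo $(( threads * (ports + queries) ))
}

# Return 0 when the config fits the backend, 1 when a select()-built binary is
# asked for more than the 1024 descriptors FD_SETSIZE allows.
config_fits() {
    backend=$(event_backend "$1")
    demand=$(fd_demand "$2")
    if [ "$backend" = select ] && [ "$demand" -gt 1024 ]; then
        echo "backend=$backend demand=$demand: over 1024, lower num-threads/outgoing-range or use a libevent build"
        return 1
    fi
    echo "backend=$backend demand=$demand: ok"
}

config_fits "$SAMPLE_V" "$SAMPLE_CONF" || :   # prints demand=10240, over 1024
```

On a router, replace the two samples with `"$(unbound -V)"` and `"$(cat /opt/var/lib/unbound/unbound.conf)"`.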
 
I think you have a great product here. Just have to scale it to the users. Get more testers see what gives who the best results and on consensus work out any kinks others may find. Mine is running great has been several days. Great job guys.
 
this script was compiled WITHOUT libevent
I do not know what happened. In version 1.8.1 there was libevent support. Apparently it works well for me. Probably removed because it is unnecessary for ARM devices.
 

Here are my settings:

Code:
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # don't be picky about interfaces but consider your firewall
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 192.168.1.0/24 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow


    # Ensure privacy of local IP ranges
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # no threads and no memory slabs for threads
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 8192
    num-queries-per-thread: 4096
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    infra-cache-numhosts: 15000
    infra-cache-lame-size: 10k

    # tiny memory cache
    key-cache-size: 16m
    msg-cache-size: 8m
    rrset-cache-size: 16m
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    cache-max-negative-ttl: 0
    infra-host-ttl: 60
    infra-lame-ttl: 120
    edns-buffer-size: 1472

    # prefetch
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes

    # gentle on recursion
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    rrset-roundrobin: yes
    harden-glue: yes
    harden-referral-path: no
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    use-caps-for-id: no

    # Faster UDP with multithreading
    so-reuseport: yes

    # Ensure the kernel buffer is large enough not to lose messages in traffic spikes
    so-rcvbuf: 1m
 
If you do not use multithreading, there is no need for this option.

Not required on ARM devices. The less memory the better. I learned this from SQUID.

Not necessary.
I recommend it only if you are relying on recursion; if you are forwarding with stubby there is no need.
so-reuseport: yes
This is primarily for better UDP responses when running more than one thread; those with newer, nicer Asus routers might benefit.
 
What Linux kernel version is the AC86U?
so-reuseport: <yes or no>
    If yes, then open dedicated listening sockets for incoming queries for each thread and try to set the SO_REUSEPORT socket option on each socket. May distribute incoming queries to threads more evenly. Default is yes. On Linux it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may also work. You can enable it (on any platform and kernel), it then attempts to open the port and passes the option if it was available at compile time, if that works it is used, if it fails, it continues silently (unless verbosity 3) without the option. At extreme load it could be better to turn it off to distribute the queries evenly, reported for Linux systems (4.4.x).
 
Thank you both for the feedback and clarification! Think I'll stick with the default configuration until we reach some level of communal convergence on "ideal" settings

Question(s) for SomeWhereOverTheRainBow (SWOTRB for short) and crew:
  1. Did you recompile unbound 1.9.3 with libevent on your own? Some of the settings seem "libevent-specific" as they exceed the native 1024 limit...?
  2. Were you able to resolve the multi-thread, multi-cache issue reported by SolluxCaptor in Post 480? "run dig command once - get fresh result. Run once more, cache. One more time - recursion again, run again - then cache again (and it stays)? Not sure how to verify that is what's happening here, each thread *appears* to have its own cache."
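Added example (not from this thread or from Unbound) for the verification question in point 2: a POSIX shell helper that parses dig's answer TTL and query time and labels successive runs as cache hits or fresh recursion. The two sample answers are constructed from the dig outputs posted earlier in the thread; the cache/recursion rule (0 msec and a TTL that has not grown back) is this example's own heuristic.

```shell
#!/bin/sh
# Two answers captured in the thread, reduced to the fields this check reads
# (constructed excerpts): a cold lookup, then the cached repeat.
DIG_COLD='google.com.             900     IN      A       216.58.202.174
;; Query time: 606 msec'
DIG_WARM='google.com.             898     IN      A       216.58.202.174
;; Query time: 0 msec'

# Print "ttl querytime" from one dig output (first A/AAAA answer line);
# ttl is "-" when no answer record is present, querytime -1 when missing.
answer_fields() {
    printf '%s\n' "$1" | awk '
        BEGIN { ttl = ""; qt = -1 }
        $3 == "IN" && ($4 == "A" || $4 == "AAAA") && ttl == "" { ttl = $2 }
        /^;; Query time:/ { qt = $4 }
        END { if (ttl == "") ttl = "-"; print ttl, qt }'
}

# Classify one answer against the previous run: "cache" when the resolver
# answered in 0 msec and the TTL has not grown back, "recursion" otherwise.
classify() {
    set -- $(answer_fields "$1") "$2"   # now $1=ttl $2=msec $3=previous ttl
    if [ "$2" -eq 0 ] && [ -n "$3" ] && [ "$1" != - ] && [ "$1" -le "$3" ]; then
        echo cache
    else
        echo recursion
    fi
}

# Query the local Unbound on its 53535 port N times in a row and label each
# run.  A single shared cache shows one "recursion" then only "cache"; a
# "recursion" reappearing mid-sequence is the per-thread cache symptom the
# thread describes.
probe_cache() {
    name=$1; count=${2:-6}; prev=""; i=1
    while [ "$i" -le "$count" ]; do
        out=$(dig @127.0.0.1 -p 53535 "$name") || return 1
        label=$(classify "$out" "$prev")
        set -- $(answer_fields "$out")
        echo "run $i: ttl=$1 time=${2}ms $label"
        prev=$1; i=$((i + 1))
    done
}
```

Run `probe_cache google.com 8` on the router; with two threads each holding its own cache, expect "recursion" to show up more than once in the first few runs.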
 
Another helpful set of logging commands I've made for easy switching of logging on/off, or switching Unbound on/off (these go in /jffs/configs/profile.add):
Code:
unboundlog() {
        unbound-control verbosity 2
        unbound-control set_option log-queries: yes
        unbound-control set_option log-replies: yes
        tail -50 -F /opt/var/lib/unbound/unbound.log
}

unboundnolog() {
        unbound-control verbosity 1
        unbound-control set_option log-queries: no
        unbound-control set_option log-replies: no
}

unbounddisable() {
        /opt/etc/init.d/S61unbound stop
        service restart_dnsmasq
        /opt/etc/init.d/S02haveged stop
        sed -i "s/^ENABLED=yes/ENABLED=no/" /opt/etc/init.d/S61unbound
        sed -i "s/^ENABLED=yes/ENABLED=no/" /opt/etc/init.d/S02haveged
}

unboundenable() {
        sed -i "s/^ENABLED=no/ENABLED=yes/" /opt/etc/init.d/S02haveged
        sed -i "s/^ENABLED=no/ENABLED=yes/" /opt/etc/init.d/S61unbound
        /opt/etc/init.d/S02haveged start
        /opt/etc/init.d/S61unbound start
}
Another useful unbound.conf configuration setting for log reading:
Code:
log-time-ascii: yes
 
I don't have any of those issues and these settings work perfectly. Native unbound works fine with these settings; I have done no recompile. I recommend testing them for yourself.
 
it appears the unbound package that's installed with this script was compiled WITHOUT libevent.

I don't think it's really needed on a home device. From the unbound github page...
You can use libevent if you want. libevent is useful when using many (10000) outgoing ports. By default max 256 ports are opened at the same time and the builtin alternative is equally capable and a little faster.
 