
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


Hello and good day/night to everyone. I have been reading and following unbound for a while now, and since I haven't seen anyone else but L&LD and dave14305 post their modified configuration files for unbound, I'm going to include mine if anyone is willing and interested in trying. I must add the developers involved have done a great job making unbound available for our routers. A very big Thank You...

P.S. This configuration is running smooth on my ASUS RT-AC3200. I also have Diversion and Skynet running as well. The only two settings enabled upon installation are SGUI and Fastmenu; all others are skipped.

P.S.S. I'm open to opinions about this setup and ways of improving it (if necessary).

Code:
# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
infra-cache-slabs: 1
key-cache-slabs: 1

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
cache-max-ttl: 86400
cache-min-ttl: 300
key-cache-size: 50m
msg-cache-size: 50m
rrset-cache-size: 100m
minimal-responses: yes
edns-buffer-size: 1232
harden-algo-downgrade: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
identity: "DNS"
unwanted-reply-threshold: 10000
use-caps-for-id: yes
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
aggressive-nsec: yes
rrset-roundrobin: yes
do-daemonize: no
neg-cache-size: 4m
harden-large-queries: yes
harden-short-bufsize: yes
ratelimit: 1000
val-clean-additional: yes
prefetch: yes
prefetch-key: yes
serve-expired: yes
deny-any: yes
incoming-num-tcp: 10
outgoing-num-tcp: 10
outgoing-range: 950
num-queries-per-thread: 512

# prefetch

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default
so-sndbuf: 1m
so-reuseport: yes
 
@Safemode could you please use the 'code' tags found in the 'Insert...' icon beside the Drafts (Floppy Icon)? Thank you. :)

Also, what are you doing differently than the defaults? :)
 
Got it, sorry about that. As for what I'm doing differently, I'm using the forked optimised settings and the DNS flag day recommendations for an EDNS buffer size of 1232, for starters. Then I harden unbound as much as possible without breaking anything. I have been running this for quite a while now with great success.
 
Code:
Administrator@RT-AC86U-6A50:/tmp/home/root# cru l
12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache #root_servers#
*/2 * * * * /etc/openvpn/server1/vpns-watchdog1.sh #CheckVPNServer1#
*/2 * * * * /etc/openvpn/server2/vpns-watchdog2.sh #CheckVPNServer2#
*/15 * * * * /jffs/addons/unbound/unbound_rpz.sh download #Unbound_RPZ.sh#
0 5 * * * /opt/var/lib/unbound/adblock/gen_adblock.sh #adblock#
59 * * * * /jffs/addons/unbound/unbound_stats.sh generate #Unbound_Stats.sh#
57 * * * * /jffs/addons/unbound/unbound_log.sh #Unbound_Log.sh#
1 0 * * * /opt/bin/find /opt/var/log/unbound.log -size +10M -exec rm -f {} \; #unboundLOG#

Should it not be:
/opt/var/lib/unbound/unbound.log ???
 
What’s actually used of your 200MB caches?
 
Code:
RRset cache usage in bytes: 3262063
Message cache usage in bytes: 2917726

Cache hit success percent: 92.68

total.num.queries=48560 total.num.expired=23867 total.requestlist.exceeded=0 total.tcpusage=0
total.num.queries_ip_ratelimited=0 total.num.recursivereplies=3544 total.requestlist.current.all=0 msg.cache.count=14291
total.num.cachehits=45016 total.requestlist.avg=1.14762 total.requestlist.current.user=0 rrset.cache.count=14712
total.num.cachemiss=3544 total.requestlist.max=178 total.recursion.time.avg=0.234186 infra.cache.count=8085
total.num.prefetch=27557 total.requestlist.overwritten=0 total.recursion.time.median=0.072826 key.cache.count=1583

Summary: Cache Hits success=92.00%

unbound (pid 3776) is running... uptime: 4 days 18:21:55 version: 1.10.0 # rgnldo Github Version=v1.09 Martineau update (Date Loaded by unbound_manager Fri Apr 17 20:54:18 DST 2020)
 
Please try the 'lo'/'lx' sequence a few times to check the status etc.
There is a topic:
If I hit "lx" i.e. 3 times, the .config changes to
Code:
###verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
and "lo" does not change the .config anymore. So the only possibility to activate verbosity again is changing the .config manually.
 
I was about to ask you what your cache hit rate was. Highest I've achieved is 70%. I've played with the settings a lot to get there but I will definitely tweak them to see if I can do better. Pretty much all the DNS servers where I live are slow so Unbound has been great for me.

Thanks for posting this.
 
Everything seems to be running smooth here

Unbound.png
 
Speaking of forked, given an AX88U with 4 cores, what do most believe to be the best number of threads (forks)? I recalled Merlin mentioning on another post that, if you can, try to leave the first core for router functions. That would imply 3 threads or less, assuming you can assign processor affinity.
 
Personally I would leave num-threads at 1, but if you want to test, yes, you can use 3 or 4. You can read more about it at
https://nlnetlabs.nl/documentation/unbound/howto-optimise/
You need to scroll all the way to the bottom for forked operation.
 
So you are using ~ 3MB of your 200MB allocation. Keep an eye on it, I myself have never gotten past 7 MB, so the default of 16MB seems more than enough for me, but curious what others see too.
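
Added example (not part of any post in this thread, and not unbound_manager's own code): a shell script that makes the comparison discussed above, cache bytes in use against the configured cache sizes, plus the hit rate. The sample config and stats text are constructed from the values posted in the thread; mapping the posted "cache usage in bytes" figures to the `mem.cache.rrset` and `mem.cache.message` counters is an assumption.

```shell
#!/bin/sh
# Constructed sample input, built from the values posted in this thread.
SAMPLE_CONF='msg-cache-size: 50m
rrset-cache-size: 100m   # trailing comments are ignored'

# Assumption: the posted "cache usage in bytes" figures are the mem.cache.*
# counters; on a live system this text comes from `unbound-control stats_noreset`.
SAMPLE_STATS='total.num.queries=48560
total.num.cachehits=45016
mem.cache.rrset=3262063
mem.cache.message=2917726'

# Convert an unbound size value (plain bytes, or a k/m/g suffix) to bytes.
size_to_bytes() {
    case "$1" in
        *[kK]) echo $(( ${1%?} * 1024 )) ;;
        *[mM]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *[gG]) echo $(( ${1%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Value of option $1 in config text $2 (last occurrence, comment stripped).
conf_value() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1:[[:space:]]*\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# Value of counter $1 in stats text $2; accepts several key=value pairs per line.
stat_value() {
    printf '%s\n' "$2" | tr -s ' \t' '\n\n' |
        awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# $1 as a percentage of $2, two decimals; "n/a" if the total is missing or zero.
pct() {
    awk -v a="$1" -v b="$2" \
        'BEGIN { if (b + 0 == 0) print "n/a"; else printf "%.2f\n", a * 100 / b }'
}

# Print the hit rate and how full each cache is.  $1=config text  $2=stats text
cache_report() {
    echo "hit-rate $(pct "$(stat_value total.num.cachehits "$2")" "$(stat_value total.num.queries "$2")")"
    for pair in rrset-cache-size:mem.cache.rrset msg-cache-size:mem.cache.message; do
        size=$(size_to_bytes "$(conf_value "${pair%%:*}" "$1")")
        echo "${pair%%:*} $(pct "$(stat_value "${pair#*:}" "$2")" "$size")"
    done
}

cache_report "$SAMPLE_CONF" "$SAMPLE_STATS"
```

Each output line is a percentage: the share of queries answered from cache, then the share of each configured cache size currently in use.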
 
I have tested all configurations you have posted; that's what got me experimenting with other tweaks to get as close to a universal configuration for all.
@Safemode, so on your setup you're not using some of the options available inside the script, correct? i.e. edns-buffer-size = 4096, as well as others, to name a few, plus some added new features?
 
Yes, four days only for now due to a power failure a few days ago. Very windy again today; hopefully no power failure. I will be monitoring this in the coming weeks.
 
@Safemode, so on your setup you're not using some of the options available inside the script correct i.e. edns-buffer-size = 4096?
I started with 4096, then 1472. I did some reading and came upon DNS Flag Day, where they came to the conclusion of making the EDNS buffer size default 1232. I have been experimenting with this value for at least 1 month and no noticeable problems here.
https://dnsflagday.net/2020/
 
You don’t happen to have num-threads > 1, do you? If you do, then as I understand it, it bounces between them, meaning you have two separate caches, meaning it is harder to get cache hits higher.
 
Thanks, are ratelimit and ip-ratelimit basically the same? Also, I noticed you're not using serve-expired-ttl, correct?
 
