Netgate Discussion Forum

    Incorrect rrset-cache-size in unbound.conf

    DHCP and DNS
    • wagebox

      Hello guys,

      I've been playing with unbound a little bit since it got introduced in the 2.2.2 release. I wanted to have an idea about memory consumption and limits, so I sent some queries for a bunch of domains using dig. I have used the Alexa top 1 million domains list as a base and ran a simple script to go through them by "digging" ANY for a while.

      unbound is configured to use 100MB as message cache, which should result in having 200MB as rrset cache according to the web configuration interface.

      However, when checking the stats using unbound-control -c /var/unbound/unbound.conf stats (btw, some status page would be nice ;)), I have noticed that rrset.cache.count never reaches significantly above 30k and mem.cache.rrset is stuck around 8MB.

      unbound-control -c /var/unbound/unbound.conf stats:

      
      $ unbound-control -c /var/unbound/unbound.conf stats
      thread0.num.queries=18397
      thread0.num.cachehits=5
      thread0.num.cachemiss=18392
      thread0.num.prefetch=0
      thread0.num.recursivereplies=18388
      thread0.requestlist.avg=2.89985
      thread0.requestlist.max=22
      thread0.requestlist.overwritten=0
      thread0.requestlist.exceeded=0
      thread0.requestlist.current.all=3
      thread0.requestlist.current.user=2
      thread0.recursion.time.avg=1.339847
      thread0.recursion.time.median=0.246674
      total.num.queries=18397
      total.num.cachehits=5
      total.num.cachemiss=18392
      total.num.prefetch=0
      total.num.recursivereplies=18388
      total.requestlist.avg=2.89985
      total.requestlist.max=22
      total.requestlist.overwritten=0
      total.requestlist.exceeded=0
      total.requestlist.current.all=3
      total.requestlist.current.user=2
      total.recursion.time.avg=1.339847
      total.recursion.time.median=0.246674
      time.now=1422737153.945010
      time.up=9341.711168
      time.elapsed=533.959676
      mem.total.sbrk=0
      mem.cache.rrset=8913062
      mem.cache.message=15570329
      mem.mod.iterator=16532
      mem.mod.validator=4045694
      histogram.000000.000000.to.000000.000001=3
      histogram.000000.000001.to.000000.000002=0
      histogram.000000.000002.to.000000.000004=0
      histogram.000000.000004.to.000000.000008=0
      histogram.000000.000008.to.000000.000016=0
      histogram.000000.000016.to.000000.000032=0
      histogram.000000.000032.to.000000.000064=0
      histogram.000000.000064.to.000000.000128=0
      histogram.000000.000128.to.000000.000256=0
      histogram.000000.000256.to.000000.000512=1
      histogram.000000.000512.to.000000.001024=0
      histogram.000000.001024.to.000000.002048=1
      histogram.000000.002048.to.000000.004096=0
      histogram.000000.004096.to.000000.008192=0
      histogram.000000.008192.to.000000.016384=14
      histogram.000000.016384.to.000000.032768=162
      histogram.000000.032768.to.000000.065536=903
      histogram.000000.065536.to.000000.131072=2939
      histogram.000000.131072.to.000000.262144=5863
      histogram.000000.262144.to.000000.524288=5532
      histogram.000000.524288.to.000001.000000=1202
      histogram.000001.000000.to.000002.000000=734
      histogram.000002.000000.to.000004.000000=520
      histogram.000004.000000.to.000008.000000=239
      histogram.000008.000000.to.000016.000000=98
      histogram.000016.000000.to.000032.000000=65
      histogram.000032.000000.to.000064.000000=60
      histogram.000064.000000.to.000128.000000=30
      histogram.000128.000000.to.000256.000000=7
      histogram.000256.000000.to.000512.000000=9
      histogram.000512.000000.to.001024.000000=6
      histogram.001024.000000.to.002048.000000=0
      histogram.002048.000000.to.004096.000000=0
      histogram.004096.000000.to.008192.000000=0
      histogram.008192.000000.to.016384.000000=0
      histogram.016384.000000.to.032768.000000=0
      histogram.032768.000000.to.065536.000000=0
      histogram.065536.000000.to.131072.000000=0
      histogram.131072.000000.to.262144.000000=0
      histogram.262144.000000.to.524288.000000=0
      num.query.type.A=730
      num.query.type.PTR=1
      num.query.type.TXT=9
      num.query.type.SRV=6
      num.query.type.ANY=17651
      num.query.class.IN=18397
      num.query.opcode.QUERY=18397
      num.query.tcp=0
      num.query.tcpout=618
      num.query.ipv6=0
      num.query.flags.QR=0
      num.query.flags.AA=0
      num.query.flags.TC=0
      num.query.flags.RD=18397
      num.query.flags.RA=0
      num.query.flags.Z=0
      num.query.flags.AD=17649
      num.query.flags.CD=0
      num.query.edns.present=17649
      num.query.edns.DO=0
      num.answer.rcode.NOERROR=18178
      num.answer.rcode.FORMERR=0
      num.answer.rcode.SERVFAIL=186
      num.answer.rcode.NXDOMAIN=29
      num.answer.rcode.NOTIMPL=0
      num.answer.rcode.REFUSED=0
      num.answer.rcode.nodata=67
      num.answer.secure=217
      num.answer.bogus=0
      num.rrset.bogus=1
      unwanted.queries=0
      unwanted.replies=1
      msg.cache.count=59574
      rrset.cache.count=30991
      infra.cache.count=40580
      key.cache.count=16413
      
      

      So I checked the unbound.conf (IPs bogusified):

      
      ##########################
      # Unbound Configuration
      ##########################
      
      ##
      # Server configuration
      ##
      server:
      
      chroot: /var/unbound
      username: "unbound"
      directory: "/var/unbound"
      pidfile: "/var/run/unbound.pid"
      use-syslog: yes
      port: 53
      verbosity: 1
      hide-identity: yes
      hide-version: yes
      harden-referral-path: no
      harden-glue: yes
      do-ip4: yes
      do-ip6: yes
      do-udp: yes
      do-tcp: yes
      do-daemonize: yes
      module-config: "validator iterator"
      unwanted-reply-threshold: 10000000
      num-queries-per-thread: 512
      jostle-timeout: 200
      infra-host-ttl: 900
      infra-cache-numhosts: 50000
      outgoing-num-tcp: 10
      incoming-num-tcp: 10
      edns-buffer-size: 4096
      cache-max-ttl: 86400
      cache-min-ttl: 0
      harden-dnssec-stripped: yes
      msg-cache-size: 100m
      num-threads: 1
      msg-cache-slabs: 4
      rrset-cache-slabs: 4
      infra-cache-slabs: 4
      key-cache-slabs: 4
      rrset-cache-size: 8m
      outgoing-range: 4096
      #so-rcvbuf: 4m
      auto-trust-anchor-file: /var/unbound/root.key
      prefetch: yes
      prefetch-key: yes
      # Statistics
      # Unbound Statistics
      statistics-interval: 0
      extended-statistics: yes
      statistics-cumulative: yes
      
      # Interface IP(s) to bind to
      interface: 192.168.1.1
      interface: 192.168.2.1
      interface: 192.168.3.1
      
      # Outgoing interfaces to be used
      outgoing-interface: 1.2.3.4
      outgoing-interface: 192.168.1.1
      
      # DNS Rebinding
      # For DNS Rebinding prevention
      private-address: 10.0.0.0/8
      private-address: 172.16.0.0/12
      private-address: 169.254.0.0/16
      private-address: 192.168.0.0/16
      private-address: fd00::/8
      private-address: fe80::/10
      # Set private domains in case authoritative name server returns a Private IP address
      private-domain: "lan.local"
      domain-insecure: "lan.local"
      
      # Access lists
      include: /var/unbound/access_lists.conf
      
      # Static host entries
      include: /var/unbound/host_entries.conf
      
      # dhcp lease entries
      include: /var/unbound/dhcpleases_entries.conf
      
      # Domain overrides
      include: /var/unbound/domainoverrides.conf
      
      # Unbound custom options
      server: local-zone: "168.192.in-addr.arpa." nodefault
      stub-zone: name: "168.192.in-addr.arpa."
      stub-addr: 192.168.1.10
      
      ###
      # Remote Control Config
      ###
      include: /var/unbound/remotecontrol.conf
      
      

      Despite having set the msg cache to 100MB in the web config, the rrset cache is always stuck at 8MB:

      rrset-cache-size: 8m

      Btw, maybe it would not be such a bad idea to add more controls, such as the number of threads, individually setting the msg and rrset caches, and a higher ceiling for maximum cache entries.

      • kejianshi

        I'd like to be able to see what's in the hints.

        • wagebox

          I don't believe it is related to root hints file - if that's what you are asking for. There is no entry specifying the root hints in unbound.conf, so the default internal list is used.

          And there is no problem with dns resolution itself. This looks to be a web configurator problem. It's not setting the correct value for rrset-cache-size in unbound.conf.

          • kejianshi

            haha - I know.

            I was just saying, as long as you are asking for features, I'd like to be able to see the root hint.

            • doktornotor Banned

              @kejianshi:

              I was just saying, as long as you are asking for features, I'd like to be able to see the root hint.

              
              unbound-control -c /var/unbound/unbound.conf list_stubs | grep -v noprime
              
              
              • kejianshi

                That also works…  :P

                • doktornotor Banned

                  Yeah… dunno why the status page vanished, was pretty nice in the 2.1.x package.

                  • kejianshi

                    Dumb question and not even sure if it would make a difference…

                    But...  After you changed the advanced setting in unbound, did you restart the service or reboot?  I usually reboot after tinkering with anything not basic.

                    • wagebox

                      For those who asked to see the root hints:

                      
                      $ unbound-control -c /var/unbound/unbound.conf list_stubs | grep -v noprime
                      . IN stub prime M.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 2001:dc3::35 2001:500:3::42 2001:7fd::1 2001:503:c27::2:30 2001:7fe::53 2001:500:1::803f:235 2001:500:2f::f 2001:500:2d::d 2001:500:2::c 2001:500:84::b 2001:503:ba3e::2:30 202.12.27.33 199.7.83.42 193.0.14.129 192.58.128.30 192.36.148.17 128.63.2.53 192.112.36.4 192.5.5.241 192.203.230.10 199.7.91.13 192.33.4.12 192.228.79.201 198.41.0.4
                      
                      

                      I have tried to change the settings, restart unbound and also reboot. The rrset-cache-size is never updated in unbound.conf.

                      So, I checked which of the php scripts is actually controlling unbound advanced options and found it's:

                      /usr/local/www/services_unbound_advanced.php

                      …only to find exactly nothing :) Simply put, there are no references to any functions or variables that seem to update the value of rrset-cache-size in unbound.conf. That piece of code is missing.

                      As this is the first time I'm looking at the inner workings of pfSense, please double-check it, just to be sure I'm not missing something.

                      • phil.davis

                        The back-end code is in /etc/in/unbound.inc
                        I added a comment to https://redmine.pfsense.org/issues/4367

                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
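
The mismatch reported in this thread can be checked from the shell. The following is an added example, not code from pfSense or from any poster: it reads msg-cache-size and rrset-cache-size from an unbound.conf, flags the case where the RRset cache is not twice the message cache (the relationship the web interface describes), and relates mem.cache.rrset from the stats output to the configured ceiling. The function names and sample files are constructed here; 4m is Unbound's documented default for both settings.

```shell
#!/bin/sh
# Added example: audit unbound cache sizing. Function names are illustrative.

# Convert an unbound.conf size (plain bytes, or k/m/g suffix, 1024-based) to bytes.
to_bytes() {
    awk -v s="$1" 'BEGIN {
        n = s + 0; u = tolower(substr(s, length(s), 1))
        if (u == "k") n *= 1024
        else if (u == "m") n *= 1024 * 1024
        else if (u == "g") n *= 1024 * 1024 * 1024
        printf "%.0f\n", n
    }'
}

# Print the last value set for KEY in FILE, or DEFAULT when the key is absent.
# Commented-out lines ("#so-rcvbuf: 4m") never match because $1 starts with "#".
conf_value() {
    awk -v key="$1:" -v def="$3" '$1 == key { v = $2 } END { print (v == "" ? def : v) }' "$2"
}

# Return 0 when rrset-cache-size is twice msg-cache-size, 1 otherwise.
check_cache_ratio() {
    msg=$(to_bytes "$(conf_value msg-cache-size "$1" 4m)")
    rrset=$(to_bytes "$(conf_value rrset-cache-size "$1" 4m)")
    want=$(awk -v m="$msg" 'BEGIN { printf "%.0f\n", m * 2 }')
    if [ "$rrset" = "$want" ]; then
        echo "OK: rrset-cache-size=$rrset bytes (2 x msg-cache-size)"
    else
        echo "MISMATCH: rrset-cache-size=$rrset bytes, expected $want"
        return 1
    fi
}

# Percent of the configured RRset cache in use, from `unbound-control stats` on stdin.
rrset_fill_pct() {
    limit=$(to_bytes "$(conf_value rrset-cache-size "$1" 4m)")
    awk -F= -v lim="$limit" '$1 == "mem.cache.rrset" { printf "%d\n", $2 * 100 / lim }'
}

# Constructed sample files holding only the values quoted in the thread.
SAMPLE_CONF=$(mktemp); SAMPLE_STATS=$(mktemp)
printf 'server:\nmsg-cache-size: 100m\n#so-rcvbuf: 4m\nrrset-cache-size: 8m\n' > "$SAMPLE_CONF"
printf 'mem.cache.rrset=8913062\nmem.cache.message=15570329\n' > "$SAMPLE_STATS"

check_cache_ratio "$SAMPLE_CONF" || true
echo "rrset cache fill: $(rrset_fill_pct "$SAMPLE_CONF" < "$SAMPLE_STATS")%"
```

A fill figure at or slightly above 100% means the RRset cache is sitting at its configured ceiling, which matches the stats in the first post where mem.cache.rrset stays near 8MB.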

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.