[Unbound-users] Improve avg response times
I am using an amazon large EC2 instance (4ECUs, 2 cores) for my unbound configured as below. I am seeing a 150ms+ average response time as reported by namebench Alexa 2K result. In order to reduce my lookup times, I am running an hourly scan of these 35K sites (from namebench dat files) in order to give my clients a cached response whenever possible. On average, my cachemiss rate is 6% as shown below. My cache-ttl-min is 1 hour so these entries should be cached at all times. The cachemisses I am guessing are from sites my pythonmod looks up and responds to in a special way:

    6.5Mbytes of free RAM
    total.num.cachehits=3185
    total.num.cachemiss=188
    mem.cache.rrset=8319405
    mem.cache.message=8729827

(forked configuration)

    server:
        #disable chroot as it caused several issues with python's PYTHONHOME vars
        chroot: ""
        verbosity: 0
        # set to num of cores or cpus
        num-threads: 2
        ##slabs
        rrset-cache-slabs: 1
        infra-cache-slabs: 1
        key-cache-slabs: 1
        msg-cache-slabs: 1
        ##cache sizes
        msg-cache-size: 250m
        #2X msg-cache-size
        rrset-cache-size: 500m
        outgoing-range: 950
        #2X outgoing range
        num-queries-per-thread: 512
        # sudo sysctl -w net.core.rmem_max=8388608
        so-rcvbuf: 8m
        interface: 0.0.0.0
        interface: ::0
        port: 53
        access-control: 0.0.0.0/0 allow
        module-config: "python iterator"
        prefetch: yes
        cache-min-ttl: 3600

    python:
        python-script: "XYZ"

    remote-control:
        control-enable: yes

    forward-zone:
        name: "."
        forward-addr: XYZ

Question: Even with this setup, I am seeing most of the domains return a TTL of 3600 at the start of a random namebench which means they were iterated/recursed over instead of looked up from cache. This is causing a 150ms+ average response times for these 35K sites. It's the exact same 35K sites being scanned by namebench - why aren't these looked up from the cache instead of being iterated over? Are these sites not cached for a full 3600 seconds?
With prefetch, cache-min-ttl of 1 hour, why isn't an hourly scan of these 35K sites populating my cache and giving me a <50ms response time on average? With the same setup, if I take 500 sites and run namebench back to back for these fixed 500 sites, my average response time starts approaching 40-50ms which is where I am trying to be with the 35K sites. Where am I going wrong and how can I debug and fix this issue?

Vinay.

___
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
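One way to keep an eye on the cache behaviour the question above is about, as an added example that is not part of the post: a small POSIX sh script that reads "unbound-control stats" output (the post's setup has remote-control enabled) and reports the cache-miss percentage, a pass/fail against a threshold you choose, and the memory the two caches actually hold. The sample stats text is constructed from the four counters quoted in the post; the threshold of 5% is an arbitrary choice for the demo, not anything the post states.

```shell
#!/bin/sh
# Added example (not from the list post): summarise Unbound cache behaviour
# from "unbound-control stats" output.
# Real use:  unbound-control stats | cache_miss_pct
# The sample text below is constructed from the numbers in the post.

# Print the cache-miss percentage (two decimals) for stats text on stdin.
cache_miss_pct() {
    awk -F= '
        $1 == "total.num.cachehits" { hits = $2 + 0 }
        $1 == "total.num.cachemiss" { miss = $2 + 0 }
        END {
            total = hits + miss
            if (total == 0) { print "0.00"; exit }
            printf "%.2f\n", miss * 100 / total
        }'
}

# Print "ok" when the miss rate is at or below THRESHOLD percent, else "high".
# The threshold is whatever you decide is acceptable for a pre-warmed cache.
cache_miss_check() {
    threshold=$1
    pct=$(cache_miss_pct)
    awk -v p="$pct" -v t="$threshold" 'BEGIN {
        if (p + 0 <= t + 0) print "ok"; else print "high"
    }'
}

# Print the memory each cache holds, in MiB, to compare with the
# msg-cache-size / rrset-cache-size limits in unbound.conf.
cache_mem_mib() {
    awk -F= '
        $1 == "mem.cache.rrset"   { printf "rrset %.1f MiB\n", $2 / 1048576 }
        $1 == "mem.cache.message" { printf "message %.1f MiB\n", $2 / 1048576 }'
}

# Constructed sample: the four counters quoted in the post.
SAMPLE_STATS='total.num.cachehits=3185
total.num.cachemiss=188
mem.cache.rrset=8319405
mem.cache.message=8729827'

printf '%s\n' "$SAMPLE_STATS" | cache_miss_pct      # 5.57
printf '%s\n' "$SAMPLE_STATS" | cache_miss_check 5  # high
printf '%s\n' "$SAMPLE_STATS" | cache_mem_mib
```

Run it periodically (for instance right after each hourly warm-up scan) and the miss rate over time shows whether the warm-up is actually keeping the names resident; a cache that is far below its configured size while the miss rate stays high points at entries not being inserted or being evicted for some other reason rather than at the cache being too small.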
Re: [Unbound-users] Servers for local zones that are not signed
On 07/06/2012 04:45 PM, W.C.A. Wijngaards wrote:
>>>> So unbound asks dnsmasq for the address of "myhost.lan" as it is
>>>> instructed by forward-zone, gets correct result (!), but then marks
>>>> it bogus because it cannot establish trust chain.
>>>
>>> You'll need
>>>
>>> private-domain: "lan."
>>> domain-insecure: "lan."
>>
>> Wow, that was fast! After also adding "do-not-query-localhost: no"
>> (and 'local-zone: "168.192.in-addr.arpa" nodefault' for the reverse
>> zone) it all worked!
>>
>> Thanks a lot!
>>
>> Any chance to make these sort of tricks more apparent in the
>> documentation?
>
> Where in the documentation have you been looking, i.e. does it make
> sense to add some text to help out?

I was reading unbound.conf(5) because there is no relevant doc in the Guides section. I'd say, a separate "HowTo Configure Forward For Local Zones" document would be ideal for my particular case. Or, spray hints in the unbound.conf manpage like so:

- In the description of "forward-zone" and "stub-zone" mention that:
  + if this is a local zone that does not have a DS in the parent zone, you must list the name as "domain-insecure",
  + if it may contain private addresses, then also in "private-domain"
  + if it is a reverse zone for private address range, the zone needs to be configured "local-zone: nodefault"
- In the description of "forward-addr" note that if you specify loopback address you should also add "do-not-query-localhost: no"

I think a separate HowTo might be better because this is a relatively common setup, so many would benefit, and on the other hand the manpage is rather long and dense already. I could knock up a short doc, shall I try?

Regards,
Eugene
Re: [Unbound-users] Servers for local zones that are not signed
Hi Eugene,

On 07/06/2012 02:25 PM, Eugene Crosser wrote:
> On 07/06/2012 03:33 PM, Jan-Piet Mens wrote:
>>> So unbound asks dnsmasq for the address of "myhost.lan" as it
>>> is instructed by forward-zone, gets correct result (!), but
>>> then marks it bogus because it cannot establish trust chain.
>>
>> You'll need
>>
>> private-domain: "lan."
>> domain-insecure: "lan."
>
> Wow, that was fast! After also adding "do-not-query-localhost: no"
> (and 'local-zone: "168.192.in-addr.arpa" nodefault' for the reverse
> zone) it all worked!
>
> Thanks a lot!
>
> Any chance to make these sort of tricks more apparent in the
> documentation?

Where in the documentation have you been looking, i.e. does it make sense to add some text to help out?

Best regards,
Wouter
Re: [Unbound-users] Servers for local zones that are not signed
On 07/06/2012 03:33 PM, Jan-Piet Mens wrote:
>> So unbound asks dnsmasq for the address
>> of "myhost.lan" as it is instructed by forward-zone, gets correct result (!),
>> but then marks it bogus because it cannot establish trust chain.
>
> You'll need
>
> private-domain: "lan."
> domain-insecure: "lan."

Wow, that was fast! After also adding "do-not-query-localhost: no" (and 'local-zone: "168.192.in-addr.arpa" nodefault' for the reverse zone) it all worked!

Thanks a lot!

Any chance to make these sort of tricks more apparent in the documentation?

Eugene
Re: [Unbound-users] Servers for local zones that are not signed
> So unbound asks dnsmasq for the address
> of "myhost.lan" as it is instructed by forward-zone, gets correct result (!),
> but then marks it bogus because it cannot establish trust chain.

You'll need

    private-domain: "lan."
    domain-insecure: "lan."

Regards,
-JP
[Unbound-users] Servers for local zones that are not signed
Hello all,

sorry if this was discussed already, I could not find the answer.

I am trying to configure unbound (1.4.5, running on openwrt) to resolve local zones ("lan." and "168.192.in-addr.arpa.") from another DNS server that has them (in my case, dnsmasq: I want DHCP names resolved in the .lan zone). I configured "the other DNS server" to bind to non-standard port (5553) and put this into unbound.conf:

    forward-zone:
        name: "lan."
        forward-addr: 127.0.0.1@5553

(I also tried "stub-zone:" with "stub-addr:").

Now I am trying to resolve "myhost.lan" which is registered in dnsmasq (I can get the address if I ask "dig -p 5553 myhost.lan @"). But resolving through unbound does not work because unbound tries to obtain the DS for "lan." from the root nameservers. _If_ it got NODATA, everything would have been OK, I would get an "insecure" (without 'ad') answer as from normal non-dnssec zones. But obviously the root servers answer with NXDOMAIN. So unbound asks dnsmasq for the address of "myhost.lan" as it is instructed by forward-zone, gets correct result (!), but then marks it bogus because it cannot establish trust chain.

As I understand, unbound should not try to get DS from the parent of a zone that is configured as "forward" or "stub": if it is by definition "local" then there is no point in asking the "global authorities" to certify for it. If your local zones _are_ signed, you should be able to add 'local-data "lan. DS ."' but if they are _not_ signed, the resolver should behave as if the DS query returned NODATA.

Am I missing something? Is unbound missing something? Is there a workaround?

Thanks,
Eugene
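The configuration this thread converges on (the question above together with the replies that add private-domain, domain-insecure, do-not-query-localhost and the nodefault local-zone), collected into one generated unbound.conf fragment as an added example that is not the list's or the Unbound project's own code. The zone name, forwarder address and reverse zone are the thread's; the generator and its loopback check are an assumption of this example, and the fragment it prints is meant to be included from a full unbound.conf rather than replace it.

```shell
#!/bin/sh
# Added example (not the list's own code): emit the unbound.conf fragment
# this thread arrives at for forwarding an unsigned local zone, plus its
# private reverse zone, to a resolver on loopback (dnsmasq on 127.0.0.1@5553).
# Usage: local_forward_fragment lan 127.0.0.1@5553 168.192.in-addr.arpa > local.conf

local_forward_fragment() {
    zone=$1       # forward zone without trailing dot, e.g. lan
    upstream=$2   # forward-addr value, e.g. 127.0.0.1@5553
    reverse=$3    # optional private reverse zone, e.g. 168.192.in-addr.arpa

    cat <<EOF
server:
    # No DS for "$zone." exists in the parent, so validation would mark the
    # forwarded answers bogus; declare the zone insecure instead.
    domain-insecure: "$zone."
    # Let answers under "$zone." carry private (RFC 1918) addresses.
    private-domain: "$zone."
EOF
    # Assumption of this example: treat 127.x, ::1 and "localhost" as loopback.
    case $upstream in
        127.*|::1|::1@*|localhost*)
            cat <<EOF
    # The forwarder is on loopback, which Unbound refuses to query by default.
    do-not-query-localhost: no
EOF
            ;;
    esac
    if [ -n "$reverse" ]; then
        cat <<EOF
    # Unbound answers private reverse zones itself by default; drop that
    # built-in zone so the query reaches the forwarder.
    local-zone: "$reverse." nodefault
EOF
    fi
    cat <<EOF

forward-zone:
    name: "$zone."
    forward-addr: $upstream
EOF
    if [ -n "$reverse" ]; then
        cat <<EOF

forward-zone:
    name: "$reverse."
    forward-addr: $upstream
EOF
    fi
}

# Count how many of the directives the thread needed appear in a fragment on
# stdin, so a hand-edited config can be checked for the usual omissions.
count_required_directives() {
    grep -c -E '^ *(domain-insecure|private-domain|do-not-query-localhost|local-zone):'
}

local_forward_fragment lan 127.0.0.1@5553 168.192.in-addr.arpa
```

Note that domain-insecure disables DNSSEC validation only for the named zone, which is the intended scope here: every other name Unbound resolves is still validated, and a forwarded zone that does have a DS in its parent should not be listed there at all.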