Performance issue between 1.5.8-1ubuntu1.1 (xenial) and 1.6.7-1ubuntu2.1 (bionic)

2018-06-25 Thread Ralf Hildebrandt via Unbound-users
We're using unbound on our four proxy servers (and a hand-compiled,
current version of squid), which channel all outbound HTTP/HTTPS traffic.

Naturally, these machines do a lot of resolving.

Recently I upgraded the OS from xenial to bionic, and while everything
was working as expected I noticed a significant increase in the DNS
query times on those proxies.

Before the update (running unbound 1.5.8-1ubuntu1.1) we were seeing query
times around 20ms. After the upgrade (1.6.7-1ubuntu2.1) those rose to
40ms.

See these graphs:
https://www.arschkrebs.de/bugs/dnssvc30d.png
https://www.arschkrebs.de/bugs/dnssvc1w.png

I then tinkered with different package versions -- tried upgrading to
1.7.3 (no change) and finally downgraded back to 1.5.8-1ubuntu1.1 -
and the query times dropped to pre-update levels.

Is that to be expected? Is it a regression? I'm a bit late to notice,
but I thought I'd rather ask.

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: Performance issue between 1.5.8-1ubuntu1.1 (xenial) and 1.6.7-1ubuntu2.1 (bionic)

2018-06-25 Thread W.C.A. Wijngaards via Unbound-users
Hi Ralf,

On 25/06/18 11:43, Ralf Hildebrandt via Unbound-users wrote:
> We're using unbound on our four proxy servers (and a hand-compiled,
> current version of squid), which channel all outbound HTTP/HTTPS traffic.

So I think it may be this change from 1.5.9:
- Fix unbound sets CD bit on all forwards. If no trust anchors, it'll
not set CD bit when forwarding to another server. If a trust anchor, no
CD bit on the first attempt to a forwarder, but CD bit thereafter on
repeated attempts to get DNSSEC.

It could be other fixes, perhaps in TCP (if you have tcp-upstream
enabled?) or ssl-upstream?  Or caps-for-id?  Those have seen some work,
so you can have different performance.  TCP and SSL should have better
performance, really, but have seen work on them.

It depends on your configuration and the upstream server responses.
From 20 to 40 msec could be another roundtrip to your favorite frequent
server, and thus the CD flag thing jumps out from the changelogs as
something that could trigger this change.

Best regards, Wouter

> 
> Naturally, these machines do a lot of resolving.
> 
> Recently I upgraded the OS from xenial to bionic, and while everything
> was working as expected I noticed a significant increase in the DNS
> query times on those proxies.
> 
> Before the update (running unbound 1.5.8-1ubuntu1.1) we were seeing query
> times around 20ms. After the upgrade (1.6.7-1ubuntu2.1) those rose to
> 40ms.
> 
> See these graphs:
> https://www.arschkrebs.de/bugs/dnssvc30d.png
> https://www.arschkrebs.de/bugs/dnssvc1w.png
> 
> I then tinkered with different package versions -- tried upgrading to
> 1.7.3 (no change) and finally downgraded back to 1.5.8-1ubuntu1.1 -
> and the query times dropped to pre-update levels.
> 
> Is that to be expected? Is it a regression? I'm a bit late to notice,
> but I thought I'd rather ask.
> 
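Worked model of the CD-bit rule quoted in Wouter's reply, added here as an illustration and not code from Unbound or from either poster. It builds a minimal DNS query on the wire, sets or clears the CD (Checking Disabled, RFC 4035) header flag, and encodes the 1.5.9 changelog rule as a small policy function so the two configurations (with and without a trust anchor) can be compared attempt by attempt. The helper names cd_bit_for_forward, build_query, parse_flags and forward_attempts and the example name are assumptions made for this example. The defender-side point: a forward carrying CD asks the upstream to skip its own DNSSEC validation, so a change in when the flag is set changes what the upstream does and is a plausible place for an extra round trip to come from.

```python
import struct

# Header flag bits in the second 16-bit word of a DNS message (RFC 1035 / RFC 4035).
FLAG_RD = 0x0100  # Recursion Desired
FLAG_AD = 0x0020  # Authentic Data (set by a validating server in responses)
FLAG_CD = 0x0010  # Checking Disabled (client asks the server not to validate)


def cd_bit_for_forward(has_trust_anchor: bool, attempt: int) -> bool:
    """Model of the 1.5.9 changelog rule (hypothetical helper, not Unbound code).

    attempt is 1 for the first try against the forwarder, 2 or more for retries
    made to obtain DNSSEC data the first answer lacked.
    """
    if not has_trust_anchor:
        return False      # no validation configured: never ask upstream to skip checking
    return attempt > 1    # first try without CD; retries carry CD


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, cd: bool = False) -> bytes:
    """Build a single-question DNS query (qclass IN) with RD set and CD optional."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_flags(packet: bytes) -> dict:
    """Decode the header flags a forwarder would see on an incoming query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def forward_attempts(name: str, has_trust_anchor: bool, attempts: int = 3) -> list:
    """CD flag as seen upstream on each successive attempt, per the modelled rule."""
    seen = []
    for attempt in range(1, attempts + 1):
        pkt = build_query(name, cd=cd_bit_for_forward(has_trust_anchor, attempt))
        seen.append(parse_flags(pkt)["cd"])
    return seen


if __name__ == "__main__":
    # Constructed example name; compare the two configurations side by side.
    print("no trust anchor :", forward_attempts("www.example.com", False))
    print("trust anchor    :", forward_attempts("www.example.com", True))
```

Running the block prints `[False, False, False]` for a resolver without trust anchors and `[False, True, True]` for one that validates, which is the behaviour the changelog entry describes; a packet capture of the upstream link would show the same flag pattern if that rule is what changed between the two package versions.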

Re: [ext] Re: Performance issue between 1.5.8-1ubuntu1.1 (xenial) and 1.6.7-1ubuntu2.1 (bionic)

2018-06-25 Thread Ralf Hildebrandt via Unbound-users
* W.C.A. Wijngaards via Unbound-users :
> Hi Ralf,
> 
> On 25/06/18 11:43, Ralf Hildebrandt via Unbound-users wrote:
> > We're using unbound on our four proxy servers (and a hand-compiled,
> > current version of squid), which channel all outbound HTTP/HTTPS traffic.
> 
> So I think it may be this change from 1.5.9:
> - Fix unbound sets CD bit on all forwards. If no trust anchors, it'll
> not set CD bit when forwarding to another server. If a trust anchor, no
> CD bit on the first attempt to a forwarder, but CD bit thereafter on
> repeated attempts to get DNSSEC.

It's probably that, yes.
 
> It could be other fixes, perhaps in TCP (if you have tcp-upstream
> enabled?) or ssl-upstream?  Or caps-for-id?

None of those.

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: Performance issue between 1.5.8-1ubuntu1.1 (xenial) and 1.6.7-1ubuntu2.1 (bionic)

2018-06-25 Thread Robert Edmonds via Unbound-users
Ralf Hildebrandt via Unbound-users wrote:
> Before the update (running unbound 1.5.8-1ubuntu1.1) we were seeing query
> times around 20ms. After the upgrade (1.6.7-1ubuntu2.1) those rose to
> 40ms.
> 
> See these graphs:
> https://www.arschkrebs.de/bugs/dnssvc30d.png
> https://www.arschkrebs.de/bugs/dnssvc1w.png
> 
> I then tinkered with different package versions -- tried upgrading to
> 1.7.3 (no change) and finally downgraded back to 1.5.8-1ubuntu1.1 -
> and the query times dropped to pre-update levels.

One significant difference between those versions is that the
Debian/Ubuntu unbound package enabled query minimisation by default in
package version 1.5.9-1. You might try installing 1.6.7-1ubuntu2.1 and
commenting out the 'qname-minimisation: yes' line in
/etc/unbound/unbound.conf.d/qname-minimisation.conf.

-- 
Robert Edmonds
edmo...@debian.org
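Added illustration of why the package default Robert points at can matter for latency; this is not his code nor Unbound's. It is a simplified RFC 7816-style model of qname minimisation that lists the queries a resolver would send for a name with and without the option, plus a small parser that reports how `qname-minimisation` is set in a snippet shaped like /etc/unbound/unbound.conf.d/qname-minimisation.conf. The zone layout in ZONE_CUTS, the two conf texts and the helper names query_plan and qname_minimisation_setting are constructed for this example, and Unbound's actual minimisation strategy differs in details (query types, fallback on odd responses), so read the query counts as the mechanism behind extra round trips rather than as a prediction for any particular resolver.

```python
# Constructed namespace for the model: the zone cuts that exist under the
# names we resolve.  The resolver is assumed to have the .com nameservers
# cached already and every queried name to exist (no NXDOMAIN handling).
ZONE_CUTS = {"com", "example.com"}

# Constructed stand-ins for the packaged conf snippet, enabled and commented out.
ENABLED_CONF = "server:\n    qname-minimisation: yes\n"
DISABLED_CONF = "server:\n    # qname-minimisation: yes\n"


def labels(name: str) -> list:
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def encloses(zone: str, name: str) -> bool:
    return name == zone or name.endswith("." + zone)


def next_cut_below(current: str, qname: str, zone_cuts: set):
    """The zone a referral from `current` would point to for qname, or None."""
    deeper = [z for z in zone_cuts
              if encloses(z, qname) and len(labels(z)) > len(labels(current))]
    return min(deeper, key=lambda z: len(labels(z))) if deeper else None


def query_plan(qname: str, qtype: str, zone_cuts: set, cached_zone: str,
               minimise: bool) -> list:
    """Return (zone asked, name sent, type sent) triples a resolver would emit.

    Simplified RFC 7816 model (hypothetical helper): with minimisation on, each
    step sends the name one label longer than the closest known zone with type
    NS; the original type goes out only once the full name is reached.  Without
    it, the full name and type go to every server along the referral chain.
    """
    ls = labels(qname)
    qname = ".".join(ls)
    chain = [".".join(ls[i:]) for i in range(len(ls) - 1, -1, -1)]  # com, example.com, ...
    current = cached_zone
    plan = []
    if not minimise:
        while True:
            plan.append((current, qname, qtype))
            nxt = next_cut_below(current, qname, zone_cuts)
            if nxt is None:
                return plan          # answered from this zone, no further referral
            current = nxt
    depth = len(labels(current))
    while True:
        if depth >= len(chain) or chain[depth] == qname:
            plan.append((current, qname, qtype))  # full name reached: real query
            return plan
        name = chain[depth]
        plan.append((current, name, "NS"))      # one label longer than known zone
        if name in zone_cuts:
            current = name                       # referral: new closest known zone
        depth += 1                               # otherwise same zone, add a label


def qname_minimisation_setting(conf_text: str):
    """True/False for an explicit yes/no line, None if the option is not set."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, so '# key: yes' is absent
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == "qname-minimisation":
            return value.strip().lower() == "yes"
    return None


if __name__ == "__main__":
    for name in ("www.example.com", "a.b.c.example.com"):
        for flag in (False, True):
            plan = query_plan(name, "A", ZONE_CUTS, "com", flag)
            print(name, "minimise=%s" % flag, len(plan), "queries:", plan)
    print("enabled snippet :", qname_minimisation_setting(ENABLED_CONF))
    print("commented out   :", qname_minimisation_setting(DISABLED_CONF))
```

For www.example.com both modes need two queries, but for the deeper a.b.c.example.com the minimised plan grows to four while the plain plan stays at two: every label inside a zone that is not itself a zone cut costs an extra round trip to the same servers. That is the shape of latency increase worth checking for in the proxy's query mix before and after toggling the packaged setting, and the parser shows the difference between an explicit `no` and simply commenting the line out, which leaves the version's built-in default in charge.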