OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: andrema2 on August 19, 2021, 03:48:02 PM

Title: Slow Recursion Time with Unbound
Post by: andrema2 on August 19, 2021, 03:48:02 PM
I changed my OPNsense to a new machine with more processors. It now has an i7 with 12 cores.

Because of it, the configuration of Unbound is using 12 threads and 16 slabs in its autoconfiguration. The recursive resolution is just a part of the total, but it seems way too much anyway.

Below is my config file and the resolution times.
This is a home network with fewer than 100 devices and I'm working from home.
Should I reduce the number of threads, for instance, to make it faster, since the number of queries is not that high?
Title: Re: Slow Recursion Time with Unbound
Post by: andrema2 on August 19, 2021, 03:54:18 PM
Quote from: andrema2 on August 19, 2021, 03:48:02 PM
I changed my OPNsense to a new machine with more processors. It now has an i7 with 12 cores.

Because of it, the configuration of Unbound is using 12 threads and 16 slabs in its autoconfiguration. The recursive resolution is just a part of the total, but it seems way too much anyway.

Below is my config file and the resolution times.

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
verbosity: 0
extended-statistics: yes
log-queries: yes
hide-identity: yes
hide-version: yes
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "validator iterator"
cache-max-ttl: 86400
cache-min-ttl: 7200
harden-dnssec-stripped: yes
serve-expired: yes
outgoing-num-tcp: 50
incoming-num-tcp: 50
num-queries-per-thread: 8192
outgoing-range: 16384
infra-host-ttl: 900
infra-cache-numhosts: 50000
unwanted-reply-threshold: 0
jostle-timeout: 200
msg-cache-size: 50m
rrset-cache-size: 100m
num-threads: 12
msg-cache-slabs: 16
rrset-cache-slabs: 16
infra-cache-slabs: 16
key-cache-slabs: 16


auto-trust-anchor-file: /var/unbound/root.key

prefetch: yes
prefetch-key: yes

# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# DNS Rebinding
# For DNS Rebinding prevention
#
# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
#
# IPv4 Addresses
#
private-address: 0.0.0.0/8       # Broadcast address
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8     # Loopback Localhost
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24    # Documentation network TEST-NET
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15   # Used for testing inter-network communications
private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
#
# IPv6 Addresses
#
private-address: ::1/128         # Loopback Localhost
private-address: 2001:db8::/32   # Documentation network IPv6
private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
private-address: fe80::/10       # Link-local address (LLA)



# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)
include: /var/unbound/dhcpleases.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Custom includes
include: /var/unbound/etc/*.conf



remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
Title: Re: Slow Recursion Time with Unbound
Post by: dinguz on August 21, 2021, 04:03:04 PM
Have you tried running unbound with a higher log level than the default, and if that doesn't yield any clues, with query logging enabled?

My unbound used to be slow, and when running it with verbose logging, it appeared that it was timing out on IPv6 queries, as my internet connection currently doesn't support IPv6. It didn't show that with the default log level.
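
Added example (not part of the thread and not OPNsense or Unbound project code): a Python script that reads `unbound-control stats_noreset` output and shows whether a high average recursion time comes from a small tail of lookups that ran into timeouts, as in the IPv6 case described above, rather than from uniformly slow resolution. The sample statistics are constructed, and the 1-second cutoff and the 5x mean-to-median ratio are assumptions.

```python
import re

# Constructed sample of `unbound-control stats_noreset` output (not from the thread).
SAMPLE_STATS = """\
total.num.cachemiss=200
total.recursion.time.avg=0.320000
total.recursion.time.median=0.036
histogram.000000.016384.to.000000.032768=90
histogram.000000.032768.to.000000.065536=80
histogram.000000.262144.to.000000.524288=10
histogram.000001.000000.to.000002.000000=4
histogram.000002.000000.to.000004.000000=16
"""

# Histogram keys encode bucket bounds as seconds.microseconds.
HIST = re.compile(r"^histogram\.(\d+)\.(\d+)\.to\.(\d+)\.(\d+)$")

def parse_stats(text):
    """Return (scalars, buckets); each bucket is (low_s, high_s, count)."""
    scalars, buckets = {}, []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        m = HIST.match(key)
        if m:
            s_lo, us_lo, s_hi, us_hi = map(int, m.groups())
            buckets.append((s_lo + us_lo / 1e6, s_hi + us_hi / 1e6, int(value)))
        else:
            try:
                scalars[key] = float(value)
            except ValueError:
                pass  # ignore non-numeric values
    return scalars, buckets

def summarize(text, slow_after=1.0, skew=5.0):
    """slow_after (seconds) and skew (mean/median ratio) are assumed thresholds."""
    scalars, buckets = parse_stats(text)
    recursed = sum(count for _, _, count in buckets)
    slow = sum(count for low, _, count in buckets if low >= slow_after)
    avg = scalars.get("total.recursion.time.avg", 0.0)
    median = scalars.get("total.recursion.time.median", 0.0)
    return {"recursed": recursed, "slow": slow,
            "slow_fraction": slow / recursed if recursed else 0.0,
            # A mean far above the median means a few very slow lookups dominate.
            "tail_dominated": median > 0 and avg > skew * median}

if __name__ == "__main__":
    print(summarize(SAMPLE_STATS))
```

A `tail_dominated` result points at a subset of upstream lookups timing out, which is when raising `verbosity` as suggested above is worth the extra log volume.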