Unbound After upgrading to firmware version 3006 that Unbound's hit rate has decreased?

[aru]

From what I remember, Unbound used to have a hit rate of around 80–90% on the older 388 firmware version. However, after upgrading to version 3006, the hit rate has dropped to around 40%. Even after reinstalling the Unbound package, there doesn't seem to be any improvement. Looking at the msg-cache-size and rrset-cache-size, the cache usage is less than half and hasn’t reached the limit yet. Could it be because the system has only been running for two days and hasn’t built up an effective cache yet? Or could it be an issue with my own configuration?

The only change I made was increasing msg-cache-size from 8M to 16M; all other settings remain unchanged.

        unbound Memory/Cache:

        'key-cache-size:'       8388608 (8.00 MB)
        'msg-cache-size:'       16777216 (16.00 MB)     49% used 8261191        (7.88 MB)
        'rrset-cache-size:'     16777216 (16.00 MB)     54% used 9117657        (8.70 MB)

        System Memory/Cache:

                     total       used       free     shared    buffers     cached
        Mem:       1018508     962112      56396       4888      94252     292300
        -/+ buffers/cache:     575560     442948
        Swap:      2097148          0    2097148

total.num.queries=222626                total.num.cachehits=93772               total.num.dns_error_reports=0           total.recursion.time.avg=0.205162
total.num.queries_ip_ratelimited=0      total.num.cachemiss=128854              total.requestlist.avg=4.21364           total.recursion.time.median=0.137648
total.num.queries_cookie_valid=0        total.num.prefetch=10247                total.requestlist.max=90                total.tcpusage=0
total.num.queries_cookie_client=0       total.num.queries_timed_out=0           total.requestlist.overwritten=0         msg.cache.count=24229
total.num.queries_cookie_invalid=0      total.query.queue_time_us.max=0         total.requestlist.exceeded=0            rrset.cache.count=26534
total.num.queries_discard_timeout=141   total.num.expired=1533                  total.requestlist.current.all=0         infra.cache.count=9984
total.num.queries_wait_limit=0          total.num.recursivereplies=128713       total.requestlist.current.user=0        key.cache.count=1520

 

[dave14305]

Are there any guest networks that aren’t forwarding to Unbound?

 

[aru]

I'm not yet familiar with the settings for Guest Network Pro, so I haven't used it at all and am still observing for now.

 

[Crimliar]

I hate graphs with false baselines (unless I'm using them to persuade someone)! The overall change at around just 1% could just be down to what was being browsed in the dead if night- it's not a significant change!

 

[ColinTaylor]

The overall change at around just 1% could just be down to what was being browsed in the dead if night- it's not a significant change!

I think you've missed his point. Read the first sentence of post #1 again.

The only change I made was increasing msg-cache-size from 8M to 16M; all other settings remain unchanged.

Change it back to 8M and see if that changes the hit rate (although I doubt it will as it's only 49% used).

 

[bluzfanmr1]

I'm not on the new firmware yet, but I too have had the hit rate drop significantly. It was always in the mid 80's and now stays around 25%. I saw this happen with the last Unbound update and I think it's the likely culprit, be it Unbound itself, or the stats app.

 

[donbru]

Same issue here. I noticed it right after the latest Entware update.

 

[aru]

Change it back to 8M and see if that changes the hit rate (although I doubt it will as it's only 49% used).

Actually, I didn’t change the setting initially — it was 8M by default when I encountered the 40% hit rate issue. I suspected the low hit rate might be due to cache exhaustion, which is why I increased it to 16M. But even after increasing the cache size, there was no noticeable improvement.

According to past records, the older 388 firmware consistently achieved an excellent 80–90% hit rate with Unbound, using only the default configuration without any modifications to unbound.conf.

Unbound - unbound/WAN settings

I used to have Cloudfare set in WAN DNS Setting along with DNS over TLS. But now I installed "unbound" thinking I'd rather have local DNS and it had me disable some settings. I'm not sure how to configure WAN now, do I just set it to ISP? When I try to enter Cloudfare or any other it just...

www.snbforums.com

 

[DevourerOS]

Just an observation, but my pfsense firewall has seen a huge decline in blocked unbound sites over the last several months. Down from 90 + % to 6 - 8 %. I believe it has a lot to do with the way ads are being channeled to us.

Yes I know this isn't a pfsense thread, but I no longer use my Asus router to run unbound, but wanted to express/share that I don't think it has anything to do with the firmware.

 

[bluzfanmr1]

In my case, the drop correlated with the recent Entware Unbound update. I see no difference in the number of blocked ads. I use AdGuard Home to feed Unbound and that is where the issue shows.

 

[aru]

Your observations are very likely correct. If the same issue can be reproduced across different platforms like pfSense, then it’s probably not related to the 3006 firmware. Instead, it may be an issue with the Unbound 1.23 core version itself.


I also found a similar report from another user on the official GitHub page (link here). It seems that after fixing some issues in version 1.23, Unbound may have introduced new behavior that negatively affects cache hit rates.


At this point, we may just have to wait for the release of Unbound 1.24 to see if things improve.
Thanks for your insights and for bringing this up!

 

[Jack-Sparr0w]

Try tunning it

ip ratelimit 1000
so rcvbuf 4m
incoming num tcp 950 best for overhead
outgoing num tcp 200 best for overhead
cache max ttl 14400
serve expired ttl 3600
# tiny memory cache
key-cache-size: 16m # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
msg-cache-size: 16m # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
rrset-cache-size: 32m # L&LDv1.03 (Orig 16m) RT-AX88U For RT-AC86U use (16m)

# no threads and no memory slabs for threads
num-threads: 4 # L&LDv1.03 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U

use (vx) to edit unbound config file (stock settings are slow)

 

[Jack-Sparr0w]

Before making any changes to your unbound.conf file located in /opt/var/lib/unbound/ make a backup and store it in a safe location.

1. num-threads:
   1. This should equal the number of Cores your router's CPU has. For the RT-AX88U: 4.
2. The following should all be the same:
   1. msg-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   2. rrset-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   3. infra-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   4. key-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
3. key-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
4. msg-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
5. rrset-cache-size:
   1. This value should be twice the value of the msg-cache-size above. For the RT-AX88U: 32m.
6. cache-min-ttl: '0' is the (DNS) servers' default value (anything else here over-rides that).
7. incoming-num-tcp: '1024' is the maximum value allowed (except in a Linux build).
8. outgoing-num-tcp: '256' is 1024 divided by the number of cores.

use this guide and take 50 off incoming-num-tcp also outgoing-num-tcp take 50 off for overhead

incoming-num-tcp (950)
outgoing-num-tcp (200)
As seen in other documents

 

[bluzfanmr1]

This has nothing to do with tuning Unbound. I've been using Unbound for years and know all the settings well. You are posting settings from other posts in this forum from long ago.

 

[Jack-Sparr0w]

So, I'm helping someone get a better hit rate on unbound dns. the other tune has no room for overhead. here is the links. unbound is used on a lot of other systems. netgate and nlnetlabs have better info on this. the forum can only take you so far

unbound.conf(5) — Unbound 1.23.0 documentation

unbound.docs.nlnetlabs.nl

Unbound - unbound.conf.5

unbound.conf(5) unbound 1.23.0 unbound.conf(5) NAME unbound.conf - Unbound configuration file. SYNOPSIS unbound.conf DESCRIPTION unbound.conf is used to configure unbound(8). The file format has at- tributes and values. Some attributes have attributes inside them. The notation is: attribute...

www.nlnetlabs.nl

Cache & Performance Tuning | TNSR Documentation

docs.netgate.com