Unbound After upgrading to firmware version 3006 that Unbound's hit rate has decreased?

[aru]

From what I remember, Unbound used to have a hit rate of around 80–90% on the older 388 firmware version. However, after upgrading to version 3006, the hit rate has dropped to around 40%. Even after reinstalling the Unbound package, there doesn't seem to be any improvement. Looking at the msg-cache-size and rrset-cache-size, the cache usage is less than half and hasn’t reached the limit yet. Could it be because the system has only been running for two days and hasn’t built up an effective cache yet? Or could it be an issue with my own configuration?

The only change I made was increasing msg-cache-size from 8M to 16M; all other settings remain unchanged.

        unbound Memory/Cache:

        'key-cache-size:'       8388608 (8.00 MB)
        'msg-cache-size:'       16777216 (16.00 MB)     49% used 8261191        (7.88 MB)
        'rrset-cache-size:'     16777216 (16.00 MB)     54% used 9117657        (8.70 MB)

        System Memory/Cache:

                     total       used       free     shared    buffers     cached
        Mem:       1018508     962112      56396       4888      94252     292300
        -/+ buffers/cache:     575560     442948
        Swap:      2097148          0    2097148

total.num.queries=222626                total.num.cachehits=93772               total.num.dns_error_reports=0           total.recursion.time.avg=0.205162
total.num.queries_ip_ratelimited=0      total.num.cachemiss=128854              total.requestlist.avg=4.21364           total.recursion.time.median=0.137648
total.num.queries_cookie_valid=0        total.num.prefetch=10247                total.requestlist.max=90                total.tcpusage=0
total.num.queries_cookie_client=0       total.num.queries_timed_out=0           total.requestlist.overwritten=0         msg.cache.count=24229
total.num.queries_cookie_invalid=0      total.query.queue_time_us.max=0         total.requestlist.exceeded=0            rrset.cache.count=26534
total.num.queries_discard_timeout=141   total.num.expired=1533                  total.requestlist.current.all=0         infra.cache.count=9984
total.num.queries_wait_limit=0          total.num.recursivereplies=128713       total.requestlist.current.user=0        key.cache.count=1520

 

[dave14305]

Are there any guest networks that aren’t forwarding to Unbound?

 

[aru]

I'm not yet familiar with the settings for Guest Network Pro, so I haven't used it at all and am still observing for now.

 

[Crimliar]

I hate graphs with false baselines (unless I'm using them to persuade someone)! The overall change at around just 1% could just be down to what was being browsed in the dead if night- it's not a significant change!

 

[ColinTaylor]

The overall change at around just 1% could just be down to what was being browsed in the dead if night- it's not a significant change!

I think you've missed his point. Read the first sentence of post #1 again.

The only change I made was increasing msg-cache-size from 8M to 16M; all other settings remain unchanged.

Change it back to 8M and see if that changes the hit rate (although I doubt it will as it's only 49% used).

 

[bluzfanmr1]

I'm not on the new firmware yet, but I too have had the hit rate drop significantly. It was always in the mid 80's and now stays around 25%. I saw this happen with the last Unbound update and I think it's the likely culprit, be it Unbound itself, or the stats app.

 

[donbru]

Same issue here. I noticed it right after the latest Entware update.

 

[aru]

Change it back to 8M and see if that changes the hit rate (although I doubt it will as it's only 49% used).

Actually, I didn’t change the setting initially — it was 8M by default when I encountered the 40% hit rate issue. I suspected the low hit rate might be due to cache exhaustion, which is why I increased it to 16M. But even after increasing the cache size, there was no noticeable improvement.

According to past records, the older 388 firmware consistently achieved an excellent 80–90% hit rate with Unbound, using only the default configuration without any modifications to unbound.conf.

Unbound - unbound/WAN settings

I used to have Cloudfare set in WAN DNS Setting along with DNS over TLS. But now I installed "unbound" thinking I'd rather have local DNS and it had me disable some settings. I'm not sure how to configure WAN now, do I just set it to ISP? When I try to enter Cloudfare or any other it just...

www.snbforums.com

 

[DevourerOS]

Just an observation, but my pfsense firewall has seen a huge decline in blocked unbound sites over the last several months. Down from 90 + % to 6 - 8 %. I believe it has a lot to do with the way ads are being channeled to us.

Yes I know this isn't a pfsense thread, but I no longer use my Asus router to run unbound, but wanted to express/share that I don't think it has anything to do with the firmware.

 

[bluzfanmr1]

In my case, the drop correlated with the recent Entware Unbound update. I see no difference in the number of blocked ads. I use AdGuard Home to feed Unbound and that is where the issue shows.

 

[aru]

Your observations are very likely correct. If the same issue can be reproduced across different platforms like pfSense, then it’s probably not related to the 3006 firmware. Instead, it may be an issue with the Unbound 1.23 core version itself.


I also found a similar report from another user on the official GitHub page (link here). It seems that after fixing some issues in version 1.23, Unbound may have introduced new behavior that negatively affects cache hit rates.


At this point, we may just have to wait for the release of Unbound 1.24 to see if things improve.
Thanks for your insights and for bringing this up!

 

[Jack-Sparr0w]

Try tunning it

ip ratelimit 1000
so rcvbuf 4m
incoming num tcp 950 best for overhead
outgoing num tcp 200 best for overhead
cache max ttl 14400
serve expired ttl 3600
# tiny memory cache
key-cache-size: 16m # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
msg-cache-size: 16m # L&LDv1.03 (Orig 8m) RT-AX88U For RT-AC86U use (8m)
rrset-cache-size: 32m # L&LDv1.03 (Orig 16m) RT-AX88U For RT-AC86U use (16m)

# no threads and no memory slabs for threads
num-threads: 4 # L&LDv1.03 (Orig 1) RT-AX88U For RT-AC86U use (2)
msg-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
rrset-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
infra-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U use (2)
key-cache-slabs: 4 # L&LDv1.03 (Orig 2) RT-AX88U For RT-AC86U

use (vx) to edit unbound config file (stock settings are slow)

 

[Jack-Sparr0w]

Before making any changes to your unbound.conf file located in /opt/var/lib/unbound/ make a backup and store it in a safe location.

1. num-threads:
   1. This should equal the number of Cores your router's CPU has. For the RT-AX88U: 4.
2. The following should all be the same:
   1. msg-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   2. rrset-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   3. infra-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
   4. key-cache-slabs:
      1. This should be close to the number of Cores and must be a power of 2. For the RT-AX88U: 4.
3. key-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
4. msg-cache-size:
   1. The largest value that didn't crash the RT-AX88U: 16m.
5. rrset-cache-size:
   1. This value should be twice the value of the msg-cache-size above. For the RT-AX88U: 32m.
6. cache-min-ttl: '0' is the (DNS) servers' default value (anything else here over-rides that).
7. incoming-num-tcp: '1024' is the maximum value allowed (except in a Linux build).
8. outgoing-num-tcp: '256' is 1024 divided by the number of cores.

use this guide and take 50 off incoming-num-tcp also outgoing-num-tcp take 50 off for overhead

incoming-num-tcp (950)
outgoing-num-tcp (200)
As seen in other documents

 

[bluzfanmr1]

This has nothing to do with tuning Unbound. I've been using Unbound for years and know all the settings well. You are posting settings from other posts in this forum from long ago.

 

[Jack-Sparr0w]

So, I'm helping someone get a better hit rate on unbound dns. the other tune has no room for overhead. here is the links. unbound is used on a lot of other systems. netgate and nlnetlabs have better info on this. the forum can only take you so far

unbound.conf(5) — Unbound 1.23.0 documentation

unbound.docs.nlnetlabs.nl

Unbound - unbound.conf.5

unbound.conf(5) unbound 1.23.1 unbound.conf(5) NAME unbound.conf - Unbound configuration file. SYNOPSIS unbound.conf DESCRIPTION unbound.conf is used to configure unbound(8). The file format has at- tributes and values. Some attributes have attributes inside them. The notation is: attribute...

www.nlnetlabs.nl

Cache & Performance Tuning | TNSR Documentation

docs.netgate.com

 

[Gary_Dexter]

As per here -
Post in thread 'Unbound low cache hit rate'
https://www.snbforums.com/threads/unbound-low-cache-hit-rate.95332/post-964101

Unbound made changes to the way serve-expired is now handled.

By default, the serve-expired-ttl is now 86400 seconds (rather than 0 - ie infinite), and serve-expired-client-timeout is now 1800ms (Time in milliseconds before replying to the client with expired data. This essentially enables the serve-stale behavior as specified in RFC 8767that first tries to resolve before immediately responding with expired data. Setting this to 0 will disable this behavior and instead serve the expired record immediately from the cache before attempting to refresh it via resolution.)

This means if DNS can’t resolve with a “clean” reply within 1800ms it will then (and only then) serve the expired/cached reply.

 

[aru]

Thank you for your detailed explanation. So it turns out the change to serve-expired-client-timeout is what affected the caching behavior — this information is truly essential. It really helped me understand the issue. Thanks again!

As it turns out, this change in the newer version was actually made to better follow DNS standards (RFC 8767), aiming to improve data accuracy and freshness rather than performance or cache hit rate.
But ironically, I personally prefer faster query responses over real-time accuracy — so forgive me for reverting to the old behavior, as it lets me enjoy high cache hit rates once again.

 

[Gary_Dexter]

Make sure you are using prefetch as well to keep cached records updated

 

[aru]

Thank you for the information. The default configuration file that comes with the Unbound installation package is already quite comprehensive, having been fine-tuned by many knowledgeable and dedicated contributors. It also includes numerous optimizations specifically tailored for the ASUS Merlin environment. Since I haven’t fully delved into the configuration details myself, I’ve been hesitant to make changes on my own.


Unbound’s highly efficient caching strategy has long delivered an almost instant “DNS lookup” experience, which was one of my main motivations for installing it. The ability to provide fast and smooth DNS resolution is precisely the core value I appreciate.

 

[dave14305]

Unbound Manager’s default configuration file hasn’t been updated since 2021. People were still wearing masks back then.