Unbound Unbound Tuning for gaming

[Twiglets]

This is difficult, for me, to explain without getting very low level into how DNS Records are constructed and what the various fields do and how they impact the operation of your resolver (unbound/dnsmasq/BIND/etc).

These examples are contrived/nonsensical uses of nameservers to try to simplify the explanation !!!

From the unbound docs:

target-fetch-policy: <”list of numbers”>
Set the target fetch policy used by Unbound to determine if it should fetch nameserver target addresses opportunistically.The policy is described per dependency depth.

The number of values determines the maximum dependency depth that Unbound will pursue in answering a query.A value of -1 means to fetch all targets opportunistically for that dependency depth.A value of 0 means to fetch on demand only.A positive value fetches that many targets opportunistically.

Enclose the list between quotes (<span>""</span>) and put spaces between numbers. Setting all zeroes, “0 0 0 0 0” gives behaviour closer to that of BIND 9,while setting “-1 -1 -1 -1 -1” gives behaviour rumoured to be closer to that of BIND 8.

Default: “3 2 1 0 0”

This impacts the effective 'pre-fetching' of nameserver DNS data based on the queries being made.

Reading this data is, of course, something that takes time and slows the apparent time to get a reply.[Latency]
The upside is that the nameserver DNS data is stored/cached and if queries are made refering to the same nameserver you gain from the faster response.

The target-fetch-policy setting has values for different "depths.".

Example Query:

You have a query that is for 'QWE.net' which leads to DNS records that point at NS1.com & NS2.com & NS3.com. [3 nameserver addresses]
These records state that the authorative IP address is obtained from any/all of NS1.com & NS2.com & NS3.com.

NS1.com & NS2.com are defined as Authorative nameservers.
NS3.com is a local internal Authorative nameserver that you can change.

'QWE.com' resolves as 111.222.111.111 and is only defined on NS3.com, for now.

NS1.com contains DNS records defining 'QWE.net' as 111.222.111.111
NS2.com contains DNS records defining 'QWE.net' as 111.222.111.111
NS3.com contains DNS records defining 'QWE.net' as CNAME 'QWE.com' (requiring further lookup to resolve.)

NS1.com & NS2.com are yet to be updated to resolve 'QWE.net' as CNAME 'QWE.com' & 'QWE.com' to be added to them.

'QWE.net' as CNAME 'QWE.com' means == 'QWE.net' is an alias for 'QWE.com'
You will be able to access 'QWE.net' or 'QWE.com' and they are the same IP address.

[Depth examples]--------------------------------------------------------------------------------
If 'target-fetch-policy:' was defined as "2 1 0 0 0" then unbound would lookup 2 of the 3 NS addresses because 2 is the 1st level defined.
[It would be the 1st 2 server addresses it retrieved from the records in the DNS definition for QWE.net.]
The first 2 nameservers will resolve directly to 111.222.111.111.
Unbound knows the DNS details of NS1, NS2 and has resolved QWE.net.
[No further action needed]

If 'target-fetch-policy:' was defined as "3 2 1 0 0" then unbound would lookup 3 of the 3 addresses because 3 is the 1st level defined.
[It would be the 3 server addresses it retrieved from the records in the DNS definition for QWE.net.]
The first 2 nameservers will resolve directly to 111.222.111.111 as above.
The 3rd namesever would return QWE.com which would require a further query to resolve it.
Unbound knows the DNS details of NS1, NS2, NS3 and has resolved QWE.net & QWE.com as 111.222.111.111
[No further Action]

If 'target-fetch-policy:' was defined as "-1 -1 -1 -1 -1" then unbound would lookup 3 of the 3 addresses because 3 is the maximum addresses available from the query. (-1 means retrieve ALL the targets at this level, which equals 3 in this case)
It would then drop down to the next level and resolve all the querys at this level, which in this example equals Zero.
This would give the same result as the "3 2 1 0 0' example, in this case.

If at a level a nameserver resolves a query to an answer that need to access another unknown nameserver ... that is a drop to a lower level.
[The next number in the "3 2 1 0 0 0' sequence, for instance.]
At that lower level the same rules apply ... unbound can query 'opportunistically' 2, the next number in this case, nameserver addresses if it does not already have the DNS data.

This is the pre-fetching that caches information that may be useful for future queries.
The more unbound does this the more busy unbound gets doing queries for data that is not dirrectly asked for by a DNS client.
This extra data is cached and ALL this extra processing impacts latency of requests for DNS clients.
The upside is that these queries don't have to be made again if the next time a request needs the data it is already in the cache.
This is the other side of the equation in speeding up unbound.

N.B.
In regard to 'harden-referral-path: ' ... See below

harden-referral-path: <yes or no>
Harden the referral path by performing additional queries for infrastructure data. Validates the replies if trust anchors are configured and the zones are signed.This enforces DNSSEC validation on nameserver NS sets and the nameserver addresses that are encountered on the referral path to the answer.
Default is off, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the extra query load that is generated.
Experimental option. If you enable it consider adding more numbers after the target-fetch-policy: to increase the max depth that is checked to.

Default: no

 

[Tech9]

Quick question:
Do we have at least one DNS tuned Game by Page 4 or not yet?

 

[Twiglets]

I don't know what a 'DNS Tuned Game' is !!!???

I do know what a 'DNS Tuning Game' is !!!!

 

[Gary_Dexter]

This is difficult, for me, to explain without getting very low level into how DNS Records are constructed and what the various fields do and how they impact the operation of your resolver (unbound/dnsmasq/BIND/etc).

These examples are contrived/nonsensical uses of nameservers to try to simplify the explanation !!!

From the unbound docs:

This impacts the effective 'pre-fetching' of nameserver DNS data based on the queries being made.

Reading this data is, of course, something that takes time and slows the apparent time to get a reply.[Latency]
The upside is that the nameserver DNS data is stored/cached and if queries are made refering to the same nameserver you gain from the faster response.

The target-fetch-policy setting has values for different "depths.".

Example Query:

You have a query that is for 'QWE.net' which leads to DNS records that point at NS1.com & NS2.com & NS3.com. [3 nameserver addresses]
These records state that the authorative IP address is obtained from any/all of NS1.com & NS2.com & NS3.com.

NS1.com & NS2.com are defined as Authorative nameservers.
NS3.com is a local internal Authorative nameserver that you can change.

'QWE.com' resolves as 111.222.111.111 and is only defined on NS3.com, for now.

NS1.com contains DNS records defining 'QWE.net' as 111.222.111.111
NS2.com contains DNS records defining 'QWE.net' as 111.222.111.111
NS3.com contains DNS records defining 'QWE.net' as CNAME 'QWE.com' (requiring further lookup to resolve.)

NS1.com & NS2.com are yet to be updated to resolve 'QWE.net' as CNAME 'QWE.com' & 'QWE.com' to be added to them.

'QWE.net' as CNAME 'QWE.com' means == 'QWE.net' is an alias for 'QWE.com'
You will be able to access 'QWE.net' or 'QWE.com' and they are the same IP address.

[Depth examples]--------------------------------------------------------------------------------
If 'target-fetch-policy:' was defined as "2 1 0 0 0" then unbound would lookup 2 of the 3 NS addresses because 2 is the 1st level defined.
[It would be the 1st 2 server addresses it retrieved from the records in the DNS definition for QWE.net.]
The first 2 nameservers will resolve directly to 111.222.111.111.
Unbound knows the DNS details of NS1, NS2 and has resolved QWE.net.
[No further action needed]

If 'target-fetch-policy:' was defined as "3 2 1 0 0" then unbound would lookup 3 of the 3 addresses because 3 is the 1st level defined.
[It would be the 3 server addresses it retrieved from the records in the DNS definition for QWE.net.]
The first 2 nameservers will resolve directly to 111.222.111.111 as above.
The 3rd namesever would return QWE.com which would require a further query to resolve it.
Unbound knows the DNS details of NS1, NS2, NS3 and has resolved QWE.net & QWE.com as 111.222.111.111
[No further Action]

If 'target-fetch-policy:' was defined as "-1 -1 -1 -1 -1" then unbound would lookup 3 of the 3 addresses because 3 is the maximum addresses available from the query. (-1 means retrieve ALL the targets at this level, which equals 3 in this case)
It would then drop down to the next level and resolve all the querys at this level, which in this example equals Zero.
This would give the same result as the "3 2 1 0 0' example, in this case.

If at a level a nameserver resolves a query to an answer that need to access another unknown nameserver ... that is a drop to a lower level.
[The next number in the "3 2 1 0 0 0' sequence, for instance.]
At that lower level the same rules apply ... unbound can query 'opportunistically' 2, the next number in this case, nameserver addresses if it does not already have the DNS data.

This is the pre-fetching that caches information that may be useful for future queries.
The more unbound does this the more busy unbound gets doing queries for data that is not dirrectly asked for by a DNS client.
This extra data is cached and ALL this extra processing impacts latency of requests for DNS clients.
The upside is that these queries don't have to be made again if the next time a request needs the data it is already in the cache.
This is the other side of the equation in speeding up unbound.

N.B.
In regard to 'harden-referral-path: ' ... See below

Not entirely correct.

The first number is the number of retries, not to query 3 NS addresses.

target-fetch-policy: <nretry> <nhost> <nserv> <nperaddr> <nothresh>

 

[Twiglets]

Not entirely correct.

The first number is the number of retries, not to query 3 NS addresses.

target-fetch-policy: <nretry> <nhost> <nserv> <nperaddr> <nothresh>

Thanks, I did not see anything that stated the 1st number was retries.

In the case of -1 -1 -1 -1 -1 what does that mean in terms of retries ???

Oops ... reread the text on the https://unbound.docs.nlnetlabs.nl/e...nd.conf.html#unbound-conf-target-fetch-policy
Obviously misunderstood it !!!???

 

[Viktor Jaep]

I don't know what a 'DNS Tuned Game' is !!!???

I do know what a 'DNS Tuning Game' is !!!!

I love it on that one level in Shadow of the Tomb Raider, where Lara Croft is stuck in the chamber with that ancient mechanism, and the only way she is able to get the massive megalithic door to lift is by tuning the DNS settings on that laptop that some enemy combatant left behind in order to cause a battery overload that blows the ballast and gets her free!

All my games are DNS tuned now. Each one has their own special config. I couldn't stop myself.

 

[Jack-Sparr0w]

Add to VPN config file:

pull-filter ignore "dhcp-option DNS"

To prevent an OpenVPN client from accepting DNS server settings pushed by the server, add the following line to the client configuration file


dhcp-option DNS 127.0.0.1 To bind to unbound

Will this with VPN will it exclusively? looks like config in logs are verified that in exclusively using unbound as my dns in VPN logs



add to vpn config file:

pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 127.0.0.1

vpn is using port 53 in connection logs now

 

[Twiglets]

Not entirely correct.

The first number is the number of retries, not to query 3 NS addresses.

target-fetch-policy: <nretry> <nhost> <nserv> <nperaddr> <nothresh>

Please could you point me at a reference for this, as all I get is the same text as per the official docs.
I want to understand this properly ... Thanks.
Do I need to go to the source code ???

[Will not use/Refuse to use 'AI' ... Automated Guesswork !!! ]

 

[Quoc Huynh]

I have been confused with the target-fetch-policy parameter, too. Moreover, I also have the same understanding of those numbers as @Twiglets explained.

 

[Twiglets]

I have been confused with the target-fetch-policy parameter, too. Moreover, I also have the same understanding of those numbers as @Twiglets explained.

I did do a large number of searches after @Gary_Dexter post to try to find the original source of the information re:target-fetch-policy.
Mostly I got sent back to the official docs and the same answer I quoted.
I also read the 'AI' answer(s) [Cough spit !!!] and found another 'different' answer !!!???

I will not repeat it until I can confirm it elsewhere.

['AI' guesses are polluting the internet and I will not add to it, reinforcing why I avoid 'AI' 100%. 'Auto-Guessimates' at best.]

P.S.
Thanks for confirming that the official docs 'appear' to say what I explained.
I did double/triple check my understanding to the best of my ability.

This is why I want to find whatever definitively explains the values/meanings in low level detail.

 

[Viktor Jaep]

Add to VPN config file:

pull-filter ignore "dhcp-option DNS"

To prevent an OpenVPN client from accepting DNS server settings pushed by the server, add the following line to the client configuration file


dhcp-option DNS 127.0.0.1 To bind to unbound

Will this with VPN will it exclusively? looks like config in logs are verified that in exclusively using unbound as my dns in VPN logs



add to vpn config file:

pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 127.0.0.1

vpn is using port 53 in connection logs now

You don't need to do any of this... all you have to do is disable the "Accept DNS Configuration" in order to use your local DNS settings.