Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Martineau]

This is the log, when I open reddit.com
https://pastebin.com/0y7y2JAd

Restart unbound. Statistics show 0 queries again.
I start Firefox and open reddit.com.
You can see 37 cache misses.

Analyzing your 'reddit.com' unbound log entries

56 Cache Hits
71 Cache Misses​

So as soon as you open 'www.reddit.com' there is an uninterrupted sequence of 20 Cache Hits

[✔]Jun 12 01:12:43 theme.zdassets.com. 0.000000 1 133
[✔]Jun 12 01:12:43 theme.zdassets.com. 0.000000 1 133
[✔]Jun 12 01:12:43 theme.zdassets.com. 0.000000 1 133
[✔]Jun 12 01:12:43 www.reddit.com. 0.000000 1 83
[✔]Jun 12 01:12:43 www.reddit.com. 0.000000 1 83
[✔]Jun 12 01:12:43 theme.zdassets.com. 0.000000 1 133
[✔]Jun 12 01:12:43 www.reddit.com. 0.000000 1 83
[✔]Jun 12 01:12:43 www.reddit.com. 0.000000 1 83
[✔]Jun 12 01:12:43 theme.zdassets.com. 0.000000 1 133
[✔]Jun 12 01:12:43 www.reddit.com. 0.000000 1 83
[✔]Jun 12 01:12:43 dns.msftncsi.com. 0.000000 1 50
[✔]Jun 12 01:12:43 www.youtube.com. 0.000000 1 179
[✔]Jun 12 01:12:43 www.facebook.com. 0.000000 1 79
[✔]Jun 12 01:12:43 theme.zdassets.com. 0.000000 1 133
[✔]Jun 12 01:12:43 theme.zdassets.com. 0.000000 1 133
[✔]Jun 12 01:12:43 www.youtube.com. 0.000000 1 179
[✔]Jun 12 01:12:43 dns.msftncsi.com. 0.000000 1 50
[✔]Jun 12 01:12:43 www.facebook.com. 0.000000 1 79
[✔]Jun 12 01:12:43 dns.msftncsi.com. 0.000000 1 50
[✔]Jun 12 01:12:43 www.reddit.com. 0.000000 1 83

followed by a an unniterrupted sequence of 16 Cache Misses.

[✖]Jun 12 01:12:43 firefox.settings.services.mozilla.com. 0.643441 0 119
[✖]Jun 12 01:12:43 firefox.settings.services.mozilla.com. 0.643441 0 119
[✖]Jun 12 01:12:43 firefox.settings.services.mozilla.com. 0.649484 0 119
[✖]Jun 12 01:12:43 firefox.settings.services.mozilla.com. 0.668049 0 119
[✖]Jun 12 01:12:43 firefox.settings.services.mozilla.com. 0.668049 0 119
[✖]Jun 12 01:12:43 firefox.settings.services.mozilla.com. 0.668049 0 119
[✖]Jun 12 01:12:43 firefox.settings.services.mozilla.com. 0.668049 0 119
[✖]Jun 12 01:12:43 content-signature-2.cdn.mozilla.net. 0.648671 0 157
[✖]Jun 12 01:12:43 content-signature-2.cdn.mozilla.net. 0.648671 0 157
[✖]Jun 12 01:12:43 content-signature-2.cdn.mozilla.net. 0.657740 0 157
[✖]Jun 12 01:12:43 content-signature-2.cdn.mozilla.net. 0.673279 0 157
[✖]Jun 12 01:12:43 content-signature-2.cdn.mozilla.net. 0.673279 0 157
[✖]Jun 12 01:12:43 content-signature-2.cdn.mozilla.net. 0.673279 0 157
[✖]Jun 12 01:12:43 content-signature-2.cdn.mozilla.net. 0.673279 0 157
[✖]Jun 12 01:12:43 youtube-ui.l.google.com. 0.666456 0 153
[✖]Jun 12 01:12:43 star-mini.c10r.facebook.com. 0.666456 0 61

NOTE: There are 6 'www.reddit.com' Cache Hits in the first group of 20 Cache hits ( and no '.reddit.com' Cache Misses in the entire log)

Not sure how you derive your 37 Cache Misses figure, certainly it doesn't include specific 'www.reddit.com' references, but I can see

25 .mozilla Cache Misses
6 .firefox Cache Misses​

Perhaps as @tomsk replied, perhaps use a different browser?
or on the host i.e. Win10 ensure that the Primary DNS cache is hosted on the router.

ipconfig /flushdns

Spoiler: Rest of 'reddit.com log

[✔]Jun 12 01:12:43 youtube-ui.l.google.com. 0.000000 1 69
[✔]Jun 12 01:12:43 star-mini.c10r.facebook.com. 0.000000 1 73
[✔]Jun 12 01:12:43 twitter.com. 0.000000 1 45
[✔]Jun 12 01:12:43 support.opendns.com. 0.000000 1 99
[✔]Jun 12 01:12:43 twitter.com. 0.000000 1 45
[✖]Jun 12 01:12:43 push.services.mozilla.com. 0.679901 0 97
[✖]Jun 12 01:12:43 push.services.mozilla.com. 0.679901 0 97
[✖]Jun 12 01:12:43 push.services.mozilla.com. 0.686511 0 97
[✖]Jun 12 01:12:43 push.services.mozilla.com. 0.704509 0 97
[✖]Jun 12 01:12:43 push.services.mozilla.com. 0.704509 0 97
[✖]Jun 12 01:12:43 push.services.mozilla.com. 0.704509 0 97
[✖]Jun 12 01:12:43 push.services.mozilla.com. 0.704509 0 97
[✔]Jun 12 01:12:43 opendns.zendesk.com. 0.000000 1 69
[✖]Jun 12 01:12:44 www.wikipedia.org. 0.702301 0 80
[✖]Jun 12 01:12:44 www.wikipedia.org. 0.702301 0 80
[✔]Jun 12 01:12:44 dyna.wikimedia.org. 0.000000 1 52
[✔]Jun 12 01:12:44 dyna.wikimedia.org. 0.000000 1 64
[✔]Jun 12 01:12:44 twitter.com. 0.073887 0 101
[✔]Jun 12 01:12:44 opendns.zendesk.com. 0.111724 0 87
[✔]Jun 12 01:12:44 firefox.settings.services.mozilla.com. 0.000000 1 119
[✖]Jun 12 01:12:44 cf.zdassets.com. 0.121306 0 113
[✖]Jun 12 01:12:44 firefox.settings.services.mozilla.com. 0.060901 0 139
[✖]Jun 12 01:12:44 d2nxq2uap88usk.cloudfront.net. 0.000000 0 111
[✖]Jun 12 01:12:44 reddit.map.fastly.net. 0.122536 0 55
[✖]Jun 12 01:12:44 snippets.cdn.mozilla.net. 0.088832 0 146
[✖]Jun 12 01:12:44 d2nxq2uap88usk.cloudfront.net. 0.032240 0 271
[✖]Jun 12 01:12:44 autopush.prod.mozaws.net. 0.000000 0 58
[✖]Jun 12 01:12:44 cf.zdassets.com. 0.073642 0 106
[✖]Jun 12 01:12:44 d228z91au11ukj.cloudfront.net. 0.000000 0 111
[✖]Jun 12 01:12:44 d228z91au11ukj.cloudfront.net. 0.032285 0 128
[✖]Jun 12 01:12:44 autopush.prod.mozaws.net. 0.066769 0 127
[✖]Jun 12 01:12:44 reddit.map.fastly.net. 0.105306 0 100
[✖]Jun 12 01:12:44 detectportal.firefox.com. 1.023087 0 254
[✖]Jun 12 01:12:44 detectportal.firefox.com. 1.031581 0 254
[✖]Jun 12 01:12:44 detectportal.firefox.com. 1.047695 0 254
[✖]Jun 12 01:12:44 detectportal.firefox.com. 1.047695 0 254
[✖]Jun 12 01:12:44 detectportal.firefox.com. 1.047695 0 254
[✖]Jun 12 01:12:44 detectportal.firefox.com. 1.051679 0 254
[✖]Jun 12 01:12:44 a1089.dscd.akamai.net.0.1.cn.akamaitech.net. 0.000000 0 93
[✔]Jun 12 01:12:44 ocsp.digicert.com. 0.000000 1 83
[✔]Jun 12 01:12:44 cs9.wac.phicdn.net. 0.000000 1 52
[✖]Jun 12 01:12:44 a1089.dscd.akamai.net.0.1.cn.akamaitech.net. 0.099576 0 117
[✖]Jun 12 01:12:44 mozilla.org. 0.027670 0 45
[✖]Jun 12 01:12:44 cs9.wac.phicdn.net. 0.126974 0 104
[✖]Jun 12 01:12:44 27.239.224.13.in-addr.arpa. 0.076780 0 101
[✖]Jun 12 01:12:44 126.239.224.13.in-addr.arpa. 0.139121 0 103
[✖]Jun 12 01:12:45 146.106.88.52.in-addr.arpa. 0.289262 0 107
[✔]Jun 12 01:12:46 www.redditstatic.com. 0.000000 1 89
[✔]Jun 12 01:12:46 styles.redditmedia.com. 0.000000 1 91
[✔]Jun 12 01:12:46 preview.redd.it. 0.000000 1 84
[✖]Jun 12 01:12:46 support.mozilla.org. 0.209199 0 107
[✖]Jun 12 01:12:46 prod-tp.sumo.mozit.cloud. 0.000000 0 74
[✔]Jun 12 01:12:46 b.thumbs.redditmedia.com. 0.000000 1 93
[✖]Jun 12 01:12:46 external-preview.redd.it. 0.081479 0 93
[✖]Jun 12 01:12:46 prod-tp.sumo.mozit.cloud. 0.074713 0 127
[✖]Jun 12 01:12:46 www.redditmedia.com. 0.082879 0 88
[✖]Jun 12 01:12:46 safebrowsing.googleapis.com. 0.098852 0 61
[✔]Jun 12 01:12:46 safebrowsing.googleapis.com. 0.000000 1 61
[✔]Jun 12 01:12:46 safebrowsing.googleapis.com. 0.000000 1 73
[✖]Jun 12 01:12:46 ocsp.pki.goog. 0.176464 0 82
[✖]Jun 12 01:12:46 pki-goog.l.google.com. 0.000000 0 55
[✖]Jun 12 01:12:46 pki-goog.l.google.com. 0.096747 0 67
[✔]Jun 12 01:12:47 www.googletagservices.com. 0.000000 1 99
[✔]Jun 12 01:12:47 c.amazon-adsystem.com. 0.000000 1 98
[✔]Jun 12 01:12:47 d1ykf07e75w7ss.cloudfront.net. 0.000000 1 63
[✔]Jun 12 01:12:47 pagead46.l.doubleclick.net. 0.000000 1 72
[✔]Jun 12 01:12:47 d1ykf07e75w7ss.cloudfront.net. 0.043108 0 128
[✔]Jun 12 01:12:47 gql.reddit.com. 0.000000 1 83
[✔]Jun 12 01:12:47 i.redd.it. 0.000000 1 78
[✖]Jun 12 01:12:48 emoji.redditmedia.com. 0.041873 0 90
[✔]Jun 12 01:12:48 fonts.gstatic.com. 0.000000 1 87
[✖]Jun 12 01:12:48 gstaticadssl.l.google.com. 0.000000 0 59
[✔]Jun 12 01:12:48 v.redd.it. 0.000000 1 78
[✖]Jun 12 01:12:48 gstaticadssl.l.google.com. 0.085893 0 71
[✔]Jun 12 01:12:49 i.ytimg.com. 0.000000 1 45
[✔]Jun 12 01:12:49 i.ytimg.com. 0.000000 1 45
[✖]Jun 12 01:12:49 yt3.ggpht.com. 0.081941 0 92
[✖]Jun 12 01:12:49 photos-ugc.l.googleusercontent.com. 0.000000 0 68
[✔]Jun 12 01:12:49 reddit.map.fastly.net. 0.000000 1 100
[✖]Jun 12 01:12:49 i.ytimg.com. 0.132055 0 57
[✔]Jun 12 01:12:49 a.thumbs.redditmedia.com. 0.000000 1 93
[✖]Jun 12 01:12:49 photos-ugc.l.googleusercontent.com. 0.139629 0 80
[✖]Jun 12 01:12:49 www.googletagmanager.com. 0.092612 0 102
[✖]Jun 12 01:12:49 www-googletagmanager.l.google.com. 0.000000 0 67
[✖]Jun 12 01:12:49 www-googletagmanager.l.google.com. 0.099815 0 79
[✔]Jun 12 01:12:49 40.23.217.172.in-addr.arpa. 0.000000 1 141
[✔]Jun 12 01:12:49 sb.scorecardresearch.com. 0.000000 1 142
[✖]Jun 12 01:12:49 e8736.e7.akamaiedge.net. 0.034078 0 57
[✖]Jun 12 01:12:50 e8736.e7.akamaiedge.net. 0.109333 0 103
[✔]Jun 12 01:12:55 gateway.reddit.com. 0.000000 1 87
[✔]Jun 12 01:12:55 reddit.map.fastly.net. 0.000000 1 100

I can only suggest you try:

cache-min-ttl: 0

If you still believe unbound's caching feature is faulty then you should raise a bug report on the NLnet Labs support forum.

 

[ugandy]

apologies if I missed the answer when searching the thread, but if i start a second instance of dnsmaq for diversion's alternate blocking list, how do i change dnsmasq conf so that both instances of dnsmasq go through unbound?
thanks

 

[tomsk]

apologies if I missed the answer when searching the thread, but if i start a second instance of dnsmaq for diversion's alternate blocking list, how do i change dnsmasq conf so that both instances of dnsmasq go through unbound?
thanks

Unfortunately its not that easy.... you have to alter the 2nd dnsmasq instances .conf file (through a .postconf file) to forward queries to an interface where unbound can listen. The unbound.conf entry is fairly simple , you just need to add an interface: statement for the new listen interface.

 

[dave14305]

Unfortunately its not that easy.... you have to alter the 2nd dnsmasq instances .conf file (through a .postconf file) to forward queries to an interface where unbound can listen. The unbound.conf entry is fairly simple , you just need to add an interface: statement for the new listen interface.

Both dnsmasq instances can forward to the same unbound listener 127.0.0.1#53535. No unbound.conf changes needed, just that second dnsmasq.conf file...

 

[tomsk]

Both dnsmasq instances can forward to the same unbound listener 127.0.0.1#53535. No unbound.conf changes needed, just that second dnsmasq.conf file...

Oh ... theres no conflict issue with both dnsmasq instances trying to forward to the same port?
Conflict comes from devices trying to listen on the same port?

 

[ugandy]

Both dnsmasq instances can forward to the same unbound listener 127.0.0.1#53535. No unbound.conf changes needed, just that second dnsmasq.conf file...

can you share instructions for that second dnsmasq file?
is it just adding the server=127.0.0.1 to the second dnsmasq conf?
thanks

 

[tomsk]

can you share instructions for that second dnsmasq file? thanks

the 2nd instance of dnsmasq .conf file is generated from the alternate-bf.div file in /opt/share/diversion/file directory.
You would need to alter the echo "servers-file=/tmp/resolv.dnsmasq" line to echo "server=127.0.0.1#53535"
Or alter the alternate-bf.conf file itself restart the 2nd instance of dnsmasq for it to take effect.

 

[ugandy]

the 2nd instance of dnsmasq .conf file is generated from the alternate-bf.div file in /opt/share/diversion/file directory.
You would need to alter the echo "servers-file=/tmp/resolv.dnsmasq" line to echo "server=127.0.0.1#53535"
Or alter the alternate-bf.conf file itself restart the 2nd instance of dnsmasq for it to take effect.

thanks!
i guess the change to alternate-bf.div will get lost everytime diversion gets updated?

 

[immi803]

@Martineau
I've always opted for CPU/MEMORY optimisation feature but just got curious, how does it actually work, do we need to optimize for a cpu/memory like ax88u? What about little old ones Ac68u/Ac66u ? Does enabling or disabling has any impact on performance as well?

 

[Martineau]

@Martineau
I've always opted for CPU/MEMORY optimisation feature but just got curious, how does it actually work, do we need to optimize for a cpu/memory like ax88u? What about little old ones Ac68u/Ac66u ? Does enabling or disabling has any impact on performance as well?

see this post#

I don't believe there are any posts indicating issues with either of the two (appropriately applied) tweaks on any router models.

 

[thelonelycoder]

thanks!
i guess the change to alternate-bf.div will get lost everytime diversion gets updated?

Yes.

 

[Ubimo]

After disabling the Windows DNS-Client service via regedit, I finally get high cache hits again.

 Standard Statistics
 --------------------------------------------------------

 Number of DNS queries: 579
 Number of queries that were successfully answered using cache lookup (ie. cache hit): 507
 Number of queries that needed recursive lookup (ie. cache miss): 72
 Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 1.18056

 Extended Statistics
 --------------------------------------------------------

 RRset cache usage in bytes: 922454
 Message cache usage in bytes: 193960

 Cache hit success percent: 87.56

 

[martinr]

After disabling the Windows DNS-Client service via regedit, I finally get high cache hits again.

 Standard Statistics
 --------------------------------------------------------

 Number of DNS queries: 579
 Number of queries that were successfully answered using cache lookup (ie. cache hit): 507
 Number of queries that needed recursive lookup (ie. cache miss): 72
 Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 1.18056

 Extended Statistics
 --------------------------------------------------------

 RRset cache usage in bytes: 922454
 Message cache usage in bytes: 193960

 Cache hit success percent: 87.56

And that Windows device is the only one you use, no smartphone or tablet/iPad?

 

[Ubimo]

@martinr
Yes.

This is what I wanted:

unbound (pid 25352) is running... uptime: 0 Days, 00:01:54 version: 1.10.0 # rgnldo Github Version=v1.10 Martineau update (Date Loaded by unbound_manager Sat Jun 13 12:12:21 DST 2020)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')         l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                     v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                                     rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                                oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)       s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://192.168.1.1:80/user3.asp)

e  = Exit Script [?]

A:Option ==> s

total.num.queries=314                   total.num.prefetch=0                    total.requestlist.max=4                 total.requestlist.current.user=0        msg.cache.count=971
total.num.queries_ip_ratelimited=0      total.num.expired=0                     total.requestlist.overwritten=0         total.recursion.time.avg=0.153496       rrset.cache.count=4013
total.num.cachehits=294                 total.num.recursivereplies=20           total.requestlist.exceeded=0            total.recursion.time.median=0.131072    infra.cache.count=44
total.num.cachemiss=20                  total.requestlist.avg=0.3               total.requestlist.current.all=0         total.tcpusage=0                        key.cache.count=25

Summary: Cache Hits success=93.00%

I can remember, that some years ago, I disabled DNS-Client service, but re-enabled it some months ago, due to Wireguard testing (Wireguard needs DNS-client service).

 

[heysoundude]

I have a question about this chart in the GUI - is this just my browser (Brave), or is there a scaling problem?



the vertical y-axis doesn't scale correctly (a 36-72HOUR DNS lookup? most would give up after 3 minutes, I'd wager.) the range looks logarithmic to me...might'nt it be better to have a log scale on the x-axis?, and all the lines seemed bunched up.

don't call this a bug report or feature request...I'm just curious as to what's going on and if other people are experiencing/bothered by this. and @Martineau - do not let this be a distraction to continued development of functionality, unless addressing metrics in this way aids in that. For all I know, I've missed/messed up something in the setup or conf file.

 

[L&LD]

@heysoundude I understand what you're asking, but the graph itself seems very articulate to me. Gives the information it should and gives the differences between data points visually too.

I don't think this is an 'issue' at all?

(Countdown to being proved wrong in 3, 2, 1...).

 

[Martineau]

I have a question about this chart in the GUI - is this just my browser (Brave), or is there a scaling problem?

View attachment 24060

the vertical y-axis doesn't scale correctly (a 36-72HOUR DNS lookup? most would give up after 3 minutes, I'd wager.) the range looks logarithmic to me...might'nt it be better to have a log scale on the x-axis?, and all the lines seemed bunched up.

don't call this a bug report or feature request...I'm just curious as to what's going on and if other people are experiencing/bothered by this. and @Martineau - do not let this be a distraction to continued development of functionality, unless addressing metrics in this way aids in that. For all I know, I've missed/messed up something in the setup or conf file.

@juched provided the GUI; not sure what criteria he uses to determine/scale the axis.

 

[Ubimo]

I was celebrating too early. Cache hits down to 26%. :-(

 Standard Statistics
 --------------------------------------------------------

 Number of DNS queries: 1461
 Number of queries that were successfully answered using cache lookup (ie. cache hit): 381
 Number of queries that needed recursive lookup (ie. cache miss): 1080
 Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 1.4987

 Extended Statistics
 --------------------------------------------------------

 RRset cache usage in bytes: 1513532
 Message cache usage in bytes: 426313

 Cache hit success percent: 26.08

 

[juched]

@juched provided the GUI; not sure what criteria he uses to determine/scale the axis.

Those are how unbound buckets the results. It is an exponential method they use to grow the buckets, agree.

 

[martinr]

I was celebrating too early. Cache hits down to 26%. :-(

 Standard Statistics
 --------------------------------------------------------

 Number of DNS queries: 1461
 Number of queries that were successfully answered using cache lookup (ie. cache hit): 381
 Number of queries that needed recursive lookup (ie. cache miss): 1080
 Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 1.4987

 Extended Statistics
 --------------------------------------------------------

 RRset cache usage in bytes: 1513532
 Message cache usage in bytes: 426313

 Cache hit success percent: 26.08

But you’ve only made 1461 queries to your new cache? And if you never visit a new domain and keep visiting the old ones (and keep your current cache), surely you’ll climb asymptotically towards a 100% hit rate? Anyway, it’s like quantum physics: you change the outcome by observing it. So I leave mine alone and happily accept whatever the hit rate is.