Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Martineau]

The cache hit percentage in the UI is calculated hourly (at :59) and is calculated the same way as the script does it when you show stats.

Unbound tracks the number of hits and misses and total requests. It is in memory only so if you restart unbound those stats reset. This has nothing to do with the cache, these are just numbers unbound has built internally to track usage.

The calculation is simple total hits / total requests. It has always been the same with no changes.

When I boot my router, yes my number drops as there is such a low number of requests processed by then. But by the next hour it has come back up into the 80s and then grows to 90%.

That also being said, this is highly dependant on your devices and browsing habits.

I do believe there was a change not too long ago to change the max and min time to live inside the conf file. This should change your testing as in my understanding, but may be worth a review.

“Change 'cache-max-ttl: 21600' and 'cache-min-ttl: 5 to 14400/1200'”

Totally agree.

Also, it should be noted that we are now using unbound v1.10.0 rather than v1.96.x.

Furthermore, when auto-saving/restoring the cache across a reboot, I'm pretty sure there appears to be a lot less cached buffer entries restored, and as you state, may be as a result of the 'cache-max-ttl:' and 'cache-min-ttl:' values, but as I have stated previously,....

"no one was ever apparently concerned with the loss of the dnsmasq cache during a reboot, nor its cache efficiency"​

i.e. terminate unbound, then interrogate dnsmasq's cache stats, i.e. admittedly the dnsmasq metrics are only representative after a limited couple of mins dnsmasq has been UP, but how should the counts 712/331/117 be used/interpreted together to calculate a hit percentage? - assuming it really matters in the real-world!

May  1 13:22:26 RT-AC68U dnsmasq[5218]: cache size 1500, 0/712 cache insertions re-used unexpired cache entries.
May  1 13:22:26 RT-AC68U dnsmasq[5218]: queries forwarded 331, queries answered locally 117
May  1 13:22:26 RT-AC68U dnsmasq[5218]: pool memory in use 0, max 0, allocated 0
May  1 13:22:26 RT-AC68U dnsmasq[5218]: server 127.0.1.1#53: queries sent 331, retried or failed 9
May  1 13:22:26 RT-AC68U dnsmasq[5218]: server 100.120.224.1#53: queries sent 0, retried or failed 0
May  1 13:22:26 RT-AC68U dnsmasq[5218]: server 1.1.1.1#53: queries sent 0, retried or failed 0

FYI, FWIW, IMHO there isn't anything wrong with your reporting.

 

[juched]

Totally agree.

...

FYI, IMHO there isn't anything wrong with your reporting.

so, what are you using unbound.conf.addgui for? (yes, off topic, but it doesn't seem to be covered in this thread yet).

 

[Martineau]

so, what are you using unbound.conf.addgui for? (yes, off topic, but it doesn't seem to be covered in this thread yet).

I stick loads of stuff in my script....

 

[juched]

I stick loads of stuff in my script....

Gotcha. I just moved my "GUI" items there for changing port, logging etc. Seems to work.

 

[Martineau]

Gotcha. I just moved my "GUI" items there for changing port, logging etc. Seems to work.

Indeed

Having decided it's about time I baked my own firmware, there are many possibilities … i.e. including 'unbound_manger' is obviously one, enhanced GUI tweaks, and 2FA etc....although I see someone has recently revived the 2FA implementation (first implemented a couple of years ago) which IMHO should be mandatory for all Web GUI logons - heck I even use 2FA from my LAN to perform admin tasks on my NAS boxes!

 

[heysoundude]

I see someone has recently revived the 2FA implementation (first implemented a couple of years ago) which IMHO should be mandatory for all Web GUI logons

AGREED!!!!

 

[Martineau]

@juched

Not sure if it's worthwhile generating a new GUI graph based on these metrics dumped regularly to the log

May  1 14:45:35 RT-AC68U unbound: [18555:0] info: server stats for thread 0: 941 queries, 573 answers from cache, 368 recursions, 61 prefetch, 0 rejected by ip ratelimiting
May  1 14:58:55 RT-AC68U unbound: [18555:0] info: server stats for thread 0: 1570 queries, 1145 answers from cache, 425 recursions, 133 prefetch, 0 rejected by ip ratelimiting
May  1 15:12:15 RT-AC68U unbound: [18555:0] info: server stats for thread 0: 2107 queries, 1659 answers from cache, 448 recursions, 182 prefetch, 0 rejected by ip ratelimiting

NOTE: If everyone enabled the option, then perhaps we would have a definitive concensus on the merits of multi-thread ('num-threads: n') configurations and its effect on caching.

 

[bluzfanmr1]

I recently gave up on trying to get my cache hits much above 50%. I started with the default settings and tried many tweaks either from this forum or from scouring the web. I once got to 60% but it didn't last long as I believe it was due to an old version of Windows that got fired up for the first time in forever. I only used 1 thread as suggested here previously.

DNS is slower in my location no matter what I've tried and I had hoped that unbound would be the solution to speed up things. I decided to try out NextDNS to see if things would be faster, and it is. I now realize how slowly unbound was working. Granted, we are aren't talking about huge differences but it was noticeable enough to see the changes in browsing. Not a scientific test for sure, just the eye test.

I am going to start over and try unbound again with the changes mentioned here in recent posts. I too am a numbers guy so the stats play into my OCD about it. As discussed, maybe if I didn't see the numbers (like we don't see dnsmasq stats) maybe it wouldn't matter as much to me.

 

[netware5]

Indeed

.................... - heck I even use 2FA from my LAN to perform admin tasks on my NAS boxes!

I thought I am extremely paranoid, but you are the best

 

[New2This]

Almost running 12 days now ,without a hiccup

 

[Martineau]

Almost running 12 days now ,without a hiccup

View attachment 23199

Out of interest, could you please provide the output of

grep -E "^cache-m|^num-t" /opt//var/lib/unbound/unbound.conf

 

[New2This]

cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 1200 # v1.08 Martineau

 

[Martineau]

cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 1200 # v1.08 Martineau

Thanks, and I assume your omitted value is actually 'num-threads: 1' ?

 

[L&LD]

@Martineau, yes. That is what I get too.

 

[New2This]

Yes it is...

 

[CardcaptorRLH85]

Do you still get the same errors from the two commands?

unbound -v

unbound: symbol lookup error: unbound: undefined symbol: log_ident_set_default

unbound -dv

unbound: symbol lookup error: unbound: undefined symbol: log_ident_set_default

Can you post the '/opt/var/lib/unbound/unbound.config'

I no longer get those errors but unbound -dv does get an error.

ASUSWRT-Merlin RT-AC68U 384.17_0 Sun Apr 26 02:25:09 UTC 2020
admin@RT-AC68U-03B0-Yggdrasil:/tmp/home/root# unbound -v
[1588354913] unbound[29457:0] notice: Start of unbound 1.10.0.
admin@RT-AC68U-03B0-Yggdrasil:/tmp/home/root# unbound -dv
[1588354917] unbound[29468:0] notice: Start of unbound 1.10.0.
May 01 17:41:57 unbound[29468:0] error: can't bind socket: Address already in use for 127.0.0.1 port 53535
May 01 17:41:57 unbound[29468:0] fatal error: could not open ports

I'm not quite sure how to get my configuration file out of the router though. I can't figure out how to copy the text from nano to my system clipboard.

 

[Torson]

I'm still seeing those errors after the last 3.09 update:

asmin@RT-AC86U:/tmp/home/root# unbound -v
[1588356327] unbound[16876:0] notice: Start of unbound 1.10.0.
May 01 14:05:27 unbound[16876:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953
May 01 14:05:27 unbound[16876:0] error: cannot open control interface 127.0.0.1 953
May 01 14:05:27 unbound[16876:0] fatal error: could not open ports
asmin@RT-AC86U:/tmp/home/root# unbound -dv
[1588356330] unbound[16882:0] notice: Start of unbound 1.10.0.
May 01 14:05:30 unbound[16882:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953
May 01 14:05:30 unbound[16882:0] error: cannot open control interface 127.0.0.1 953
May 01 14:05:30 unbound[16882:0] fatal error: could not open ports

 

[Safemode]

Do we have any good suggestions / recommendations for cache sizes? Also, if we install libevent, do you think we can take advantage of multithreading? I'm trying to finalize all my edits so i can set and forget. Any help would be greatly appreciated.

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
infra-cache-slabs: 1
key-cache-slabs: 1

# tiny memory cache / # prefetch / # gentle on recursion
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
cache-min-ttl: 300
key-cache-size: 25m
msg-cache-size: 25m
rrset-cache-size: 50m
outgoing-range: 450
num-queries-per-thread: 256
edns-buffer-size: 1232
max-udp-size: 1232
harden-algo-downgrade: yes
harden-referral-path: yes
harden-large-queries: yes
harden-short-bufsize: yes
identity: "DNS"
use-caps-for-id: yes
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
aggressive-nsec: yes
ratelimit: 1000
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
deny-any: yes

Edit: Corrected outgoing-range from 950 to 450 and num-queries-per-thread from 512 to 256. This is for dual core routers. For quad core, outgoing-range 200 and num-queries-per-thread 100.

Set the outgoing-range to as large a value as possible, see the sections in the referred web page above on how to overcome the limit of 1024 in total. This services more clients at a time. With 1 core, try 950. With 2 cores, try 450. With 4 cores try 200. The num-queries-per-thread is best set at half the number of the outgoing-range

 

[Martineau]

If we install libevent, do you think we can take advantage of multithreading?

num-threads: 1

No idea about libevent - consult the "SME"?

You can already increase the number of threads used by unbound on the router, and optionally track the individual thread caches say every 10 minutes by adding directives

statistics-cumulative: yes
statistics-interval: 600

I have uploaded 'unbound_manager' v3.10 beta to the GitHub 'dev' branch which if it detects 'num-threads:' > 1 will now report the individual Threads cache Summary stats.

e.g. using 'num-threads: 2'

e  = Exit Script [?]

A:Option ==> s

total.num.queries=3782                  total.num.expired=273               total.requestlist.exceeded=0            total.tcpusage=0
total.num.queries_ip_ratelimited=0      total.num.recursivereplies=544      total.requestlist.current.all=0         msg.cache.count=1326
total.num.cachehits=3238                total.requestlist.avg=0.932735      total.requestlist.current.user=0        rrset.cache.count=5131
total.num.cachemiss=544                 total.requestlist.max=11            total.recursion.time.avg=0.111437       infra.cache.count=727
total.num.prefetch=348                  total.requestlist.overwritten=0     total.recursion.time.median=0.0540585   key.cache.count=150

Summary: Cache Hits success=85.00%

thread0.num.queries=1791                thread0.num.expired=155             thread0.requestlist.exceeded=0          thread0.tcpusage=0
thread0.num.queries_ip_ratelimited=0    thread0.num.recursivereplies=233    thread0.requestlist.current.all=0       msg.cache.count=1326
thread0.num.cachehits=1558              thread0.requestlist.avg=0.960187    thread0.requestlist.current.user=0      rrset.cache.count=5131
thread0.num.cachemiss=233               thread0.requestlist.max=11          thread0.recursion.time.avg=0.099881     infra.cache.count=727
thread0.num.prefetch=194                thread0.requestlist.overwritten=0   thread0.recursion.time.median=0.0494671 key.cache.count=150

Thread 0: Cache Hits success=86.00%

thread1.num.queries=1991                thread1.num.expired=118             thread1.requestlist.exceeded=0          thread1.tcpusage=0
thread1.num.queries_ip_ratelimited=0    thread1.num.recursivereplies=311    thread1.requestlist.current.all=0       msg.cache.count=1326
thread1.num.cachehits=1680              thread1.requestlist.avg=0.907527    thread1.requestlist.current.user=0      rrset.cache.count=5131
thread1.num.cachemiss=311               thread1.requestlist.max=9           thread1.recursion.time.avg=0.120095     infra.cache.count=727
thread1.num.prefetch=154                thread1.requestlist.overwritten=0   thread1.recursion.time.median=0.05865   key.cache.count=150

Thread 1: Cache Hits success=84.00%

Example tracking messages in the log

e.g. I use 'scribe' logging

grep cache $LOGFILE | tail -n 2

May  1 19:32:31 RT-AC68U unbound: [27264:0] info: server stats for thread 0: 4329 queries, 3877 answers from cache, 452 recursions, 547 prefetch, 0 rejected by ip ratelimiting
May  1 19:32:31 RT-AC68U unbound: [27270:1] info: server stats for thread 1: 4205 queries, 3588 answers from cache, 617 recursions, 491 prefetch, 0 rejected by ip ratelimiting

 

[Safemode]

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 1
rrset-cache-slabs: 1
infra-cache-slabs: 1
key-cache-slabs: 1

# tiny memory cache / # prefetch / # gentle on recursion
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
cache-min-ttl: 300
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
outgoing-range: 450
num-queries-per-thread: 256
edns-buffer-size: 1232
max-udp-size: 1232
harden-algo-downgrade: yes
harden-referral-path: yes
harden-large-queries: yes
harden-short-bufsize: yes
identity: "DNS"
use-caps-for-id: yes
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
aggressive-nsec: yes
ratelimit: 1000
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
deny-any: yes

No idea about libevent - consult the "SME"?

You can already increase the number of threads used by unbound on the router, and track the individual thread caches say every 10 minutes by adding directives

statistics-cumulative: yes
statistics-interval: 600

I have uploaded 'unbound_manager' v3.10 beta to the GitHub 'dev' branch which if it detects 'num-threads:' > 1 will now report the individual Threads cache Summary stats.

e.g. using 'num-threads: 2'

e  = Exit Script [?]

A:Option ==> s

total.num.queries=8401               total.num.expired=826                total.requestlist.exceeded=0             total.tcpusage=0
total.num.queries_ip_ratelimited=0   total.num.recursivereplies=1041      total.requestlist.current.all=0          msg.cache.count=1921
total.num.cachehits=7360             total.requestlist.avg=1.01114        total.requestlist.current.user=0         rrset.cache.count=6846
total.num.cachemiss=1041             total.requestlist.max=16             total.recursion.time.avg=0.106429        infra.cache.count=1400
total.num.prefetch=1024              total.requestlist.overwritten=0      total.recursion.time.median=0.0498103    key.cache.count=225

Summary: Cache Hits success=87.00%   Thread 1=85.48%   Thread 0=90.11%

based on the existence of the tracking messages in the log

e.g. I use 'scribe' logging

grep cache $LOGFILE | tail -n 2

May  1 19:32:31 RT-AC68U unbound: [27264:0] info: server stats for thread 0: 4329 queries, 3877 answers from cache, 452 recursions, 547 prefetch, 0 rejected by ip ratelimiting
May  1 19:32:31 RT-AC68U unbound: [27270:1] info: server stats for thread 1: 4205 queries, 3588 answers from cache, 617 recursions, 491 prefetch, 0 rejected by ip ratelimiting

Very interesting, i will definetely try this. Did you change just the threads or the slabs aswell?

Edit: I'm going to use L&LD suggested values for cache sizes and work from there.