Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[tomsk]

That is due to all your responses being cached properly and being used properly(hopefully). the question is, do you have any stale cache getting used?

total.num.expired=9226

looking at the unbound.conf i would say yes but its limited to an hour after the ttl expires.

serve-expired: yes
serve-expired-ttl: 3600

serve-expired: <yes or no>
If enabled, unbound attempts to serve old responses from cache
with a TTL of serve-expired-reply-ttl in the response without
waiting for the actual resolution to finish. The actual resolu-
tion answer ends up in the cache later on. Default is "no".

serve-expired-ttl: <seconds>
Limit serving of expired responses to configured seconds after
expiration. 0 disables the limit. This option only applies when
serve-expired is enabled. A suggested value per draft-ietf-
dnsop-serve-stale-10 is between 86400 (1 day) and 259200 (3
days). The default is 0.

Not sure if the prefetch number is indicative of the stale cache hits?.... seems to fit... supplied from cache but recursive lookup performed

total.num.prefetch=13901

threadX.num.prefetch
number of cache prefetches performed. This number is included
in cachehits, as the original query had the unprefetched answer
from cache, and resulted in recursive processing, taking a slot
in the requestlist. Not part of the recursivereplies (or the
histogram thereof) or cachemiss, as a cache response was sent.

 

[Martineau]

looking at the unbound.conf i would say yes but its limited to an hour after the ttl expires.

serve-expired: yes
serve-expired-ttl: 3600

Not sure if the prefetch number is indicative of the stale cache hits?.... seems to fit... supplied from cache but recursive lookup performed

total.num.prefetch=13901

@tomsk , @SomeWhereOverTheRainBow

My post was actually rhetorical, and analysis/discussion of my near perfect unbound stats is NOT required.

The point of my post was to highlight that without any additional technical information, it is pointless for an OP to tersely post

'X doesn't work - why?'​

and expect someone to respond with an immediate definitive solution to their issue.
Now clearly if someone says ' my router's not working...no lights - why?', most would reply 'is it plugged in/powered-up' and may get lucky if their guess actually fixes the issue, but I doubt this would be the norm.

Case in point, @tomsk has assumed I am using the published 'unbound.conf', but I can categorically state that with respect to the available caching directives I am not - but what may work for me doesn't necessarily work for others.

So you get my point, i.e. TTLs metrics such as

total.num.expired=9226

are only valid in the correct context.

i.e. is it possible that I have watched a random set of say cat videos but having watched them once, never watch them again, so surely the cached DNS will expire naturally based on either the TTL set by the Authoritative DNS or by an artificial extended custom 'unbound.conf' TTL that may result in using stale DNS cache entries.

I'm sure there is hopefully a logical reason why the OP gets such a result

I reloaded a website 12 times....

12 cache misses, 0% cache hits.

but without being given the URL in question then it is difficult to confirm/deny the observation.

e.g. could it be that in an unbound+dnsmasq environment, that dnsmasq caching is actually still ENABLED, so if dnsmasq hasn't got the domain in its cache, it then sends the request upstream to unbound and in all probability unbound also won't have the domain in its cache so has to retrieve the domain from the Authoritative server?

Also, is it possible the 12 unbound cache misses are due to normal 'background' LAN domain requests that actually have nothing to do with the website being 'tested'?

 

[tomsk]

Hi @Martineau, i got the point of your post perfectly and was merely trying to add a commentary on @SomeWhereOverTheRainBow question about stale cache usage and curious about the meaning of the prefetch statistic. No analysis of your stats intended. And for the record you should never look at random cat videos more than once

 

[Milan]

btw. what is the meaning of the numbers on the end of the lines in log ? is it somewhere explained ?

 

[juched]

Having been up for 43 days my router and unbound have been very stable.

Coming up to the top of my cache limit size just now, after almost 5 million requests.

Wonder how it handles max cache size limit now.

 Standard Statistics
 --------------------------------------------------------

 Number of DNS queries: 4901616
 Number of queries that were successfully answered using cache lookup (ie. cache hit): 4532249
 Number of queries that needed recursive lookup (ie. cache miss): 369367
 Number of queries dropped because request list was full: 0
 Average number of requests in list for recursive processing: 4.37211

 Extended Statistics
 --------------------------------------------------------

 RRset cache usage in bytes: 15640365
 Message cache usage in bytes: 8029246

 

[Martineau]

@Ubimo: before disabling dnsmasq please dont forget to set domain name LAN->LAN IP configuration ...

FYI 'unbound_manager' will not allow a full bypass dnsmasq if the domain name is blank:

Warning: Cannot replicate dnsmasq's local hosts; Blank router domain name; see $HTTP_TYPE://$(nvram get lan_ipaddr):$HTTP_PORT/Advanced_LAN_Content.asp LAN->LAN-IP $HARDWARE_MODEL's Domain Name

 

[Martineau]

btw. what is the meaning of the numbers on the end of the lines in log ? is it somewhere explained ?

RTFM?

       log-replies: <yes or no>

              Prints one line per reply to the log, with the log timestamp and
              IP address, name, type, class, return  code,  time  to  resolve,
              from  cache  and  response  size.   Default is no.  Note that it
              takes time to print these lines which makes the server (signifi-
              cantly)  slower.   Odd  (nonprintable)  characters  in names are
              printed as '?'.

e.g. Cache Hit for 'reply: 127.0.0.1 cdn.samsungcloudsolution.com. A IN NOERROR 0.000000 1 218'

(Caller) IP address 127.0.0.1                            (Default if dnsmasq is the Primary DNS for LAN Clients)
name                cdn.samsungcloudsolution.com.
type                A
class               IN
return code         NOERROR
time to resolve     0.000000
from  cache         1
response size       218

e.g. Cache Miss for 'reply: 127.0.0.1 prod.registrar.skype.com. A IN NOERROR 0.062644 0 108'

(Caller) IP address 127.0.0.1
name                prod.registrar.skype.com.
type                A
class               IN
return code         NOERROR
time to resolve     0.062644
from  cache         0
response size       1088

 

[rgnldo]

Time to live maximum for RRsets and messages in the cache. Default is 86400 seconds (1 day)
serve-expired-ttl: 3600 = life time of 60 minutes
The sum generated with unbount-control is the accumulated history.

I currently do not define numbers. If the operator of a zone decides to set extremely low or high TTLs, he/she usually has a good reason to do so. A resolver should not interfere at this point.

 

[Milan]

RTFM?

       log-replies: <yes or no>

              Prints one line per reply to the log, with the log timestamp and
              IP address, name, type, class, return  code,  time  to  resolve,
              from  cache  and  response  size.   Default is no.  Note that it
              takes time to print these lines which makes the server (signifi-
              cantly)  slower.   Odd  (nonprintable)  characters  in names are
              printed as '?'.

e.g. Cache Hit for 'reply: 127.0.0.1 cdn.samsungcloudsolution.com. A IN NOERROR 0.000000 1 218'

(Caller) IP address 127.0.0.1                            (Default if dnsmasq is the Primary DNS for LAN Clients)
name                cdn.samsungcloudsolution.com.
type                A
class               IN
return code         NOERROR
time to resolve     0.000000
from  cache         1
response size       218

e.g. Cache Miss for 'reply: 127.0.0.1 prod.registrar.skype.com. A IN NOERROR 0.062644 0 108'

(Caller) IP address 127.0.0.1
name                prod.registrar.skype.com.
type                A
class               IN
return code         NOERROR
time to resolve     0.062644
from  cache         0
response size       1088

then i need change my glasses as i spent 2 hours with reading manual and - cache miss
thanks

 

[skhan85]

Hi is it possible to exclude a couple of devices from using Unbound and use a specific DNS address instead? For example I use a DNS service on my Smart TV to unblock geo locked content. Thanks a bunch!

 

[Ubimo]

I see this in syslog, is this normal?

Jun 10 14:45:02 (unbound_rpz.sh): 11067 Reload unbound for zone named rpz.urlhaus.abuse.ch
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 reply_domains...
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 nx_domains...
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 RPZ events...

Edit:
Since yesterday, I was browsing the same websites again and again.
29% cache hit success....

 

[Martineau]

I see this in syslog, is this normal?

Jun 10 14:45:02 (unbound_rpz.sh): 11067 Reload unbound for zone named rpz.urlhaus.abuse.ch
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 reply_domains...
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 nx_domains...
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 RPZ events...

Edit:
Since yesterday, I was browsing the same websites again and again.
29% cache hit success....

Can you issue the following command (NOTE: you may have to enter it twice if at first it doesn't show any data)

e  = Exit Script [?]

A:Option ==> sd

or you may need to manually scan the appropriate dnsmasq log or Syslog

awk '/cache size/,/Host/' path_to_log

 

[Ubimo]

I've already removed unbound/unbound_manager.

Edit:
I installed it again.
The first time sd displayed screenshot 1.
The second time sd my router became unresponsive. Also screenshot 1.
100% CPU load. Screenshot 2+3
I exited ssh terminal.
I tried a third time, screenshot 4

Edit2:
F***, why are the screenshot so small after uploading?
Here, bigger on imgur: https://imgur.com/a/aHCTVzn

Edit3:
What is hogging my router cpu? https://imgur.com/tSziHWs

 

[kernol]

I've already removed unbound/unbound_manager.

Edit:
I installed it again.
The first time sd displayed screenshot 1.
The second time sd my router became unresponsive. Also screenshot 1.
100% CPU load. Screenshot 2+3
I exited ssh terminal.
I tried a third time, screenshot 4

Edit2:
F***, why are the screenshot so small after uploading?
Here, bigger on imgur: https://imgur.com/a/aHCTVzn

Edit3:
What is hogging my router cpu? https://imgur.com/tSziHWs

@Ubimo - you are unlikely to get a constructive response to your caching woes in this thread - my advice ... live with it or move on without unbound. It seems that some of us suffer the poor cache performance while the lucky ones don't and if you are one of those [like me] who used to have great cache hit rates - but no longer do ... it's simply your bad .

 

[tomsk]

@Ubimo don't forget that your web browser is doing some caching too as well as the machine its being used on before we even think about unbound caching.... and even that is a minefield ..
have a look here for ways to flush various browser DNS cache .... not sure how up to date this is

 

[heysoundude]

@Ubimo don't forget that your web browser is doing some caching too as well as the machine its being used on before we even think about unbound caching.... and even that is a minefield ..
have a look here for ways to flush various browser DNS cache .... not sure how up to date this is

Most browsers clear their cache at CRTL-f5.
You can also look in the settings of those browsers for a way to NOT cache - history, privacy - so that your unbound gets more of a workout.
I’ve got my unbound config to use both processors/threads and I’m at 48%...per thread. That’s 96% unbound if my math is correct and I understand how the code calculates these things.


Sent from my iPhone using Tapatalk

 

[Yanik]

How can i use unbound behind VPN?
I run "vpn 5" and at config i can see "outgoing-interface: 10.8.2.4"

But when i check dnsleaktest.com,
My laptop IP is my VPN's IP, which is expected.
My DNS server is my ISP/Home IP, which should be "vpn 5" exit IP.

I want to hide my ISP/Home IP as my DNS server if thats possible.

 

[Opasen]

I want to hide my ISP/Home IP as my DNS server if thats possible.

That's exactly how it should work. Websites you visit will see your VPN IP and your ISP IP is the recursive DNS server

 

[juched]

I see this in syslog, is this normal?

Jun 10 14:45:02 (unbound_rpz.sh): 11067 Reload unbound for zone named rpz.urlhaus.abuse.ch
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 reply_domains...
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 nx_domains...
Jun 10 14:57:01 (unbound_log.sh): 13753 Processed 0 RPZ events...

Edit:
Since yesterday, I was browsing the same websites again and again.
29% cache hit success....

Those logs are normal. One is the DNS Firewall updates and the other is for log scraping to build stats. You do not logging enabled to it isn’t finding any data. No harm.

 

[Yanik]

That's exactly how it should work. Websites you visit will see your VPN IP and your ISP IP is the recursive DNS server

Yes, thats what i have.
But i want to hide my DNS servers IP address, obviously its a bad security practice.

While i am running unbound trough VPN (outgoing-interface), i was expecting dnsleak test would show my VPN IP instead of my ISP IP.

Is there a way to hide my DNS Server IP?