Unbound SLOW queries #52

Open
DFlexy opened this issue Mar 11, 2022 · 16 comments

Comments

@DFlexy

DFlexy commented Mar 11, 2022

klutchell, good evening. I've been noticing that unbound is too slow for queries. Can you tell me what it could be?
Version: start of service (unbound 1.15.0)

image

@klutchell
Owner

That's much slower than I'm seeing. I'm running on Raspberry Pi 3 and my results are all below 60ms.

What kind of device are you running on? Are you running any other services on that device that may be using resources? Have you tried adjusting the settings in your unbound.conf to see if you can improve performance?

The provided configuration file is the bare minimum to get the container running. Any advanced performance tuning is up to the user and would be different depending on the device being used. Here are some docs that may help you get started.

If you are able to squeeze additional performance out of your setup I would appreciate if you shared your configuration here for other users to reference!

@typkrft

typkrft commented Apr 11, 2022

Just to chime in on performance. I'm using one of the documented configs mostly verbatim, with no issue in a proxmox vm. I've had a couple of hits in the 400ms range; subsequent lookups to the same domain are cached and are listed as 0.0 or 0.1ms.

The docker image mvance/unbound mentions using the host network mode specifically for performance, minding security issues of course. Maybe this would help here as well.

@zilexa

zilexa commented Jul 29, 2022

It's just 6ms for me according to AdGuard Home. It uses Unbound as the only DNS server.

@churchofnoise
Contributor

@DFlexy could you share your conf file(s)?
I recently noticed that that could strongly influence performance...

@DFlexy
Author

DFlexy commented Aug 8, 2022

> @DFlexy could you share your conf file(s)? I recently noticed that that could strongly influence performance...

Hello, sorry for the delay.
My configuration follows.
I use it in bridge mode.

docker run -d \
  --name unbound \
  --hostname unbound \
  --network=lan \
  --ip=172.20.0.2 \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  crazymax/unbound:latest

Another point you might notice is that I'm using the crazymax image instead of the klutchell image.
What I noticed was that the klutchell image takes longer to respond to queries.

And regarding the UNBOUND.CONF configuration file, I don't have any customized ones, I just use the image itself

@churchofnoise
Contributor

Could you check if the problem still exists? (with the klutchell image that is)

@DFlexy
Author

DFlexy commented Aug 14, 2022

> Could you check if the problem still exists? (with the klutchell image that is)

Info: I'm in Brazil.
Only the default config; I have no volume for a custom config.

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51700
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 1443 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 14 22:35:16 UTC 2022
;; MSG SIZE  rcvd: 251
root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5125
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

;; Query time: 2383 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 14 22:38:34 UTC 2022
;; MSG SIZE  rcvd: 55

@DFlexy
Author

DFlexy commented Aug 14, 2022

Using crazymax

root@Rasphouse:/home/pi# dig sigok.verteiltesysteme.net @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> sigok.verteiltesysteme.net @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27811
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

;; Query time: 695 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Sun Aug 14 19:43:27 -03 2022
;; MSG SIZE  rcvd: 251
root@Rasphouse:/home/pi# dig dyndns.com @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> dyndns.com @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

;; Query time: 371 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Sun Aug 14 19:41:46 -03 2022
;; MSG SIZE  rcvd: 55

@DFlexy
Author

DFlexy commented Aug 14, 2022

The tests were run after starting the container, so as not to use any cache.

Here is the crazy-max default config too:
https://github.com/crazy-max/docker-unbound/blob/master/rootfs/etc/unbound/unbound.conf

Here is my test config:

docker run -d \
  --name unbound \
  --hostname unbound \
  --network=lan \
  --ip=172.20.0.2 \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  klutchell/unbound:latest

docker run -d \
  --name=unbound \
  --hostname=unbound \
  --network=lan \
  --ip=172.20.0.2 \
  -v unbound:/config \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  crazymax/unbound:latest

@klutchell
Owner

@DFlexy can you try again with the :main tag? You can also try :sha-3ed0699 to be certain.
The latest tag hasn't been updated with the performance improvements.

@DFlexy
Author

DFlexy commented Aug 15, 2022

Tests done

With MAIN TAG
root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2831
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 731 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:10:41 UTC 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23622
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 671 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:10:48 UTC 2022
;; MSG SIZE  rcvd: 251

With SHA TAG

root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 567 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:11:55 UTC 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 431 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:11:59 UTC 2022
;; MSG SIZE  rcvd: 251

Again with crazymax/unbound:latest

root@Rasphouse:/home/pi# dig dyndns.com @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> dyndns.com @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 387 msec**
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Mon Aug 15 09:13:04 -03 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# dig sigok.verteiltesysteme.net @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> sigok.verteiltesysteme.net @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38347
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 679 msec**
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Mon Aug 15 09:13:08 -03 2022
;; MSG SIZE  rcvd: 251
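
The dig outputs in this thread differ in more than query time: the replies for sigok.verteiltesysteme.net from 127.0.0.1 carry the `ad` flag (the resolver reports that it DNSSEC-validated the answer), while those from 172.30.0.254 do not. The following is an added example, not part of any participant's post, that tabulates server, name, query time and AD from pasted dig output; `SAMPLE` is constructed, abridged to the lines the parser reads, with values mirroring the Aug 14 outputs above.

```shell
# Added example: summarise concatenated dig outputs, one line per response.
# AD ("authentic data") set means the resolver reports DNSSEC validation.
summarise_dig() {
  awk '
    BEGIN { ms = "?"; ad = "no" }
    /^;; flags:/ {                      # ";; flags: qr rd ra ad; QUERY: 1, ..."
      flags = $0
      sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags)
      ad = index(" " flags " ", " ad ") ? "yes" : "no"
    }
    /^;; QUESTION SECTION:/ { want_q = 1; next }
    want_q { name = $1; sub(/^;/, "", name); want_q = 0 }
    /;; Query time:/ {                  # tolerates "**" bold markers around it
      for (i = 1; i < NF; i++) if ($i == "time:") ms = $(i + 1)
    }
    /^;; SERVER:/ {                     # SERVER line closes one response
      srv = $3; sub(/#.*/, "", srv)
      printf "%s %s %sms ad=%s\n", srv, name, ms, ad
      name = ""; ms = "?"; ad = "no"
    }'
}

# Names answered with ad=yes by one server and ad=no by another: those
# timings compare a validating lookup with a non-validating one.
ad_mismatches() {
  summarise_dig | awk '
    { sub(/^ad=/, "", $4); seen[$2, $4] = 1; names[$2] = 1 }
    END { for (n in names) if ((n, "yes") in seen && (n, "no") in seen) print n }
  ' | sort
}

# Constructed sample in dig output format (abridged).
SAMPLE=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A
**;; Query time: 1443 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A
;; Query time: 695 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;dyndns.com.                    IN      A
;; Query time: 371 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)'
printf '%s\n' "$SAMPLE" | summarise_dig
```

Piping the same text to `ad_mismatches` lists the names for which the two resolvers disagree on AD, which is worth checking before comparing their timings.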

@churchofnoise
Contributor

Those are VERY high numbers, regardless of which image you use... I'd even dare say that both images perform somewhat similarly.

For reference, here's mine using the main tag version of the klutchell image:


dig dyndns.com @172.16.0.3 +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> dyndns.com @172.16.0.3 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             86400   IN      A       138.1.125.45

;; Query time: 44 msec
;; SERVER: 172.16.0.3#53(172.16.0.3)
;; WHEN: Mon Aug 15 14:20

dig sigok.verteiltesysteme.net @172.16.0.3 +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> sigok.verteiltesysteme.net @172.16.0.3 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54129
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 86399 IN    A       134.91.78.139
sigok.verteiltesysteme.net. 86399 IN    RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

;; Query time: 88 msec
;; SERVER: 172.16.0.3#53(172.16.0.3)
;; WHEN: Mon Aug 15 14:18:14 CEST 2022
;; MSG SIZE  rcvd: 251

@DFlexy
Author

DFlexy commented Aug 15, 2022

I'm in Brazil; my average ping to the USA is 160ms.

C:>ping sigok.verteiltesysteme.net
Disparando sigok.verteiltesysteme.net [134.91.78.139] com 32 bytes de dados:
Resposta de 134.91.78.139: bytes=32 tempo=248ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=254ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=249ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=247ms TTL=46

C:>ping cisco.com
Disparando cisco.com [72.163.4.185] com 32 bytes de dados:
Resposta de 72.163.4.185: bytes=32 tempo=162ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=160ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=160ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=165ms TTL=233

@DFlexy
Author

DFlexy commented Aug 16, 2022

@klutchell

Good morning.
I have a question: the closest root server to me is ICANN's. Can I somehow prioritize it so that it is used first?

l.root-servers.net | 199.7.83.42, 2001:500:9f::42 | ICANN

root@Rasphouse:/home/pi# ping 199.7.83.42
PING 199.7.83.42 (199.7.83.42) 56(84) bytes of data.
64 bytes from 199.7.83.42: icmp_seq=1 ttl=61 time=14.3 ms
64 bytes from 199.7.83.42: icmp_seq=2 ttl=61 time=12.8 ms
64 bytes from 199.7.83.42: icmp_seq=3 ttl=61 time=8.56 ms
64 bytes from 199.7.83.42: icmp_seq=4 ttl=61 time=10.6 ms
64 bytes from 199.7.83.42: icmp_seq=5 ttl=61 time=12.9 ms

@klutchell
Owner

@DFlexy You could try blocking queries to the other root servers so it is forced to use ICANN, like they've done in this post: https://discourse.pi-hole.net/t/is-there-a-way-to-avoid-russian-root-servers-using-unbound/54033/6

However I'm not confident that will actually speed up your queries since it should be loaded into cache at startup.

@klutchell
Owner

@DFlexy is this still an issue for you? Can it be closed?
