
Unbound SLOW queries

Open DFlexy opened this issue 3 years ago • 16 comments

klutchell, good evening. I've been noticing that Unbound is too slow for queries. Can you tell me what it could be? Version (at start of service): unbound 1.15.0


DFlexy avatar Mar 11 '22 22:03 DFlexy

That's much slower than I'm seeing. I'm running on Raspberry Pi 3 and my results are all below 60ms.

What kind of device are you running on? Are you running any other services on that device that may be using resources? Have you tried adjusting the settings in your unbound.conf to see if you can improve performance?

The provided configuration file is the bare minimum to get the container running. Any advanced performance tuning is up to the user and would be different depending on the device being used. Here are some docs that may help you get started.

  • https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
  • https://unbound.docs.nlnetlabs.nl/en/latest/topics/performance.html

If you are able to squeeze additional performance out of your setup I would appreciate if you shared your configuration here for other users to reference!

klutchell avatar Mar 12 '22 12:03 klutchell

Just to chime in on performance. I'm using one of the documented configs mostly verbatim, with no issue in a Proxmox VM. I've had a couple of hits in the 400ms range; subsequent lookups of the same domain are cached and are listed as 0.0 or 0.1ms.

The docker image mvance/unbound mentions using the host network mode specifically for performance, minding security issues of course. Maybe this would help here as well.

Ducky6944 avatar Apr 11 '22 00:04 Ducky6944

It's just 6ms for me according to AdGuard Home. It uses Unbound as the only DNS server.

zilexa avatar Jul 29 '22 10:07 zilexa

@DFlexy could you share your conf file(s)? I recently noticed that that could strongly influence performance...

churchofnoise avatar Aug 05 '22 18:08 churchofnoise

> @DFlexy could you share your conf file(s)? I recently noticed that that could strongly influence performance...

Hello, sorry for the delay. My configuration follows. I use it in bridge mode.

docker run -d \
  --name unbound \
  --hostname unbound \
  --network=lan \
  --ip=172.20.0.2 \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  crazymax/unbound:latest

Another point you might notice is that I'm using the crazymax image instead of the klutchell image. What I noticed was that the klutchell image takes longer to respond to queries.

And regarding the unbound.conf configuration file, I don't have any customized ones; I just use the image itself.

DFlexy avatar Aug 08 '22 20:08 DFlexy

Could you check if the problem still exists? (with the klutchell image that is)

churchofnoise avatar Aug 14 '22 19:08 churchofnoise

> Could you check if the problem still exists? (with the klutchell image that is)

Info: I'm in Brazil. Only the default config; there is no volume for a custom config.

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51700
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 1443 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 14 22:35:16 UTC 2022
;; MSG SIZE  rcvd: 251
root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5125
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

;; Query time: 2383 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 14 22:38:34 UTC 2022
;; MSG SIZE  rcvd: 55

DFlexy avatar Aug 14 '22 22:08 DFlexy

Using crazymax

root@Rasphouse:/home/pi# dig sigok.verteiltesysteme.net @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> sigok.verteiltesysteme.net @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27811
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

;; Query time: 695 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Sun Aug 14 19:43:27 -03 2022
;; MSG SIZE  rcvd: 251
root@Rasphouse:/home/pi# dig dyndns.com @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> dyndns.com @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

;; Query time: 371 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Sun Aug 14 19:41:46 -03 2022
;; MSG SIZE  rcvd: 55

DFlexy avatar Aug 14 '22 22:08 DFlexy
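
Added example (not part of the thread and not code from either image's project): a POSIX shell helper that reduces pasted `dig +dnssec` output like the above to one line per response, recording the query time together with whether the resolver set the `ad` flag and whether RRSIGs were returned, so latency is read alongside validation status. The function names and the abridged sample input are constructed for illustration.

```shell
# Added example. Summarise pasted `dig +dnssec` output, one line per response:
#   <qname> <server> <msec> <ad|noad> <rrsig|norrsig>
dig_summary() {
  awk '
    function reset() { qname = server = msec = ""; ad = "noad"; sig = "norrsig" }
    BEGIN { reset() }
    /^;; flags:/ {                      # ";; flags: qr rd ra ad; QUERY: 1, ..."
      split($0, part, ";")              # part[3] is " flags: qr rd ra ad"
      ad = ((part[3] " ") ~ / ad /) ? "ad" : "noad"
    }
    /^;; QUESTION SECTION:/ { getline; qname = substr($1, 2) }
    !/^;/ && $4 == "RRSIG" { sig = "rrsig" }    # signed data was returned
    /;; Query time:/ {                  # also matches lines wrapped in "**"
      for (i = 1; i < NF; i++) if ($i == "time:") msec = $(i + 1)
    }
    /^;; SERVER:/ {
      server = $3; sub(/#.*/, "", server)
      print qname, server, msec, ad, sig; reset()
    }'
}

# Responses that carried RRSIGs but no AD flag: signed data came back, but the
# resolver did not mark it as DNSSEC-validated.
unvalidated_signed() { dig_summary | awk '$4 == "noad" && $5 == "rrsig"'; }

# Constructed sample, abridged from output pasted in this thread (signature elided).
sample_dig_output() {
  cat <<'EOF'
; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 SIGNATURE-ELIDED
**;; Query time: 1443 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
; <<>> DiG 9.16.27-Debian <<>> sigok.verteiltesysteme.net @172.30.0.254 +dnssec
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 SIGNATURE-ELIDED
;; Query time: 695 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
EOF
}

sample_dig_output | dig_summary
```

A response listed by `unvalidated_signed` was not reported as validated by the resolver, and validation needs extra DNSKEY and DS lookups on a cold cache, so its query time is not directly comparable with that of a response carrying `ad`.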

The tests were run after starting the container, to not use any cache.

Here is the crazy-max default config too: https://github.com/crazy-max/docker-unbound/blob/master/rootfs/etc/unbound/unbound.conf

Here is my test config:

docker run -d \
  --name unbound \
  --hostname unbound \
  --network=lan \
  --ip=172.20.0.2 \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  klutchell/unbound:latest

docker run -d \
  --name=unbound \
  --hostname=unbound \
  --network=lan \
  --ip=172.20.0.2 \
  -v unbound:/config \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  crazymax/unbound:latest

DFlexy avatar Aug 14 '22 22:08 DFlexy

@DFlexy can you try again with the :main tag? You can also try :sha-3ed0699 to be certain. The latest tag hasn't been updated with the performance improvements.

klutchell avatar Aug 15 '22 00:08 klutchell

Tests done

With MAIN TAG
root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2831
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 731 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:10:41 UTC 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23622
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 671 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:10:48 UTC 2022
;; MSG SIZE  rcvd: 251

With SHA TAG

root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 567 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:11:55 UTC 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 431 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:11:59 UTC 2022
;; MSG SIZE  rcvd: 251

Again with crazymax/unbound:latest

root@Rasphouse:/home/pi# dig dyndns.com @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> dyndns.com @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 387 msec**
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Mon Aug 15 09:13:04 -03 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# dig sigok.verteiltesysteme.net @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> sigok.verteiltesysteme.net @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38347
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 679 msec**
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Mon Aug 15 09:13:08 -03 2022
;; MSG SIZE  rcvd: 251

DFlexy avatar Aug 15 '22 12:08 DFlexy

Those are VERY high numbers, regardless of which image you use... I'd even dare say that both images perform somewhat similarly.

For reference, here's mine using the main tag version of the klutchell image:


dig dyndns.com @172.16.0.3 +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> dyndns.com @172.16.0.3 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             86400   IN      A       138.1.125.45

;; Query time: 44 msec
;; SERVER: 172.16.0.3#53(172.16.0.3)
;; WHEN: Mon Aug 15 14:20

dig sigok.verteiltesysteme.net @172.16.0.3 +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> sigok.verteiltesysteme.net @172.16.0.3 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54129
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 86399 IN    A       134.91.78.139
sigok.verteiltesysteme.net. 86399 IN    RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

;; Query time: 88 msec
;; SERVER: 172.16.0.3#53(172.16.0.3)
;; WHEN: Mon Aug 15 14:18:14 CEST 2022
;; MSG SIZE  rcvd: 251

churchofnoise avatar Aug 15 '22 12:08 churchofnoise

I'm in Brazil. My average ping to the USA is 160ms.

C:>ping sigok.verteiltesysteme.net
Disparando sigok.verteiltesysteme.net [134.91.78.139] com 32 bytes de dados:
Resposta de 134.91.78.139: bytes=32 tempo=248ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=254ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=249ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=247ms TTL=46

C:>ping cisco.com
Disparando cisco.com [72.163.4.185] com 32 bytes de dados:
Resposta de 72.163.4.185: bytes=32 tempo=162ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=160ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=160ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=165ms TTL=233

DFlexy avatar Aug 15 '22 12:08 DFlexy

@klutchell

Good morning. I have a question: the closest root server to me is ICANN's. Can I somehow prioritize it so that it uses this one first?

l.root-servers.net | 199.7.83.42, 2001:500:9f::42 | ICANN

root@Rasphouse:/home/pi# ping 199.7.83.42
PING 199.7.83.42 (199.7.83.42) 56(84) bytes of data.
64 bytes from 199.7.83.42: icmp_seq=1 ttl=61 time=14.3 ms
64 bytes from 199.7.83.42: icmp_seq=2 ttl=61 time=12.8 ms
64 bytes from 199.7.83.42: icmp_seq=3 ttl=61 time=8.56 ms
64 bytes from 199.7.83.42: icmp_seq=4 ttl=61 time=10.6 ms
64 bytes from 199.7.83.42: icmp_seq=5 ttl=61 time=12.9 ms

DFlexy avatar Aug 16 '22 14:08 DFlexy

@DFlexy You could try blocking queries to the other root servers so it is forced to use ICANN, like they've done in this post: https://discourse.pi-hole.net/t/is-there-a-way-to-avoid-russian-root-servers-using-unbound/54033/6

However I'm not confident that will actually speed up your queries since it should be loaded into cache at startup.

klutchell avatar Aug 20 '22 15:08 klutchell

@DFlexy is this still an issue for you? Can it be closed?

klutchell avatar Sep 17 '23 15:09 klutchell