pi-hole/docs

Update guide for Unbound

bigfootvsyeti opened this issue · 6 comments

Hello,
I followed the guide and found a few things that were causing me issues. With a bit of support and some searches I've found some answers, and I would like to see the guide updated so others don't have to struggle.

I was unable to get unbound stats with this command:
sudo unbound-control stats_noreset
The solution was to add this to the unbound config file:

remote-control:
    control-enable: yes

I found unbound extremely slow compared to a couple of other dnscrypt and Cloudflare HTTPS guides, but posts mentioned it took some time to build your cache and it should speed up. Well, after a month and seeing response times ranging from 200 to 1100 ms, I started doing some searches and found this Reddit post:

https://www.reddit.com/r/pihole/comments/d9j1z6/unbound_as_recursive_dns_server_slow_performance/

Quoting Khaare (27 points, 3 months ago):

One thing that guide doesn't tell you is to completely turn off caching in your pi-hole instance, as well as DNSSEC validation (required to completely turn off caching). When you're using unbound you're relying on that for DNSSEC validation and caching, and pi-hole doing those same things are just going to waste time validating DNSSEC twice and confusing unbound's cache by not passing through commonly requested entries. This was the most impactful change I made on my setup.

Setting it up to serve expired entries turned out to be a big time-save as well. Most recursive replies are actually already in the cache, but the TTL has expired. By serving the expired entry and then refreshing the cache entry instead of waiting for the refresh to be completed before replying you retain the cache speedup. An alternative is to set the minimum TTL to something like 3600 seconds, but I found just serving expired entries to work a little better. This didn't really have any impact on the perceived speed, DNS is really fast already, but it did make the tests I ran look nicer.

(I run Arch Linux ARM on my Pi, and I think the location of the configuration files is slightly different from the default Pi-hole locations, so you might find them somewhere else.)

You can turn off DNSSEC in the admin-interface under settings->DNS.

In /etc/dnsmasq.d/01-pihole.conf make sure it contains:

cache-size=0

The file says it shouldn't be modified and to use other configuration files instead, but you're not allowed to duplicate keys so you're forced to either edit or remove the existing entry anyway ¯\_(ツ)_/¯

You could also tune your unbound cache. Here's the relevant part from my /etc/unbound/unbound.conf:

server:
    # These options should be added to the existing server configuration,
    # overwriting existing values if they're there.

    # This refreshes expiring cache entries if they have been accessed with
    # less than 10% of their TTL remaining
    prefetch: yes

    # This attempts to reduce latency by serving the outdated record before
    # updating it instead of the other way around. Alternative is to increase
    # cache-min-ttl to e.g. 3600.
    cache-min-ttl: 0
    serve-expired: yes
    # I had best success leaving this next entry unset.
    # serve-expired-ttl: 3600 # 0 or not set means unlimited (I think)

    # Use about 2x more for rrset cache, total memory use is about 2-2.5x
    # total cache size. Current setting is way overkill for a small network.
    # Judging from my used cache size you can get away with 8/16 and still
    # have lots of room, but I've got the ram and I'm not using it on anything else.
    # Default is 4m/4m
    msg-cache-size: 128m
    rrset-cache-size: 256m

When you're looking at unbound's stats, they only show recursive replies. It doesn't take into account cached replies, which should be the majority of the replies. Their average response time also seems inflated due to a few requests taking much longer than they should, probably due to the connection temporarily failing due to packet loss or something similar, which DNS is fairly prone to. These hiccups are mostly completely unnoticed by humans and programs alike, but they do inflate the stats quite a bit in my experience.

Using unbound in recursive mode it's going to be slower than other DNS servers for entries that aren't cached. It has to do potentially multiple lookups against name servers that could be anywhere in the world, while commercial DNS servers run with giant caches that in all probability already contain the entries you're looking for. However, the cache of your local unbound server shouldn't take long to get up to speed, and even when it's missing some entries now and then it shouldn't be noticeable to users. Cached entries should be served in 1ms at most from an instance running on your local network, which beats any other DNS, and makes unbound faster most of the time, slower every now and then, but you shouldn't notice any difference in day-to-day use anyway.


After adjusting Pi-hole's DNS cache to 0 and adding the above to my config file, it's now blazing fast.
I'm still learning, so I am not 100% sure I did the config file correctly, but it all seems to pass the tests.

Here's my config file

server:
    # These options should be added to the existing server configuration,
    # overwriting existing values if they're there.

    # This refreshes expiring cache entries if they have been accessed with
    # less than 10% of their TTL remaining
    prefetch: yes

    # This attempts to reduce latency by serving the outdated record before
    # updating it instead of the other way around. Alternative is to increase
    # cache-min-ttl to e.g. 3600.
    cache-min-ttl: 0
    serve-expired: yes
    # I had best success leaving this next entry unset.
    # serve-expired-ttl: 3600 # 0 or not set means unlimited (I think)

    # Use about 2x more for rrset cache, total memory use is about 2-2.5x
    # total cache size. Current setting is way overkill for a small network.

    # Judging from my used cache size you can get away with 8/16 and still
    # have lots of room, but I've got the ram and I'm not using it on anything else.
    # Default is 4m/4m
    msg-cache-size: 128m
    rrset-cache-size: 256m


    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried

    # prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unne$
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

# remote-control is its own top-level clause, not a server: option
remote-control:
    control-enable: yes

@DL6ER anything we could take from the above and update the conf in the guide?
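The quoted post makes the point that `unbound-control stats_noreset` only reports recursion time for cache misses, so the raw average overstates what clients see. The script below is an added example for this thread (not code from the Pi-hole guide or from unbound); it parses that output and estimates the client-facing average from the hit ratio. SAMPLE_STATS is constructed, not captured from a real resolver, though the counter names are the ones unbound prints.

```python
"""Summarise `unbound-control stats_noreset` output.

Added example; not part of the Pi-hole guide or of unbound. SAMPLE_STATS
is constructed, not captured from a real resolver; the counter names are
the ones unbound prints. total.recursion.time.avg covers only cache
misses, so the latency most clients see is well below that figure.
"""
from __future__ import annotations

SAMPLE_STATS = """\
thread0.num.queries=8412
thread0.num.cachehits=7530
thread0.num.cachemiss=882
thread0.num.prefetch=214
total.num.queries=8412
total.num.cachehits=7530
total.num.cachemiss=882
total.num.prefetch=214
total.recursion.time.avg=0.412377
total.recursion.time.median=0.087132
time.now=1586000000.000000
time.up=86400.000000
"""


def parse_stats(text: str) -> dict[str, float]:
    """Turn `key=value` lines into a dict; non-numeric values are skipped."""
    stats: dict[str, float] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        try:
            stats[key] = float(value)
        except ValueError:
            pass
    return stats


def summarise(stats: dict[str, float]) -> dict[str, float]:
    """Derive the figures a home user actually cares about."""
    queries = stats.get("total.num.queries", 0.0)
    hits = stats.get("total.num.cachehits", 0.0)
    misses = stats.get("total.num.cachemiss", 0.0)
    avg_ms = stats.get("total.recursion.time.avg", 0.0) * 1000.0
    median_ms = stats.get("total.recursion.time.median", 0.0) * 1000.0
    # Cache hits are answered locally in well under a millisecond; counting
    # them as 0 ms gives a lower bound on the average a client sees.
    client_avg_ms = misses * avg_ms / queries if queries else 0.0
    return {
        "queries": queries,
        "cache_hit_ratio": hits / queries if queries else 0.0,
        "prefetches": stats.get("total.num.prefetch", 0.0),
        "recursion_avg_ms": avg_ms,
        "recursion_median_ms": median_ms,
        # A large avg/median ratio means a few slow lookups dominate the mean.
        "avg_to_median": avg_ms / median_ms if median_ms else 0.0,
        "estimated_client_avg_ms": client_avg_ms,
    }


if __name__ == "__main__":
    # On a live box feed it the real output, e.g.
    # subprocess.run(["sudo", "unbound-control", "stats_noreset"], capture_output=True, text=True).stdout
    for name, value in summarise(parse_stats(SAMPLE_STATS)).items():
        print(f"{name:26s} {value:12.3f}")
```

With the constructed numbers the recursion average is about 412 ms, but with ~90% of queries answered from cache the estimated client average is around 43 ms, and the average is more than four times the median, which is the "few slow requests inflate the stats" effect described above.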

I'm using unbound 1.10.0 on a RPi4 and while playing around with the unbound config I got no noticeable performance difference when using options such as msg-cache-size: 128m or serve-expired: yes. For home usage, the defaults seem to be just fine.

What does seem to make a difference is disabling the dnsmasq cache and DNSSEC in Pi-hole. I don't even understand the need for having another cache if unbound is doing the job, and the guide should explicitly state that DNSSEC should be disabled because otherwise unbound doesn't work.

Also, the following are already default in unbound, they aren't necessary:
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: no

I'm unsure if so-rcvbuf: 1m and edns-buffer-size: 1472 are even necessary. I have no issues with the defaults and don't see anything in the logs, so idk ¯\_(ツ)_/¯

Most guides out there for unbound optimization just seem to be copies of one another, and I cannot determine from my own experience what can be useful or not. Most of those options seem to be something that should only apply to what the "Howto Optimise" guide on nlnetlabs.nl says: "Most users do not have to do this, but it could be useful for large resolver installations".

In the end, I only enable prefetch and prefetch-key in unbound.conf, as well as num-threads, which should be set equal to the number of cores (because why not?). My conf is the following:

server:
    verbosity: 0
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Enable DNSSEC (not needed if unbound is installed by apt)
    auto-trust-anchor-file: "/etc/unbound/root.key"

    prefetch: yes
    prefetch-key: yes
    num-threads: 4

    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

# remote-control is its own top-level clause, not a server: option
remote-control:
    control-enable: yes

I hope someone who knows more can contribute in building the guide.
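Both posts above boil down to a handful of checks on two files: unbound.conf should not repeat single-valued keys or restate defaults, `remote-control:` must have `control-enable: yes` for `unbound-control stats` to work, and Pi-hole's 01-pihole.conf should have `cache-size=0` with DNSSEC off. The linter below is an added example written for this thread, not code from Pi-hole or unbound. Both sample configs are constructed from the settings quoted above; UNBOUND_DEFAULTS is the "already default" list from the previous comment plus a few values from unbound.conf(5), and the `dnssec` check assumes Pi-hole enables validation by writing a bare `dnssec` line into 01-pihole.conf.

```python
"""Lint unbound.conf and Pi-hole's dnsmasq fragment for the points in this thread.

Added example, not code from Pi-hole or unbound. Sample configs are
constructed from the settings quoted in the thread. The `dnssec` check
assumes Pi-hole writes a bare `dnssec` line when validation is enabled.
"""
from __future__ import annotations

from collections import defaultdict

# Values the thread calls "already default" plus a few from unbound.conf(5).
UNBOUND_DEFAULTS = {
    "harden-glue": "yes", "harden-dnssec-stripped": "yes", "use-caps-for-id": "no",
    "prefetch": "no", "cache-min-ttl": "0", "msg-cache-size": "4m",
    "rrset-cache-size": "4m", "num-threads": "1",
    "do-ip4": "yes", "do-udp": "yes", "do-tcp": "yes",
}
# Options unbound allows more than once; a repeat of anything else is suspect.
MULTI_VALUED = {"private-address", "access-control", "include", "local-zone",
                "local-data", "domain-insecure", "interface"}

SAMPLE_UNBOUND = """\
server:
    verbosity: 0
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    prefetch: yes
    num-threads: 1
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    # prefetch: yes
    remote-control:
        control-enable: yes
"""

SAMPLE_DNSMASQ = """\
# constructed 01-pihole.conf excerpt
addn-hosts=/etc/pihole/gravity.list
server=127.0.0.1#5353
cache-size=10000
dnssec
"""


def parse_unbound(text: str) -> dict[str, list[tuple[str, str]]]:
    """Group `key: value` lines by clause. unbound ignores indentation: a clause
    starts wherever a bare `name:` appears, so `remote-control:` indented under
    `server:` still begins its own clause."""
    clauses: dict[str, list[tuple[str, str]]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment anywhere
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if not value:
            current = key
            clauses.setdefault(current, [])
        elif current is not None:
            clauses[current].append((key, value))
    return dict(clauses)


def lint_unbound(text: str) -> list[str]:
    findings, clauses, counts = [], parse_unbound(text), defaultdict(int)
    for key, value in clauses.get("server", []):
        counts[key] += 1
        if UNBOUND_DEFAULTS.get(key) == value.lower():
            findings.append(f"server: '{key}: {value}' is already the default")
    for key, n in counts.items():
        if n > 1 and key not in MULTI_VALUED:
            findings.append(f"server: '{key}' appears {n} times")
    remote = dict(clauses.get("remote-control", []))
    if remote.get("control-enable", "no").lower() != "yes":
        findings.append("remote-control: control-enable is not 'yes'; unbound-control stats will fail")
    return findings


def lint_dnsmasq(text: str) -> list[str]:
    findings, opts = [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # only a leading '#' is a comment
            continue
        key, _, value = line.partition("=")
        opts[key.strip()].append(value.strip())
    cache = opts.get("cache-size")
    if cache is None:
        findings.append("cache-size unset; dnsmasq keeps its own cache in front of unbound")
    elif len(cache) > 1:
        findings.append(f"cache-size given {len(cache)} times; dnsmasq rejects repeated keywords")
    elif cache[0] != "0":
        findings.append(f"cache-size={cache[0]}; set cache-size=0 so only unbound caches")
    if "dnssec" in opts:
        findings.append("dnssec on in dnsmasq; turn DNSSEC off under Settings -> DNS and let unbound validate")
    return findings


if __name__ == "__main__":
    for f in lint_unbound(SAMPLE_UNBOUND) + lint_dnsmasq(SAMPLE_DNSMASQ):
        print(f)
```

Run it against your own files with `lint_unbound(open("/etc/unbound/unbound.conf.d/pi-hole.conf").read())` and `lint_dnsmasq(open("/etc/dnsmasq.d/01-pihole.conf").read())`; `unbound-checkconf` remains the authority on whether unbound will actually load the file.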

This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/no-internet-connection-with-pihole-unbound-wireguard/41554/15

Looks like the official Pi-Hole guide is still not updated with this information. How? This is so important.

DL6ER commented

@thericeking Which part do you consider "so important" ?

It's wrong.