klutchell / unbound-docker

unofficial unbound multiarch docker image
BSD 3-Clause "New" or "Revised" License
107 stars 19 forks

Unbound SLOW queries #52

Open DFlexy opened 2 years ago

DFlexy commented 2 years ago

@klutchell, good evening. I've been noticing that unbound is too slow for queries. Can you tell me what it could be? Version (start of service): unbound 1.15.0

(attached image)

klutchell commented 2 years ago

That's much slower than I'm seeing. I'm running on Raspberry Pi 3 and my results are all below 60ms.

What kind of device are you running on? Are you running any other services on that device that may be using resources? Have you tried adjusting the settings in your unbound.conf to see if you can improve performance?

The provided configuration file is the bare minimum to get the container running. Any advanced performance tuning is up to the user and would be different depending on the device being used. Here are some docs that may help you get started.

If you are able to squeeze additional performance out of your setup I would appreciate if you shared your configuration here for other users to reference!

typkrft commented 2 years ago

Just to chime in on performance. I'm using one of the documented configs mostly verbatim, with no issue in a proxmox VM. I've had a couple of hits in the 400ms range; subsequent lookups to the same domain are cached and are listed as 0.0 or 0.1ms.

The docker image mvance/unbound mentions using the host network mode specifically for performance, minding security issues of course. Maybe this would help here as well.

zilexa commented 2 years ago

It's just 6ms for me according to AdGuard Home. It uses Unbound as the only DNS server.

churchofnoise commented 2 years ago

@DFlexy could you share your conf file(s)? I recently noticed that that could strongly influence performance...

DFlexy commented 2 years ago

> @DFlexy could you share your conf file(s)? I recently noticed that that could strongly influence performance...

Hello, sorry for the delay. My configuration follows. Used in bridge mode.

```
docker run -d \
  --name unbound \
  --hostname unbound \
  --network=lan \
  --ip=172.20.0.2 \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  crazymax/unbound:latest
```

Another point you might notice is that I'm using the crazymax image instead of the klutchell image. What I noticed was that the klutchell image takes longer to respond to queries.

And regarding the UNBOUND.CONF configuration file, I don't have any customized ones; I just use the image itself.

churchofnoise commented 2 years ago

Could you check if the problem still exists? (with the klutchell image that is)

DFlexy commented 2 years ago

> Could you check if the problem still exists? (with the klutchell image that is)

Info: I'm in Brazil. Only the default config, no volume for a custom config.

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51700
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 1443 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 14 22:35:16 UTC 2022
;; MSG SIZE  rcvd: 251
root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5125
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

;; Query time: 2383 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 14 22:38:34 UTC 2022
;; MSG SIZE  rcvd: 55
DFlexy commented 2 years ago

Using crazymax

root@Rasphouse:/home/pi# dig sigok.verteiltesysteme.net @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> sigok.verteiltesysteme.net @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27811
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

;; Query time: 695 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Sun Aug 14 19:43:27 -03 2022
;; MSG SIZE  rcvd: 251
root@Rasphouse:/home/pi# dig dyndns.com @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> dyndns.com @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

;; Query time: 371 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Sun Aug 14 19:41:46 -03 2022
;; MSG SIZE  rcvd: 55
DFlexy commented 2 years ago

The tests were run after starting the container to not use any cache

Here the crazy-max default config too: https://github.com/crazy-max/docker-unbound/blob/master/rootfs/etc/unbound/unbound.conf


Here my test configs:

```
docker run -d \
  --name unbound \
  --hostname unbound \
  --network=lan \
  --ip=172.20.0.2 \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  klutchell/unbound:latest
```

```
docker run -d \
  --name=unbound \
  --hostname=unbound \
  --network=lan \
  --ip=172.20.0.2 \
  -v unbound:/config \
  --restart=unless-stopped \
  --cap-add=sys_nice \
  crazymax/unbound:latest
```

klutchell commented 2 years ago

@DFlexy can you try again with the :main tag? You can also try :sha-3ed0699 to be certain. The latest tag hasn't been updated with the performance improvements.

DFlexy commented 2 years ago

Tests done

With MAIN TAG
root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2831
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 731 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:10:41 UTC 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23622
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 671 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:10:48 UTC 2022
;; MSG SIZE  rcvd: 251
With SHA TAG

root@Rasphouse:/home/pi# docker exec unbound dig dyndns.com @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> dyndns.com @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 567 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:11:55 UTC 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# docker exec unbound dig sigok.verteiltesysteme.net @127.0.0.1 +dnssec

; <<>> DiG 9.16.27 <<>> sigok.verteiltesysteme.net @127.0.0.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 431 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 12:11:59 UTC 2022
;; MSG SIZE  rcvd: 251
Again with crazymax/unbound:latest

root@Rasphouse:/home/pi# dig dyndns.com @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> dyndns.com @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             300     IN      A       138.1.125.45

**;; Query time: 387 msec**
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Mon Aug 15 09:13:04 -03 2022
;; MSG SIZE  rcvd: 55

root@Rasphouse:/home/pi# dig sigok.verteiltesysteme.net @172.30.0.254 +dnssec

; <<>> DiG 9.16.27-Debian <<>> sigok.verteiltesysteme.net @172.30.0.254 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38347
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
sigok.verteiltesysteme.net. 60  IN      RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

**;; Query time: 679 msec**
;; SERVER: 172.30.0.254#53(172.30.0.254)
;; WHEN: Mon Aug 15 09:13:08 -03 2022
;; MSG SIZE  rcvd: 251
churchofnoise commented 2 years ago

Those are VERY high numbers, regardless of which image you use... I'd even dare say that both images perform somewhat similarly.

For reference, here's mine using the main tag version of the klutchell image:


dig dyndns.com @172.16.0.3 +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> dyndns.com @172.16.0.3 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dyndns.com.                    IN      A

;; ANSWER SECTION:
dyndns.com.             86400   IN      A       138.1.125.45

;; Query time: 44 msec
;; SERVER: 172.16.0.3#53(172.16.0.3)
;; WHEN: Mon Aug 15 14:20

dig sigok.verteiltesysteme.net @172.16.0.3 +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> sigok.verteiltesysteme.net @172.16.0.3 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54129
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 86399 IN    A       134.91.78.139
sigok.verteiltesysteme.net. 86399 IN    RRSIG   A 5 3 60 20221030020001 20220731020001 30665 verteiltesysteme.net. bfrDMUqZ9pYmDhqBh4Egr0EcGdoOsnEhebAaZGdv0WVEJXbRs8lCcJf7 mwseSdZGD+/Ij8g0OROdaMtsbsXbZjbkd754X3LOqFBgXIoYwxU5vQnS H/cmHD/1xiQ7OApwBpRpYGpCjgrALaFNsef1ZH49g1lIBzWAWKExnmiu kEg=

;; Query time: 88 msec
;; SERVER: 172.16.0.3#53(172.16.0.3)
;; WHEN: Mon Aug 15 14:18:14 CEST 2022
;; MSG SIZE  rcvd: 251
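As an added example (not code from this repository or from anyone in the thread), here is a small Python parser that pulls out of `dig` output the fields everyone above is comparing by eye: the query time, the answer TTL, and the header flags. The sample transcripts are constructed in the shape of the posts above, with made-up names, ids and timings. Besides latency, the `ad` flag is the part worth checking when comparing resolver images: it is set only when the resolver itself validated the DNSSEC chain, and in the transcripts posted above it is present on the `sigok.verteiltesysteme.net` responses from 127.0.0.1 and absent on the ones from 172.30.0.254. The "served from cache" note is a heuristic on a ~0 ms query time, which is what the cached hits in this thread look like.

```python
import re
from dataclasses import dataclass

# Constructed sample transcripts shaped like the dig output posted in this
# thread (example.test, 192.0.2.10 and the timings are made up, not measurements).
SAMPLE_COLD = """\
; <<>> DiG 9.16.27 <<>> example.test @127.0.0.1 +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.           60      IN      A       192.0.2.10
example.test.           60      IN      RRSIG   A 13 2 60 20221030020001 20220731020001 12345 example.test. c29tZQ==

**;; Query time: 671 msec**
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

SAMPLE_WARM = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.           43      IN      A       192.0.2.10
example.test.           43      IN      RRSIG   A 13 2 60 20221030020001 20220731020001 12345 example.test. c29tZQ==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

SAMPLE_NO_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.           60      IN      A       192.0.2.10

;; Query time: 387 msec
;; SERVER: 172.30.0.254#53(172.30.0.254)
"""


@dataclass
class DigResult:
    status: str
    flags: tuple
    query_time_ms: int
    server: str
    answers: list  # (owner, ttl, rrtype, rdata)

    @property
    def validated(self):
        # AD is set only when the answering resolver validated the answer itself.
        return "ad" in self.flags

    @property
    def min_ttl(self):
        return min((ttl for _, ttl, _, _ in self.answers), default=None)


def _field(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError(f"dig output is missing {pattern!r}")
    return m.group(1)


def parse_dig(text):
    """Parse one dig transcript (markdown bold around lines is tolerated)."""
    text = text.replace("**", "")
    status = _field(r"status: ([A-Z]+),", text)
    flags = tuple(_field(r"^;; flags: ([a-z ]*);", text).split())
    query_time = int(_field(r"^;; Query time: (\d+) msec", text))
    server = _field(r"^;; SERVER: (\S+)", text)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break  # blank line ends the section
            owner, ttl, _cls, rrtype, rdata = line.split(None, 4)
            answers.append((owner, int(ttl), rrtype, rdata))
    return DigResult(status, flags, query_time, server, answers)


def diagnose(result, slow_ms=300):
    """Human-readable notes; slow_ms is an arbitrary threshold for this example."""
    notes = []
    if result.status != "NOERROR":
        notes.append(f"status {result.status}")
    if result.query_time_ms <= 1:
        notes.append("served from cache")  # heuristic: no upstream round trip happened
    elif result.query_time_ms >= slow_ms:
        notes.append(f"slow: {result.query_time_ms} ms")
    if not result.validated:
        notes.append("no AD flag: not DNSSEC-validated by this resolver")
    return notes


def compare(labelled):
    """(label, query_time_ms) pairs, fastest first."""
    return sorted(((k, r.query_time_ms) for k, r in labelled.items()), key=lambda p: p[1])


if __name__ == "__main__":
    results = {k: parse_dig(v) for k, v in
               {"cold": SAMPLE_COLD, "warm": SAMPLE_WARM, "no_ad": SAMPLE_NO_AD}.items()}
    for label, r in results.items():
        print(f"{label}: {r.query_time_ms} ms ttl={r.min_ttl} ad={r.validated} {diagnose(r)}")
    print(compare(results))
```

To use it on a live resolver, capture `dig <name> @<resolver> +dnssec` output, run it once right after the container starts and once more immediately after, and feed each transcript to `parse_dig`; restarting the container before the first query, as done in this thread, is the only reliable way to get a cold measurement, since the TTL alone does not tell you whether an answer was served from cache.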
DFlexy commented 2 years ago

I'm in Brazil; my ping to the USA is an average of 160ms.

```
C:\>ping sigok.verteiltesysteme.net

Disparando sigok.verteiltesysteme.net [134.91.78.139] com 32 bytes de dados:
Resposta de 134.91.78.139: bytes=32 tempo=248ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=254ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=249ms TTL=46
Resposta de 134.91.78.139: bytes=32 tempo=247ms TTL=46
```

```
C:\>ping cisco.com

Disparando cisco.com [72.163.4.185] com 32 bytes de dados:
Resposta de 72.163.4.185: bytes=32 tempo=162ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=160ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=160ms TTL=233
Resposta de 72.163.4.185: bytes=32 tempo=165ms TTL=233
```

DFlexy commented 2 years ago

@klutchell

Good morning, I have a question: the closest ROOT server to me is ICANN's. Can I somehow prioritize it so that it uses this one first?

l.root-servers.net | 199.7.83.42, 2001:500:9f::42 | ICANN

```
root@Rasphouse:/home/pi# ping 199.7.83.42
PING 199.7.83.42 (199.7.83.42) 56(84) bytes of data.
64 bytes from 199.7.83.42: icmp_seq=1 ttl=61 time=14.3 ms
64 bytes from 199.7.83.42: icmp_seq=2 ttl=61 time=12.8 ms
64 bytes from 199.7.83.42: icmp_seq=3 ttl=61 time=8.56 ms
64 bytes from 199.7.83.42: icmp_seq=4 ttl=61 time=10.6 ms
64 bytes from 199.7.83.42: icmp_seq=5 ttl=61 time=12.9 ms
```

klutchell commented 2 years ago

@DFlexy You could try blocking queries to the other root servers so it is forced to use ICANN, like they've done in this post: https://discourse.pi-hole.net/t/is-there-a-way-to-avoid-russian-root-servers-using-unbound/54033/6

However I'm not confident that will actually speed up your queries since it should be loaded into cache at startup.

klutchell commented 11 months ago

@DFlexy is this still an issue for you? Can it be closed?