Hi,
We want to migrate our BIND servers to Unbound.
We just installed a single VM for testing purposes. Both Unbound and BIND are installed as DNS resolvers (Internet by default and local authorities).
A single server is using this DNS resolver and everything works fine. Now, to have a valuable performance test, we chose to produce a Web stats report with awstats from a huge Nginx log file (thousands of IP addresses to resolve).
When Unbound is started, the stats take 5 times longer to produce than with BIND. Is it normal?
Second point, a firewall is installed on the VM and only with Unbound I notice some rejects on the firewall, as follows:
TESTDNS kernel: [541975.554683] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=8206 PROTO=UDP SPT=53 DPT=4
It's like some hazardous packets are not kept in the conntrack table!
Thanks for your help.
Here is our Unbound configuration file:
server:
    # The following lines configure unbound to perform cryptographic
    # DNSSEC validation using the DLV trust anchor.
    dlv-anchor-file: "dlv.isc.org.key"
    val-permissive-mode: yes
    interface: 0.0.0.0
    interface-automatic: yes
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    pidfile: "/var/run/unbound.pid"
    # Access list
    access-control: 192.168.100.0/24 allow
    chroot: "/etc/unbound"
    root-hints: "/etc/unbound/db.root"
    # Log
    verbosity: 1
    val-log-level: 2
    use-syslog: no
    logfile: "/var/log/unbound.log"
    # Stats for munin
    statistics-cumulative: no
    extended-statistics: yes
    statistics-interval: 0
    hide-identity: yes
    hide-version: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    use-caps-for-id: yes
    do-not-query-localhost: no
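To see whether the firewall rejects are all DNS replies leaving port 53 (as in the line quoted above) or a mix of traffic, the rejected kernel log lines can be parsed and grouped by chain, protocol and port. This is an added example, not part of the original post; the log lines inside it are constructed in the same netfilter format as the one quoted, with made-up hosts and ports, and it assumes the log prefix contains the word REJECT.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter log format quoted above
# (addresses, ports and counters are made up for this example).
SAMPLE_LOG = """\
TESTDNS kernel: [541975.554683] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=8206 PROTO=UDP SPT=53 DPT=40123
TESTDNS kernel: [541975.601120] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=8207 PROTO=UDP SPT=53 DPT=40124
TESTDNS kernel: [541976.002331] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.168.100.79 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8301 PROTO=TCP SPT=53 DPT=40125
TESTDNS kernel: [541977.118004] OUTPUT DFLT REJECT IN= OUT=eth0 SRC=192.168.100.177 DST=192.0.2.53 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=8402 PROTO=UDP SPT=51234 DPT=53
TESTDNS kernel: [541977.200000] INPUT DFLT REJECT IN=eth0 OUT= SRC=192.168.100.79 DST=192.168.100.177 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=12 PROTO=UDP SPT=40126 DPT=53
"""

# "kernel: [<uptime>] <chain> <prefix...> KEY=VALUE ..."; the chain name is the
# first token after the timestamp in the iptables LOG prefix used above.
LINE_RE = re.compile(r"kernel: \[\s*(?P<ts>[\d.]+)\] (?P<chain>\S+) (?P<rest>.*)")

def parse_line(line):
    """Return the netfilter KEY=VALUE fields of one kernel log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "chain": m.group("chain")}
    rec.update(re.findall(r"(\w+)=(\S*)", m.group("rest")))  # IN= gives ""
    return rec

def classify(rec):
    """Label a rejected packet from the resolver host's point of view."""
    if rec.get("PROTO") not in ("UDP", "TCP"):
        return "other"
    if rec["chain"] == "OUTPUT" and rec.get("SPT") == "53":
        return "dns-reply-to-client"   # resolver answering a client
    if rec["chain"] == "OUTPUT" and rec.get("DPT") == "53":
        return "dns-query-upstream"    # resolver querying an upstream server
    if rec["chain"] == "INPUT" and rec.get("DPT") == "53":
        return "dns-query-from-client"
    return "non-dns"

def summarize(log_text):
    """Count REJECT lines by (label, protocol) so the pattern is visible."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "REJECT" in line:
            counts[(classify(rec), rec["PROTO"])] += 1
    return counts

if __name__ == "__main__":
    for (label, proto), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {proto}  {label}")
```

Run it against the real `journalctl -k` or `/var/log/kern.log` output instead of SAMPLE_LOG; a count dominated by "dns-reply-to-client" means the OUTPUT chain is dropping the resolver's own answers.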