Date:      Fri, 12 Aug 2022 11:07:38 -0700
From:      jin guojun <jguojun@gmail.com>
To:        Bahagia BAG <csf.server.bag@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: Heavy duty unbound
Message-ID:  <CAE6yT5tJDJycE0Z5RkOzyf8XyiQ5PP=2XGqn0XYt6b8=AQSyhw@mail.gmail.com>
In-Reply-To: <CAM6iT5TGuSq2QPsHv=uQzq=%2BGVofYFUtw0UpsLiH6q4tpYdUNw@mail.gmail.com>
References:  <CAM6iT5SRubV-vcHPANz-2fmzSTCbZeXeywOG=VnvF7BhyF5WxA@mail.gmail.com> <CAE6yT5uwVc=NEvKdU6ZabF2pZjy49RPahRCuc_1PytdaU6%2BtdQ@mail.gmail.com> <CAM6iT5TGuSq2QPsHv=uQzq=%2BGVofYFUtw0UpsLiH6q4tpYdUNw@mail.gmail.com>


Hi Baha,

From your original message, it sounds like the issue is only from the local
network.
If everything works well from the rest of the world, then AS should be set
correctly in BGP configuration.
Configuring AS can be different in different brands of router. AS
configuration commands for Cisco are below for your reference. For other
routers, please read their configuration manuals.

Here are some things to check to diagnose the problem:
Are only some hosts having the issue, or does every host in the same network
have the issue?
   If everyone has the problem, you need to sniff the traffic to see what
the issue is.
   If only some hosts have the problem, then the issue is likely in the
host configuration, but it can be a combination of configurations in both
router and host. For example, when both IPv4 and IPv6 were enabled, the
SMP service was not working properly on some Linux hosts, but there was no
problem for BSD hosts and other Linux hosts. The traffic sometimes goes to
the V4 address and sometimes flows to the V6 address. Since I am not a Linux
guy, I have to disable IPv6 on those machines.

If an HTTP server is running on the same host that DNS is running on, can
local machines access the HTTP service by either IP or host name?
   If using the IP works, but using the hostname is sluggish, then the issue
is more in name resolution; otherwise, the issue is more likely in the
routing path.

Generally, sniffing the traffic should help to see the problem.

-Jin

enable
configure terminal
router bgp autonomous-system-number
neighbor ip-address remote-as autonomous-system-number
   Repeat neighbor command to define other BGP neighbors, as needed.
address-family ipv4 [unicast | multicast | vrf vrf-name ]
neighbor ip-address activate
    Repeat neighbor command to activate other BGP neighbors, as needed.
network network-number [mask network-mask ] [route-map route-map-name ]
end
show ip bgp [network ] [network-mask ]
show ip bgp summary

On Tue, Aug 9, 2022 at 10:18 PM Bahagia BAG <csf.server.bag@gmail.com>
wrote:

> Hello Jin
>
> Thanks for your reply. Can you show me where I can learn how to set up with
> ASN, since this server is for an ISP and has an ASN?
>
> Best Regards
>
> Baha Gia
>
> On Tue, Aug 9, 2022 at 6:37 AM jin guojun <jguojun@gmail.com> wrote:
>
>> This could be related to your network topology.
>>
>> If you have a real gateway with AS # (ASN) set properly, you should not
>> see this problem.
>>
>> If you have a home router that serves your NAT, and your gateway is an
>> ISP port, and this port IP is mapped to your service IP (DNS, HTTP, etc)
>> via NAT, then any of your local network traffic to use your services tied
>> to this IP may experience the problem you had.
>> This depends on what kind of internal router is behind the ISP modem.
>> If you have an all-in-one Modem/Router, you are likely to see the problem.
>> Some routers may even prevent such traffic flow. This is because of the
>> All-in-one internal traffic rerouting.
>> If you have a separate Modem and Router, you can sniff the traffic
>> between the router and the modem, the traffic between the client and the
>> router, as well as between the router and the server, then you may find
>> some redirecting traffic issues, which cause CPU usage due to massive
>> packet dropping and resending.
>>
>> -Jin
>>
>> On Mon, Aug 8, 2022 at 3:21 PM Bahagia BAG <csf.server.bag@gmail.com>
>> wrote:
>>
>>> Hello All,
>>>
>>> I have unbound set up as a DNS cache server.
>>> The problem is that if I give DNS query traffic from my network, the
>>> server is very laggy,
>>> and if I run top, unbound is at 166.43%.
>>> Sometimes I can't ssh login to the server.
>>> I received an error log like this:
>>>
>>> Limiting icmp unreach response from 203 to 193 packets/sec
>>> Limiting icmp unreach response from 222 to 197 packets/sec
>>> Limiting icmp unreach response from 228 to 194 packets/sec
>>>
>>> How can I tweak and optimize this server?
>>>
>>> Thanks in advance
>>>
>>> Baha Gia
>>>
>>>



