From nobody Mon Aug  8 22:21:14 2022
X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M1rJp5CR6z4YLq1
	for <freebsd-questions@mlmmj.nyi.freebsd.org>; Mon,  8 Aug 2022 22:21:30 +0000 (UTC)
	(envelope-from csf.server.bag@gmail.com)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4M1rJn73LVz45cT
	for <freebsd-questions@freebsd.org>; Mon,  8 Aug 2022 22:21:29 +0000 (UTC)
	(envelope-from csf.server.bag@gmail.com)
Received: by mail-yb1-xb2b.google.com with SMTP id 204so15835223yba.1
        for <freebsd-questions@freebsd.org>; Mon, 08 Aug 2022 15:21:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:from:date:message-id:subject:to;
        bh=/OsGq4NmbFOS+/dsMjJePlNi9Td1VRlFgUj/TLBRFIo=;
        b=T7d3bY8VKskpF1n82YXss0rSDkFiq2zqZR+3etYgthbKmDTo6fNhnpg+f1GU3i9ZWP
         b7v9wtLmr3z4GiMUZ5LhRqv6+Opduu5btbhNzd82keqWt94vUo+I27lgBA4TktvK5nws
         vpcReGtVAL+Pzm/Vl3CxWv6DhB/Bpo+CyIoMq9i+v6gf0d30xySG2VubwrdrxpQRAUzP
         xENU8RJPbqpgcYp7wYyIsMvv5rycGZvJFJ8WrhBJjuosvYw7B74/5kToiKKGAq653bGe
         UGtsUKVtvhwggdTwbpk2yj0+Q6h47VXYk0nKJVls/h60cKjUFDHyHLqM7NGKlrJNHUky
         sMRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=/OsGq4NmbFOS+/dsMjJePlNi9Td1VRlFgUj/TLBRFIo=;
        b=VAgYtuURFE1ikQXJzF3Xv1ksk+JSTepwewUZuaR7S+wz19+QluaHBRCbyg/mSnhtLx
         lO8ilb8SDyAqO94b5hlg5F5cFTLC7rBZBpn1QfL0/82ycIKJ+cHRMKgQJaMvS8Po0pbt
         xye64MdnUNDHEnYIx9K2smQh+yt9BrPwqGCOf9qBEgNER/NoNSkVl8owvWlUIOjLTKWM
         98i3aSEG/YTwvVUpECCVhwxeCFdkUuCjGgWFD3AqdfB1U+/krB1xZ7LzbldJT4qmT0Iu
         96U3Xp3yqU4dtjEyEM7+knlljgrnIFwsAbVZipXnVWJp0m4x5FOHGQ/oaJmutb+MKAsh
         2FIQ==
X-Gm-Message-State: ACgBeo1Lrmkl4OeItDvLzXO2nMMlUo2fintpoNMNLasFCcq31b2U8fU5
	vUhNpYc/rHjD/HJ67sCFW8CMTNFPKT5DgpMfMPZTLqVGLPo=
X-Google-Smtp-Source: AA6agR4RGmFBjzrR7IgoN/QQljR7bXke7kLTV6A/dpwj8aJ3hUZk69xS54gOSPCudqGLdsQo0889VKonuGOfMHeABKE=
X-Received: by 2002:a25:9c87:0:b0:671:82fd:9106 with SMTP id
 y7-20020a259c87000000b0067182fd9106mr17835117ybo.546.1659997289073; Mon, 08
 Aug 2022 15:21:29 -0700 (PDT)
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
List-Help: <mailto:questions+help@freebsd.org>
List-Post: <mailto:questions@freebsd.org>
List-Subscribe: <mailto:questions+subscribe@freebsd.org>
List-Unsubscribe: <mailto:questions+unsubscribe@freebsd.org>
Sender: owner-freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
MIME-Version: 1.0
From: Bahagia BAG <csf.server.bag@gmail.com>
Date: Tue, 9 Aug 2022 05:21:14 +0700
Message-ID: <CAM6iT5SRubV-vcHPANz-2fmzSTCbZeXeywOG=VnvF7BhyF5WxA@mail.gmail.com>
Subject: Heavy duty unbound
To: freebsd-questions@freebsd.org
Content-Type: multipart/alternative; boundary="000000000000be508205e5c23c13"
X-Rspamd-Queue-Id: 4M1rJn73LVz45cT
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=T7d3bY8V;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (mx1.freebsd.org: domain of csf.server.bag@gmail.com designates 2607:f8b0:4864:20::b2b as permitted sender) smtp.mailfrom=csf.server.bag@gmail.com
X-Spamd-Result: default: False [-0.21 / 15.00];
	URI_COUNT_ODD(1.00)[7];
	HTTP_TO_IP(1.00)[];
	NEURAL_HAM_SHORT(-1.00)[-0.995];
	NEURAL_HAM_LONG(-0.89)[-0.893];
	NEURAL_SPAM_MEDIUM(0.68)[0.683];
	DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
	R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112];
	R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	FROM_HAS_DN(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org];
	RCPT_COUNT_ONE(0.00)[1];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::b2b:from];
	ARC_NA(0.00)[];
	TAGGED_FROM(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	DKIM_TRACE(0.00)[gmail.com:+];
	TO_DN_NONE(0.00)[];
	FREEMAIL_FROM(0.00)[gmail.com];
	DWL_DNSWL_NONE(0.00)[gmail.com:dkim];
	FROM_EQ_ENVFROM(0.00)[];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	RCVD_TLS_LAST(0.00)[];
	ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	RCVD_COUNT_TWO(0.00)[2]
X-ThisMailContainsUnwantedMimeParts: N

--000000000000be508205e5c23c13
Content-Type: text/plain; charset="UTF-8"

Hello All,

I have unbound setup as a dns cache server
The problem is if I give dns query traffic from my network, the server is
very lagging
and if i run top, unbound  is 166.43%
sometimes I can't ssh login to the server
I received an error log like this

Limiting icmp unreach response from 203 to 193 packets/sec
Limiting icmp unreach response from 222 to 197 packets/sec
Limiting icmp unreach response from 228 to 194 packets/sec

How can I tweak and optimize this server?

Thanks in advance

Baha Gia
======================================================================
22 processes:  2 running, 20 sleeping
CPU: 25.4% user,  0.0% nice, 31.6% system,  0.0% interrupt, 43.0% idle
Mem: 341M Active, 9786M Inact, 80M Laundry, 1581M Wired, 936M Buf, 4382M
Free
Swap: 4095M Total, 4095M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU
COMMAND
 3363 unbound       8  31    0   784M   408M kqread   3 102.7H 166.43%
unbound
  183 root          3  20    0    32M    13M select   3   4:49   0.11%
vmtoolsd
======================================================================
OS: FreeBSD amd64
Version: 12.3-STABLE

more /usr/local/etc/unbound/unbound.conf
server:
        verbosity: 5
        num-threads: 8
        #interface: 127.0.0.1@53
        #interface: 127.0.0.1@443
        interface: 172.28.16.66@53
        interface: 172.28.16.66@443
        interface: 203.80.158.64@53
        interface: 203.80.158.64@443
        port: 53
        outgoing-num-tcp: 100
        incoming-num-tcp: 100
        outgoing-range: 7250
        so-rcvbuf: 8m
        so-sndbuf: 8m
        so-reuseport: no
        max-udp-size: 4096
        stream-wait-size: 6m
        msg-buffer-size: 65552
        msg-cache-size: 100m
        msg-cache-slabs: 8
logfile: /var/log/unbound.log
log-queries: yes
log-servfail: yes
val-log-level: 2
verbosity: 1
log-time-ascii: yes
use-syslog: no
        num-queries-per-thread: 1024
        rrset-cache-size: 100m
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
access-control: 203.27.165.32/27 allow
access-control: 203.44.75.128/25 allow
access-control: 203.41.147.0/24 allow
access-control: 203.44.127.128/25 allow
access-control: 203.44.70.128/25 allow
access-control: 203.89.107.0/25 allow
access-control: 203.90.146.0/24 allow
access-control: 260.102.140.163/24 allow #testing
access-control: 102.262.113.140/29 allow #testing
        chroot: "/usr/local/etc/unbound"
        username: "unbound"
        directory: "/usr/local/etc/unbound"
        pidfile: "/usr/local/etc/unbound/unbound.pid"
        root-hints: "/usr/local/etc/unbound/named.cache"
        hide-identity: yes
        hide-version: yes
remote-control:
control-enable: yes
control-use-cert: no
forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 1.1.1.1

=====================================================================
sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
hw.machine: amd64
hw.model: Intel(R) Xeon(R) CPU E5-2620 v2 @ 2.10GHz
hw.ncpu: 6
hw.machine_arch: amd64


grep memory /var/run/dmesg.boot
real memory  = 17179869184 (16384 MB)
avail memory = 16628293632 (15857 MB)
======================================================================

--000000000000be508205e5c23c13
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hello All,</div><div><br></div>I have unbound setup a=
s a dns cache server <br>The problem is if I give dns query traffic from my=
 network, the server is very lagging<br>and if i run top, unbound=C2=A0 is =
166.43%<br>sometimes I can&#39;t ssh login to the server<br>I received an e=
rror log like this<div><br>Limiting icmp unreach response from 203 to 193 p=
ackets/sec<br>Limiting icmp unreach response from 222 to 197 packets/sec<br=
>Limiting icmp unreach response from 228 to 194 packets/sec<br><br>How can =
I tweak and optimize this server?<br><br><div>Thanks in advance<div>=C2=A0<=
/div><div>Baha Gia<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D<br>22 processes: =C2=A02 running, 20 sleeping<br>CPU: 25.4% user,=
 =C2=A00.0% nice, 31.6% system, =C2=A00.0% interrupt, 43.0% idle<br>Mem: 34=
1M Active, 9786M Inact, 80M Laundry, 1581M Wired, 936M Buf, 4382M Free<br>S=
wap: 4095M Total, 4095M Free<br><br>=C2=A0 PID USERNAME =C2=A0 =C2=A0THR PR=
I NICE =C2=A0 SIZE =C2=A0 =C2=A0RES STATE =C2=A0 =C2=A0C =C2=A0 TIME =C2=A0=
 =C2=A0WCPU COMMAND<br>=C2=A03363 unbound =C2=A0 =C2=A0 =C2=A0 8 =C2=A031 =
=C2=A0 =C2=A00 =C2=A0 784M =C2=A0 408M kqread =C2=A0 3 102.7H 166.43% unbou=
nd<br>=C2=A0 183 root =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A03 =C2=A020 =C2=A0 =
=C2=A00 =C2=A0 =C2=A032M =C2=A0 =C2=A013M select =C2=A0 3 =C2=A0 4:49 =C2=
=A0 0.11% vmtoolsd<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D<br>OS: FreeBSD amd64<br>Version: 12.3-STABLE<br><br>more /usr/loc=
al/etc/unbound/unbound.conf<br>server:<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 verbo=
sity: 5<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 num-threads: 8<br>=C2=A0 =C2=A0 =C2=
=A0 =C2=A0 #interface: 127.0.0.1@53<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 #interfa=
ce: 127.0.0.1@443<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 interface: 172.28.16.66@53=
<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 interface: 172.28.16.66@443<br>=C2=A0 =C2=
=A0 =C2=A0 =C2=A0 interface: 203.80.158.64@53<br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 interface: 203.80.158.64@443<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 port: 53<br=
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 outgoing-num-tcp: 100<br>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 incoming-num-tcp: 100<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 outgoing-range:=
 7250<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 so-rcvbuf: 8m<br>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 so-sndbuf: 8m<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 so-reuseport: no<br>=C2=
=A0 =C2=A0 =C2=A0 =C2=A0 max-udp-size: 4096<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =
stream-wait-size: 6m<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 msg-buffer-size: 65552<=
br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 msg-cache-size: 100m<br>=C2=A0 =C2=A0 =C2=A0=
 =C2=A0 msg-cache-slabs: 8<br>logfile: /var/log/unbound.log<br>log-queries:=
 yes<br>log-servfail: yes<br>val-log-level: 2<br>verbosity: 1<br>log-time-a=
scii: yes<br>use-syslog: no<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 num-queries-per-=
thread: 1024<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 rrset-cache-size: 100m<br>=C2=
=A0 =C2=A0 =C2=A0 =C2=A0 rrset-cache-slabs: 8<br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 infra-cache-slabs: 8<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 do-ip4: yes<br>=C2=
=A0 =C2=A0 =C2=A0 =C2=A0 do-ip6: yes<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 do-udp:=
 yes<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 do-tcp: yes<br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 do-daemonize: yes<br>access-control: <a href=3D"http://203.27.165.32/27=
">203.27.165.32/27</a> allow <br>access-control: <a href=3D"http://203.44.7=
5.128/25">203.44.75.128/25</a> allow <br>access-control: <a href=3D"http://=
203.41.147.0/24">203.41.147.0/24</a> allow =C2=A0 =C2=A0<br>access-control:=
 <a href=3D"http://203.44.127.128/25">203.44.127.128/25</a> allow <br>acces=
s-control: <a href=3D"http://203.44.70.128/25">203.44.70.128/25</a> allow <=
br>access-control: <a href=3D"http://203.89.107.0/25">203.89.107.0/25</a> a=
llow =C2=A0 <br>access-control: <a href=3D"http://203.90.146.0/24">203.90.1=
46.0/24</a> allow =C2=A0 =C2=A0<br>access-control: 260.102.140.163/24 allow=
 #testing<br>access-control: 102.262.113.140/29 allow #testing<br>=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 chroot: &quot;/usr/local/etc/unbound&quot;<br>=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 username: &quot;unbound&quot;<br>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 directory: &quot;/usr/local/etc/unbound&quot;<br>=C2=A0 =C2=A0 =C2=
=A0 =C2=A0 pidfile: &quot;/usr/local/etc/unbound/unbound.pid&quot;<br>=C2=
=A0 =C2=A0 =C2=A0 =C2=A0 root-hints: &quot;/usr/local/etc/unbound/named.cac=
he&quot;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 hide-identity: yes<br>=C2=A0 =C2=A0=
 =C2=A0 =C2=A0 hide-version: yes<br>remote-control:<br>control-enable: yes<=
br>control-use-cert: no<br>forward-zone:<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 nam=
e: &quot;.&quot;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 forward-addr: 8.8.8.8<br>=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 forward-addr: 1.1.1.1<br><br>=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>sysctl -a | egrep -i &#39;hw.mac=
hine|hw.model|hw.ncpu&#39;<br>hw.machine: amd64<br>hw.model: Intel(R) Xeon(=
R) CPU E5-2620 v2 @ 2.10GHz<br>hw.ncpu: 6<br>hw.machine_arch: amd64<br><br>=
<br>grep memory /var/run/dmesg.boot<br>real memory =C2=A0=3D 17179869184 (1=
6384 MB)<br>avail memory =3D 16628293632 (15857 MB)<br>=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br></div></div></div></div>

--000000000000be508205e5c23c13--