I will try to help myself & others. The "iterator validator" option will not work/validate.
Below config file gave me better result (on Windows XP), you may try this out and suit to your need: - - - - - - - - - - - - - - - - # BEGIN of service.conf / unbound.conf file # Last Modified 2012-08-31 01:30 # Copyright (C) 2012 Bry8Star. (bry8 star a.t ya hoo d.o.t c om) server: verbosity: 1 # logs errors & operational info #verbosity: 0 # logs errors statistics-interval: 0 statistics-cumulative: "no" extended-statistics: "no" num-threads: 1 interface: 127.0.0.1 interface: 192.168.0.10 # My Network Adapter's IP adrs interface: ::1 interface-automatic: "no" port: 53 outgoing-interface: 192.168.0.10 outgoing-range: 950 outgoing-port-permit: 52000-56096 outgoing-port-avoid: "22,25,26,37,53,54,55,67,68,69,80,110,123,135,137,138,139,143,443,445,465,500,587,843,990,912,993,995,1025,1863,1935,2082,2083,2096,2400,4242,4400,4421,4444,4445,4480,4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,8080,8110,8118,8120,8123,8125,8143,8210,8225,8243,8998,9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,9057,9058,9059,9060,9080,10000,15000,15001,15002,15003,15004,16001,16999,20000,20001,25000,26999,30600,31000,32000,36999,50300" outgoing-num-tcp: 25 incoming-num-tcp: 25 so-rcvbuf: 8m so-sndbuf: 8m edns-buffer-size: 4096 msg-buffer-size: 65552 msg-cache-size: 48m msg-cache-slabs: 1 num-queries-per-thread: 475 jostle-timeout: 200 rrset-cache-size: 96m rrset-cache-slabs: 1 cache-min-ttl: 0 cache-max-ttl: 21600 # 6 hours infra-host-ttl: 900 infra-cache-slabs: 1 infra-cache-numhosts: 10000 do-ip4: "yes" do-ip6: "no" # for now do-udp: "yes" do-tcp: "yes" tcp-upstream: "no" do-daemonize: "yes" access-control: 0.0.0.0/0 refuse access-control: ::0/0 refuse access-control: 127.0.0.0/8 allow access-control: 192.168.0.10/24 allow access-control: ::1 allow logfile: "C:\Program Files\Unbound\unbound.log" use-syslog: "no" log-time-ascii: "yes" log-queries: "no" root-hints: "C:\Program Files\Unbound\named.cache" hide-identity: "yes" hide-version: "yes" identity: "DNS" version: "1.0.0" target-fetch-policy: "0 0 0 0 0 0" harden-short-bufsize: "no" harden-large-queries: "no" harden-glue: "yes" harden-dnssec-stripped: "yes" harden-below-nxdomain: "no" harden-referral-path: "no" use-caps-for-id: "no" unwanted-reply-threshold: 8000 prefetch: "yes" prefetch-key: "yes" rrset-roundrobin: "yes" minimal-responses: "no" module-config: "validator iterator" dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key" # Downloaded from http://ftp.isc.org/www/dlv/dlv.isc.org.key # DLV, DNS Lookaside Validation, for the root auto-trust-anchor-file: "C:\Program Files\Unbound\root.key" #domain-insecure: "TLD" # TLDs from various TLD providers val-bogus-ttl: 60 val-sig-skew-max: 86400 val-clean-additional: "yes" val-permissive-mode: "no" ignore-cd-flag: "yes" val-log-level: 1 # log validation failed queries #val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" key-cache-size: 48m key-cache-slabs: 1 neg-cache-size: 36m # Blocking below TLDs, can also be used to block sites local-zone: "onion." refuse # disallow to go via public route local-zone: "i2p." refuse # suppose to go via proxy route remote-control: control-enable: "no" # stub-zones SZ, for TLDs from other TLD providers (root opr) # Forward zones FZ, if used hostname/namesrvr in stub-zones # Default Forward Root Zone: #forward-zone: #name: "." # You may use your ISP dns, for bit faster results. #forward-addr: i.p.adrs.1 # ISP DNS / Recursive/Caching #forward-addr: i.p.adrs.2 # ISP DNS / Recursive/Caching # Or use other root caching or recursive dns servers. # END of service.conf / unbound.conf file - - - - - - - - - - - - - - - - I express thanks to various users from various IRC channels who has helped with various suggestions. If you have better performing config file, then please share, thanks in advance. And use this below technique to run the 'Unbound DNS Validator' with "Below Normal" Priority, so it does not affect other processes, it is temporary fix. (1) Start Windows Task Manager like this: ntsd -c qd taskmgr.exe (2) goto "Processes" tab > select "Show Processes from All Users". (3) find 'Unbound.exe" in the process list. Right click on it > Set Priority > select "BelowNormal". Ok. (4) close Task manager. There are script/batch file as well to do automatically like above when windows starts up. Dont know of a registry hack to do that. If any1 knows, then please share. -- Bry8Star. On 8/29/2012 8:08 PM, Bry8 Star wrote: > I'm using 'Unbound' v1.4.18 on Windows XP SP3 4GB RAM 32bit Dual Core > AMD CPU. Unbound is configured with "validator iterator" mode. > "target-fetch-policy" is currently "2 1 0 0 0 0". DLV option is enabled. > It stops responding periodically in my side as well :-( > I installed windows process monitoring tools like, Process Hacker, > Process Explorer, etc and also have firewall able to show, warn, block > any active network connections. Nothing is blocked for unbound in > firewall, only set to show messages/info on what unbound is doing. > Firewall is also set to show message/info what app is trying to > communicate (send DNS query) with local resolver (the unbound). > When user like me tries to do a ping or do a nslookup or do a DiG on an > internet host, or when a web-browser or any other internet service > client app tries to send DNS query via unbound (working on 127.0.0.1 udp > port 53), then at first attempt, unbound internally does its query very > slowly (or sometime does not work), then query sender app shows server > could not be reached or servfail, etc error/result. 'Unbound' starts to > use around 98% or more cpu resources at that point. So other apps, mouse > becomes non or less responsive. After about 1 min or 2 mins, cpu usage > goes down to normal level. And then, if 2nd attempt is done on the same > internet site or host, then 'unbound' usually sends the answer back very > quickly and can reach sites. > If a different fetch policy is used then how will it affect? We need a > better fetch policy. Even when i specified it to use 1 Thread, it > sometime uses even 3 or 4 threads. If "iterator validator" is used, then > will it work better ? then what fetch policy will be better ? > -- Bry8Star. > > > > On 8/29/2012 5:40 PM, Will Roberts wrote: >> On 04/06/2011 02:06 AM, W.C.A. Wijngaards wrote: >>> Well it should respond to the unbound-control utility. If it does not >>> this means it is somehow no longer processing the main loop, or that >>> network traffic does not reach it. >> >> To add some resolution to this issue, this is clearly not unbound's >> fault. When this situation is triggered I cannot locally ping any of the >> IPv4 addresses on the machine, so clearly the communication to unbound >> as a DNS lookup or via unbound-control are going to fail. I'm at a loss >> as to explain why this happens :) >> >> Regards, >> --Will >> _______________________________________________ >> Unbound-users mailing list >> [email protected] >> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users > _______________________________________________ > Unbound-users mailing list > [email protected] > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
