From 03772d10fb6840c517f1fff63180797eef8290ef Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 13 May 2025 15:04:32 +0200 Subject: [PATCH] - Change default for so-sndbuf to 1m, to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report. --- doc/Changelog | 5 +++++ doc/example.conf.in | 2 +- doc/unbound.conf.5.in | 13 ++++++++----- services/listen_dnsport.c | 3 ++- util/config_file.c | 2 +- 5 files changed, 17 insertions(+), 8 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index c44bf4f22..b7bcabb6d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,11 @@ by adding a log_assert() to safeguard future development. - Fix #1282: log-destaddr fail on long ipv6 addresses. +13 May 2025: Wouter + - Change default for so-sndbuf to 1m, to mitigate a cross-layer + issue where the UDP socket send buffers are exhausted waiting + for ARP/NDP resolution. Thanks to Reflyable for the report. + 12 May 2025: Yorgos - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on broken auth zones that include unsigned out of zone (above apex) diff --git a/doc/example.conf.in b/doc/example.conf.in index db54f9739..c2bc6e9d8 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -117,7 +117,7 @@ server: # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). # 0 is system default. Use 4m to handle spikes on very busy servers. - # so-sndbuf: 0 + # so-sndbuf: 1m # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index e963a3e3a..3407b3414 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -355,11 +355,14 @@ If not 0, then set the SO_SNDBUF socket option to get more buffer space on UDP port 53 outgoing queries. This for very busy servers handles spikes in answer traffic, otherwise 'send: resource temporarily unavailable' can get logged, the buffer overrun is also visible by netstat \-su. -Default is 0 (use system value). Specify the number of bytes to ask -for, try "4m" on a very busy server. The OS caps it at a maximum, on -linux Unbound needs root permission to bypass the limit, or the admin -can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar -to so\-rcvbuf. +Default is 1M. If set to 0 it uses the system value. Specify the number +of bytes to ask for, try "4m" on a very busy server. It needs some space +to be able to deal with packets that wait for local address resolution, +from like ARP and NDP discovery, before they are sent out, hence +it is elevated above the system default by default. The OS caps it at +a maximum, on linux Unbound needs root permission to bypass the limit, +or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes +are similar to so\-rcvbuf. .TP .B so\-reuseport: \fI If yes, then open dedicated listening sockets for incoming queries for each diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c index 26efadc15..a3b4d4941 100644 --- a/services/listen_dnsport.c +++ b/services/listen_dnsport.c @@ -473,7 +473,8 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, "Got %u. To fix: start with " "root permissions(linux) or sysctl " "bigger net.core.wmem_max(linux) or " - "kern.ipc.maxsockbuf(bsd) values.", + "kern.ipc.maxsockbuf(bsd) values. or " + "set so-sndbuf: 0 (use system value).", (unsigned)snd, (unsigned)got); } # ifdef SO_SNDBUFFORCE diff --git a/util/config_file.c b/util/config_file.c index f1a26674e..328b62df8 100644 --- a/util/config_file.c +++ b/util/config_file.c 
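Review bot: The added hint `set so-sndbuf: 0 (use system value)` in the create_udp_sock warning tells the operator how to silence the message but not what that costs: with 0 the socket falls back to the system send buffer, which is the condition this patch raises the default to avoid. Because the default is now nonzero (see the util/config_file.c hunk), this warning can presumably appear on unmodified configurations whenever the OS caps the request, so the hint will be read by operators who never set the option themselves. Consider wording that states the trade-off and fixes the `values. or` punctuation, for example `"kern.ipc.maxsockbuf(bsd) values, or "` followed by `"set so-sndbuf: 0 (system value, smaller buffer)."`. The enclosing function starts and ends outside the hunk.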
@@ -210,7 +210,7 @@ config_create(void)
 cfg->if_automatic = 0;
 cfg->if_automatic_ports = NULL;
 cfg->so_rcvbuf = 0;
- cfg->so_sndbuf = 0;
+ cfg->so_sndbuf = 1024*1024;
 cfg->so_reuseport = REUSEPORT_DEFAULT;
 cfg->ip_transparent = 0;
 cfg->ip_freebind = 0;
-- 2.47.2
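Review bot: The new default `cfg->so_sndbuf = 1024*1024;` in config_create is a bare magic number next to `cfg->so_rcvbuf = 0;`, and nothing at the assignment says why only the send side is raised. A short comment would keep a later cleanup from resetting it, for example `/* 1m: leave room for UDP packets queued while ARP/NDP resolution is pending */`. It may also be worth stating there that the OS can cap the request, so the effective buffer may be smaller than this value; the warning path touched in services/listen_dnsport.c is what reports that. config_create's body continues outside the hunk.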