From: Bernhard Bitsch <bbitsch@ipfire.org>
To: Michael Tremer <michael.tremer@ipfire.org>
Cc: IPFire Development <development@lists.ipfire.org>
Subject: Re: Feedback about the DNS FW
Date: Thu, 30 Apr 2026 00:19:53 +0200
Message-ID: <6d3f21de-40c8-4f6d-8946-6b6e28e50bc0@ipfire.org>
In-Reply-To: <BA0FF1E8-B735-4954-8BD3-B3CC9C49D8A6@ipfire.org>
Hello Michael,
On 29.04.2026 at 22:09, Michael Tremer wrote:
> Hello Bernhard,
>
>> On 29 Apr 2026, at 18:43, Bernhard Bitsch <bbitsch@ipfire.org> wrote:
>>
>> Hi,
>>
>> after using the new DNS FW ( congrats to this nice feature! ), I found some issues.
>
> Thanks. I believe that the entire feature has received very poor testing. Considering how many people have stated how important it is to them, really critical issues have been reported very late in the release process which indicates that the feature has not been tested, or if people found those bugs, they have not been reported.
>
> I have to say that I am very disappointed about this. But it has nothing to do with your question.
>
>> - Each 'save' in WUI page increases the memory consumption. Even if nothing changed. A restart of unbound frees this huge allocation.
>
> Yes, this is known. It is a problem inside Unbound and there is nothing we can do about it. I did not report it to Unbound, but I am sure they should be made aware.
>
> Unbound in general is using a lot of memory when it is downloading the lists. I have imported the lists into PowerDNS Recursor and it raises its memory consumption by about ~300 MiB when Unbound is going into 1.6-1.7 GiB.
>
After some more investigation of the unbound docs about the operation fast_reload
("This command is experimental at this time.") and some experiments, I
can state that fast_reload doesn't free the copy of the state. This
gives the increase in memory consumption.
The runtime for the 'reload_keep_cache' operation is about the same as
for 'fast_reload' (just my feeling). But the memory load doesn't
increase (measured just with the WUI memory stats).
> For now we are stuck with Unbound, but it has always been giving us a lot of trouble.
>
Does this mean we are switching to PowerDNS? But we should have a stable
system in the meantime. What about going back to the 'reload_keep_cache' operation?
Regards,
Bernhard
>> - Knowing from using Jon's RPZ prototype, I checked whether a single reload (used in DNS FW?) really propagates the changes, new list and/or allow/deny entries. I found cases where this isn't true. An unbound restart yielded the right behaviour.
>>
>>
>> I must apologize for not having tested the release. But I don't have the equipment yet (only one production system).
>>
>> Regards,
>> Bernhard
>>
>
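A small measurement script, added here as an example (it is not from the thread or from IPFire), to check the behaviour Bernhard describes: it records unbound's VmRSS before and after repeated unbound-control reloads so the two reload commands can be compared on the same host. It assumes a running unbound whose control socket is reachable as the invoking user; the function names and the "run" argument are my own.

```shell
#!/bin/sh
# Added example, not IPFire or unbound code: compare resident memory of the
# unbound daemon across repeated "unbound-control <cmd>" calls.
# Assumes unbound is running and unbound-control is configured for it.

# Parse the VmRSS line out of a /proc/<pid>/status dump; prints KiB.
rss_kib_from_status() {
    printf '%s\n' "$1" | awk '/^VmRSS:/ { print $2 }'
}

# Current RSS of the running unbound daemon in KiB (first PID if several).
unbound_rss_kib() {
    pid=$(pidof unbound | awk '{ print $1 }')
    [ -n "$pid" ] || return 1
    rss_kib_from_status "$(cat /proc/"$pid"/status)"
}

# Growth between two KiB readings: after minus before.
growth_kib() {
    echo $(( $2 - $1 ))
}

# Run <cmd> <n> times (default 5) and report how much RSS grew.
# A steadily growing value for fast_reload and a flat one for
# reload_keep_cache is the pattern reported in the thread.
measure_reload() {
    cmd=$1
    n=${2:-5}
    before=$(unbound_rss_kib) || { echo "unbound not running" >&2; return 1; }
    i=0
    while [ "$i" -lt "$n" ]; do
        unbound-control "$cmd" >/dev/null || return 1
        i=$((i + 1))
    done
    after=$(unbound_rss_kib) || return 1
    echo "$cmd x$n: before=${before}KiB after=${after}KiB growth=$(growth_kib "$before" "$after")KiB"
}

# Only touch the resolver when invoked explicitly ("sh measure.sh run"),
# so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "run" ]; then
    measure_reload reload_keep_cache 5
    measure_reload fast_reload 5
fi
```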