unbound_request_list_dropped.md 2.3 KB
Understand the alert
The unbound_request_list_dropped alert indicates that the Unbound DNS resolver is dropping new incoming requests because its request queue is full. This situation may be caused by a high volume of DNS queries, possibly from a Denial of Service (DoS) attack or poor server optimization.
Troubleshoot the alert
Check the request queue length: Inspect the Unbound configuration file (usually located at
/etc/unbound/unbound.conf) and check thenum-queries-per-threadsetting. If the value is too low for your system, you may encounter issues with dropped requests.Increase the queue length: If necessary, increase the
num-queries-per-threadvalue in the Unbound configuration file. For example, if the current value is 1024, you can try setting it to a higher value, such as 2048 or 4096. Save the changes and restart the Unbound service:sudo systemctl restart unboundMonitor dropped requests: Use the
unbound-controlcommand to monitor the number of dropped requests in real-time:sudo unbound-control stats_noreset | grep num.requestlist.dropped
If you see the dropped requests decreasing, your changes to the num-queries-per-thread value may have resolved the issue.
Inspect server logs: Check the Unbound log file (usually located at
/var/log/unbound.log) for any suspicious activity or error messages that may indicate the cause of the increased DNS queries.Check for potential DoS attacks: Use tools like
iftop,nload, ornethogsto monitor network traffic and identify any potential DoS attacks or unusual traffic patterns.
If you believe your server is experiencing a DoS attack:
- Investigate the source IP addresses of the high-volume traffic
- Block malicious traffic using firewall tools like
iptablesorufw - Contact your hosting provider, ISP, or network administrator for assistance
- Optimize Unbound: Review the official Unbound documentation and tune the settings in the Unbound configuration file to ensure optimal performance for your specific environment.