Maintained by: NLnet Labs

[Unbound-users] resolver & performance issues

W.C.A. Wijngaards
Sat Oct 4 11:04:11 CEST 2008


Hi Chris,

I notice that the servers for 2.112.119.209.in-addr.arpa. are
recursion-lame. They are not authoritative, but recursive for that zone.
This is why unbound refuses to accept the answer, and tries other
servers. However, the servers are identical.

The servers are also open recursors.

As for the run time, that could be because you have a freshly started
unbound, with an empty cache.  That means it has to spend time to fetch
com, org, root data.  I tested quickly, empty cache + query for
www.google.com and google.org, then www.xo.com and it takes 250 msec
only (twice as fast as your number), although that could be just luck.

I am prepared to make fallback code that handles the 'all servers are
recursive instead of authoritative' error, and send a +RD (recursion
desired) query there, but only as a last resort.  It is unsafe, you see:
that caching recursive server may have been cache poisoned.

Thank you for the detailed error report.

Best regards,
   Wouter

Chris Smith wrote:
> Hello,
> 
> New to the list and running unbound svn rev 1281.
> 
> With unbound I'm not able to successfully resolve a particular IP address and
> the query times are very long compared to bind. Also dig's "+trace" does not
> appear to work from systems on my LAN.
> =====================================================================
> BIND:
> =====================================================================
> davinci ~ # dig www.xo.com                                                                               
> 
> ; <<>> DiG 9.5.0-P2 <<>> www.xo.com
> ;; global options:  printcmd       
> ;; Got answer:                     
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10842
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.xo.com.                    IN      A
> 
> ;; ANSWER SECTION:
> www.xo.com.             10800   IN      A       205.158.160.76
> 
> ;; AUTHORITY SECTION:
> .                       517541  IN      NS      E.ROOT-SERVERS.NET.
> .                       517541  IN      NS      H.ROOT-SERVERS.NET.
> .                       517541  IN      NS      A.ROOT-SERVERS.NET.
> .                       517541  IN      NS      J.ROOT-SERVERS.NET.
> .                       517541  IN      NS      F.ROOT-SERVERS.NET.
> .                       517541  IN      NS      M.ROOT-SERVERS.NET.
> .                       517541  IN      NS      L.ROOT-SERVERS.NET.
> .                       517541  IN      NS      K.ROOT-SERVERS.NET.
> .                       517541  IN      NS      G.ROOT-SERVERS.NET.
> .                       517541  IN      NS      D.ROOT-SERVERS.NET.
> .                       517541  IN      NS      B.ROOT-SERVERS.NET.
> .                       517541  IN      NS      C.ROOT-SERVERS.NET.
> .                       517541  IN      NS      I.ROOT-SERVERS.NET.
> 
> ;; Query time: 96 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct  3 10:19:18 2008         
> ;; MSG SIZE  rcvd: 255                    
> 
> davinci ~ # dig -x 205.158.160.76
> 
> ; <<>> DiG 9.5.0-P2 <<>> -x 205.158.160.76
> ;; global options:  printcmd              
> ;; Got answer:                            
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38857
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;76.160.158.205.in-addr.arpa.   IN      PTR
> 
> ;; ANSWER SECTION:
> 76.160.158.205.in-addr.arpa. 43200 IN   PTR     xonlbvip.pla.dc.xo.com.
> 
> ;; AUTHORITY SECTION:
> .                       517534  IN      NS      M.ROOT-SERVERS.NET.
> .                       517534  IN      NS      K.ROOT-SERVERS.NET.
> .                       517534  IN      NS      H.ROOT-SERVERS.NET.
> .                       517534  IN      NS      A.ROOT-SERVERS.NET.
> .                       517534  IN      NS      E.ROOT-SERVERS.NET.
> .                       517534  IN      NS      D.ROOT-SERVERS.NET.
> .                       517534  IN      NS      B.ROOT-SERVERS.NET.
> .                       517534  IN      NS      J.ROOT-SERVERS.NET.
> .                       517534  IN      NS      I.ROOT-SERVERS.NET.
> .                       517534  IN      NS      F.ROOT-SERVERS.NET.
> .                       517534  IN      NS      C.ROOT-SERVERS.NET.
> .                       517534  IN      NS      G.ROOT-SERVERS.NET.
> .                       517534  IN      NS      L.ROOT-SERVERS.NET.
> 
> ;; Query time: 69 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct  3 10:19:25 2008         
> ;; MSG SIZE  rcvd: 292                    
> 
> davinci ~ # dig -x 209.119.112.2
> 
> ; <<>> DiG 9.5.0-P2 <<>> -x 209.119.112.2
> ;; global options:  printcmd             
> ;; Got answer:                           
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45146
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;2.112.119.209.in-addr.arpa.    IN      PTR
> 
> ;; ANSWER SECTION:
> 2.112.119.209.in-addr.arpa. 10800 IN    PTR     smtp.hq.theauditors.com.
> 
> ;; AUTHORITY SECTION:
> .                       517521  IN      NS      D.ROOT-SERVERS.NET.
> .                       517521  IN      NS      B.ROOT-SERVERS.NET.
> .                       517521  IN      NS      C.ROOT-SERVERS.NET.
> .                       517521  IN      NS      A.ROOT-SERVERS.NET.
> .                       517521  IN      NS      M.ROOT-SERVERS.NET.
> .                       517521  IN      NS      K.ROOT-SERVERS.NET.
> .                       517521  IN      NS      L.ROOT-SERVERS.NET.
> .                       517521  IN      NS      E.ROOT-SERVERS.NET.
> .                       517521  IN      NS      I.ROOT-SERVERS.NET.
> .                       517521  IN      NS      J.ROOT-SERVERS.NET.
> .                       517521  IN      NS      F.ROOT-SERVERS.NET.
> .                       517521  IN      NS      G.ROOT-SERVERS.NET.
> .                       517521  IN      NS      H.ROOT-SERVERS.NET.
> 
> ;; Query time: 63 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct  3 10:19:38 2008         
> ;; MSG SIZE  rcvd: 292                    
> =====================================================================
> UNBOUND-SVN revision 1281:
> =====================================================================
> davinci ~ # dig www.xo.com                                                                             
> 
> ; <<>> DiG 9.5.0-P2 <<>> www.xo.com
> ;; global options:  printcmd       
> ;; Got answer:                     
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20202
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
> 
> ;; QUESTION SECTION:
> ;www.xo.com.                    IN      A
> 
> ;; ANSWER SECTION:
> www.xo.com.             10800   IN      A       205.158.160.76
> 
> ;; AUTHORITY SECTION:
> xo.com.                 10800   IN      NS      ns2.xo.com.
> xo.com.                 10800   IN      NS      ns3.xo.com.
> xo.com.                 10800   IN      NS      ns1.xo.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.xo.com.             10800   IN      A       207.155.248.16
> ns2.xo.com.             10800   IN      A       207.155.252.16
> ns3.xo.com.             10800   IN      A       207.88.20.31  
> 
> ;; Query time: 562 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct  3 10:19:55 2008         
> ;; MSG SIZE  rcvd: 146                    
> 
> davinci ~ # dig -x 205.158.160.76
> 
> ; <<>> DiG 9.5.0-P2 <<>> -x 205.158.160.76
> ;; global options:  printcmd              
> ;; Got answer:                            
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28887
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;76.160.158.205.in-addr.arpa.   IN      PTR
> 
> ;; ANSWER SECTION:
> 76.160.158.205.in-addr.arpa. 43200 IN   PTR     xonlbvip.pla.dc.xo.com.
> 
> ;; AUTHORITY SECTION:
> 160.158.205.in-addr.arpa. 43200 IN      NS      nameserver.concentric.net.
> 160.158.205.in-addr.arpa. 43200 IN      NS      nameserver1.concentric.net.
> 160.158.205.in-addr.arpa. 43200 IN      NS      nameserver2.concentric.net.
> 160.158.205.in-addr.arpa. 43200 IN      NS      nameserver3.concentric.net.
> 160.158.205.in-addr.arpa. 10800 IN      NS      ns1.pla.dc.xo.com.         
> 160.158.205.in-addr.arpa. 43200 IN      NS      ns1.pla.dc.xo.com.         
> 
> ;; Query time: 731 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct  3 10:20:06 2008         
> ;; MSG SIZE  rcvd: 230                    
> 
> davinci ~ # dig -x 209.119.112.2
> 
> ; <<>> DiG 9.5.0-P2 <<>> -x 209.119.112.2
> ;; global options:  printcmd             
> ;; Got answer:                           
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62990
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;2.112.119.209.in-addr.arpa.    IN      PTR
> 
> ;; Query time: 765 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct  3 10:20:17 2008
> ;; MSG SIZE  rcvd: 44
> =====================================================================
> 
> Notice that "dig -x 209.119.112.2" receives no answer when using unbound.

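Added example, not part of the original message and not Unbound's code: a simplified check for the "recursion-lame" condition described in the reply, based only on the DNS header of a reply to a non-recursive (RD=0) query sent to a delegated server. The function names, the category labels and the sample headers are assumptions made for illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1).
QR, AA, RA, RCODE = 0x8000, 0x0400, 0x0080, 0x000F

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & RCODE,
            "ancount": an, "nscount": ns}

def classify(msg: bytes) -> str:
    """Classify a reply to an RD=0 query sent to a delegated server."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] not in (0, 3):          # anything but NOERROR / NXDOMAIN
        return "error"
    if h["aa"]:
        return "authoritative"
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"                 # delegation further down the tree
    # Data without AA: served from a cache, not from the zone itself.
    return "recursion-lame" if h["ra"] else "lame"

def all_recursion_lame(replies) -> bool:
    """True when every delegated server answered as a recursor."""
    replies = list(replies)
    return bool(replies) and all(classify(r) == "recursion-lame" for r in replies)

def header(flags: int, an: int, ns: int) -> bytes:
    """Build a constructed sample header (id 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)

# Constructed samples, not captures from the servers in the thread.
CACHED = header(QR | RA, an=1, ns=0)        # answer, AA clear, RA set
AUTH = header(QR | AA, an=1, ns=2)
REFERRAL = header(QR, an=0, ns=3)
SERVFAIL = header(QR | RA | 2, an=0, ns=0)

if __name__ == "__main__":
    for name, m in [("cached", CACHED), ("auth", AUTH),
                    ("referral", REFERRAL), ("servfail", SERVFAIL)]:
        print(name, classify(m))
    print("zone unusable:", all_recursion_lame([CACHED, CACHED]))
```

When all_recursion_lame() is true, a resolver that only accepts authoritative data has nothing left to use for the zone, which is the case the proposed last-resort fallback would cover.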