Maintained by: NLnet Labs

[Unbound-users] Caching 'invalid response' or at least knowing not to look it up again...

Karl Pielorz
Sat Sep 15 10:04:52 CEST 2012


Hi,

We're running Unbound 1.4.18 on a number of FreeBSD machines now - and this 
generally seems to be running well.

Initially we had an issue with our forwarders being 'overrun' for queries 
when domains were invalid - this was fixed by setting our "forward only" 
unbound.conf to use 'forward-first: no'.

However, our BIND based forwarders (which unbound forwards onto) still see 
a large percentage of queries for domains, which they cannot resolve 
properly - and therefore return "invalid response", e.g.

"
15-Sep-2012 06:02:08.484 resolver: notice: DNS format error from 195.189.226.227#53 resolving iumdoctors.com/NS for client 192.168.0.2#5828: invalid response
"

Unbound running on 192.168.0.2 will keep asking for data about 
"iumdoctors.com" quite often, for quite a while. This may well be in 
response to software on that host, asking a lot for NS records for 
'iumdoctors.com'.

Is there any setting in 1.4.18 that we can use to tell Unbound to cache the 
fact that this query failed / gave an invalid response, so it can answer 
clients for, say, the next 5 or 10 minutes from cache - without bothering the 
main forwarders?

This would dramatically cut the number of these queries being issued 
against our forwarders.

We did look at this before - but were more concerned with other issues 
(which, as I said, were resolved by setting 'forward-first: no'). Now that the 
system has been running a while, we can see that the query load on BIND has 
been reduced, but by caching this kind of lookup it would drop even further.

Thanks,

-Karl
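The post quotes one BIND "invalid response" log line and asks how much load a short negative cache on the Unbound side would remove. The following is an added example, not code from the post, from Unbound or from NLnet Labs: a small Python parser for that BIND log line format that tallies failures per name/type and models a fixed-TTL negative cache to estimate how many of the repeats it would have absorbed. Only the first sample line is the one quoted in the post; the remaining lines, the second upstream address (203.0.113.7), the name example.invalid and the 192.168.0.3 client are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input modelled on the BIND 9 "resolver: notice" line quoted
# in the post. Only the first line is the real one from the post; the rest are
# made up (addresses 203.0.113.7 and 192.168.0.3, name example.invalid) so that
# the repeat-counting below has something to work on. The last line is an
# unrelated message included to show that non-matching lines are skipped.
SAMPLE_LOG = """\
15-Sep-2012 06:02:08.484 resolver: notice: DNS format error from 195.189.226.227#53 resolving iumdoctors.com/NS for client 192.168.0.2#5828: invalid response
15-Sep-2012 06:02:09.101 resolver: notice: DNS format error from 195.189.226.227#53 resolving iumdoctors.com/NS for client 192.168.0.2#5830: invalid response
15-Sep-2012 06:02:11.377 resolver: notice: DNS format error from 195.189.226.227#53 resolving iumdoctors.com/NS for client 192.168.0.2#5844: invalid response
15-Sep-2012 06:02:40.002 resolver: notice: DNS format error from 195.189.226.227#53 resolving iumdoctors.com/NS for client 192.168.0.3#40021: invalid response
15-Sep-2012 06:03:15.620 resolver: notice: DNS format error from 203.0.113.7#53 resolving example.invalid/A for client 192.168.0.2#5901: invalid response
15-Sep-2012 06:14:00.000 resolver: notice: DNS format error from 195.189.226.227#53 resolving iumdoctors.com/NS for client 192.168.0.2#6002: invalid response
15-Sep-2012 06:14:01.000 resolver: info: constructed unrelated line that must be ignored
"""

# Fields: timestamp, upstream server that sent the bad answer, qname/qtype being
# resolved, the client (here: the Unbound forwarder) and the failure reason.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"resolver: notice: DNS format error from (?P<server>\S+)#\d+ "
    r"resolving (?P<qname>\S+)/(?P<qtype>\S+) for client (?P<client>\S+)#\d+: "
    r"(?P<reason>.+)$"
)

# %b expects English month abbreviations ("Sep"), i.e. the C locale BIND logs in.
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Return a dict for a matching BIND 'DNS format error' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FORMAT)
    return event


def parse_log(text):
    """Parse every matching line of a log text; unrelated lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_repeats(events, window_seconds=300):
    """Model a fixed-TTL negative cache on the resolver that forwards to BIND.

    For each (qname, qtype) the first failure is a cache miss that goes upstream
    and starts a `window_seconds` TTL; every further failure inside that TTL
    would have been answered from the negative cache ("absorbable"). The first
    failure after the TTL expires goes upstream again and restarts the window.
    Returns (total failures, absorbable failures) as Counters keyed by
    (qname, qtype).
    """
    window = timedelta(seconds=window_seconds)
    total, absorbable, cached_at = Counter(), Counter(), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["qname"], e["qtype"])
        total[key] += 1
        start = cached_at.get(key)
        if start is not None and e["ts"] - start < window:
            absorbable[key] += 1          # served from the negative cache
        else:
            cached_at[key] = e["ts"]      # miss: upstream query, new TTL starts
    return total, absorbable


def summarize(events, window_seconds=300):
    """Rows of (name/type, total, absorbable, still_upstream), worst first."""
    total, absorbable = count_repeats(events, window_seconds)
    rows = []
    for key, n in total.most_common():
        saved = absorbable[key]
        rows.append(("%s/%s" % key, n, saved, n - saved))
    return rows


if __name__ == "__main__":
    for name, n, saved, upstream in summarize(parse_log(SAMPLE_LOG)):
        print("%-22s failures=%d absorbable=%d still_upstream=%d"
              % (name, n, saved, upstream))
```

Run it against a real BIND log (`parse_log(open("named.log").read())`) and vary `window_seconds` to see how the estimate changes for 5 versus 10 minutes; the "still_upstream" column is the residual load the forwarders would keep seeing. The per-client field is parsed as well, so grouping by `client` instead of by name shows whether one host is the source of the repeats, as the post suspects.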