Maintained by: NLnet Labs

[Unbound-users] Resolving of some special host very slow

staticsafe
Wed Mar 5 18:45:46 CET 2014


On 3/5/2014 08:24, lst_hoe02 at kwsoft.de wrote:
> 
> Hello,
> 
> today we discovered a hostname which is very slow to resolv with Unbound
> 1.4.21 as validating resolver. It works fine with all knid of other
> resolvers and oddly enough even with another Unbound instance.
> The host in question is esta.cbp.dhs.gov and resolve time after it is
> not in the cache range from around 2 to 5 seconds. I have take a tcpdump
> and can only see that the first answer come much faster but Unbound
> keeps asking for the same A record on different nameservers again and
> again.
> 
> Any idea what is going wrong?
> 
> Thanks
> 
> Andreas

Noticing the same issue:

[root at lasciel system]# time dig esta.cbp.dhs.gov @::1

; <<>> DiG 9.9.2-P2 <<>> esta.cbp.dhs.gov @::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33583
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;esta.cbp.dhs.gov.              IN      A

;; ANSWER SECTION:
esta.cbp.dhs.gov.       900     IN      A       216.81.87.20

;; Query time: 2097 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Mar  5 12:42:40 2014
;; MSG SIZE  rcvd: 61


real    0m12.201s
user    0m0.060s
sys     0m0.010s

[root at ferrovax ~]# time dig esta.cbp.dhs.gov

; <<>> DiG 9.9.5 <<>> esta.cbp.dhs.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14872
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;esta.cbp.dhs.gov.              IN      A

;; ANSWER SECTION:
esta.cbp.dhs.gov.       900     IN      A       216.81.87.20

;; AUTHORITY SECTION:
dhs.gov.                86398   IN      NS      use1.akam.net.
dhs.gov.                86398   IN      NS      use3.akam.net.
dhs.gov.                86398   IN      NS      usw4.akam.net.
dhs.gov.                86398   IN      NS      asia2.akam.net.
dhs.gov.                86398   IN      NS      eur2.akam.net.
dhs.gov.                86398   IN      NS      usc2.akam.net.
dhs.gov.                86398   IN      NS      usw3.akam.net.
dhs.gov.                86398   IN      NS      asia3.akam.net.

;; Query time: 2406 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Mar 05 17:43:57 UTC 2014
;; MSG SIZE  rcvd: 223


real    0m2.519s
user    0m0.009s
sys     0m0.103s

First one is against an unbound instance, second is against a BIND instance.

Perhaps one of the authoritative NSes are slow to respond for whatever
reason?

-- 
staticsafe