Maintained by: NLnet Labs

[Unbound-users] Resolving of some special host very slow

lst_hoe02 at kwsoft.de
Thu Mar 6 14:31:53 CET 2014


Zitat von staticsafe <me at staticsafe.ca>:

> On 3/5/2014 08:24, lst_hoe02 at kwsoft.de wrote:
>>
>> Hello,
>>
>> today we discovered a hostname which is very slow to resolv with Unbound
>> 1.4.21 as validating resolver. It works fine with all knid of other
>> resolvers and oddly enough even with another Unbound instance.
>> The host in question is esta.cbp.dhs.gov and resolve time after it is
>> not in the cache range from around 2 to 5 seconds. I have take a tcpdump
>> and can only see that the first answer come much faster but Unbound
>> keeps asking for the same A record on different nameservers again and
>> again.
>>
>> Any idea what is going wrong?
>>
>> Thanks
>>
>> Andreas
>
> Noticing the same issue:
>
> [root at lasciel system]# time dig esta.cbp.dhs.gov @::1
>
> ; <<>> DiG 9.9.2-P2 <<>> esta.cbp.dhs.gov @::1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33583
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;esta.cbp.dhs.gov.              IN      A
>
> ;; ANSWER SECTION:
> esta.cbp.dhs.gov.       900     IN      A       216.81.87.20
>
> ;; Query time: 2097 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Wed Mar  5 12:42:40 2014
> ;; MSG SIZE  rcvd: 61
>
>
> real    0m12.201s
> user    0m0.060s
> sys     0m0.010s
>
> [root at ferrovax ~]# time dig esta.cbp.dhs.gov
>
> ; <<>> DiG 9.9.5 <<>> esta.cbp.dhs.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14872
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;esta.cbp.dhs.gov.              IN      A
>
> ;; ANSWER SECTION:
> esta.cbp.dhs.gov.       900     IN      A       216.81.87.20
>
> ;; AUTHORITY SECTION:
> dhs.gov.                86398   IN      NS      use1.akam.net.
> dhs.gov.                86398   IN      NS      use3.akam.net.
> dhs.gov.                86398   IN      NS      usw4.akam.net.
> dhs.gov.                86398   IN      NS      asia2.akam.net.
> dhs.gov.                86398   IN      NS      eur2.akam.net.
> dhs.gov.                86398   IN      NS      usc2.akam.net.
> dhs.gov.                86398   IN      NS      usw3.akam.net.
> dhs.gov.                86398   IN      NS      asia3.akam.net.
>
> ;; Query time: 2406 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Wed Mar 05 17:43:57 UTC 2014
> ;; MSG SIZE  rcvd: 223
>
>
> real    0m2.519s
> user    0m0.009s
> sys     0m0.103s
>
> First one is against an unbound instance, second is against a BIND instance.
>
> Perhaps one of the authoritative NSes are slow to respond for whatever
> reason?

These are the values we got on the second (faster) Unbound instance.  
On the primary we have > 4 seconds which lead to timeout on the  
downstream resolver, so the host is not accessible from time to time :-(
It would be nice to know if we have any chance to get this fixed by  
excluding some NS or pin something in the cache, because i doubt they  
will fix whatever might be on theri side.

Regards

Andreas