Maintained by: NLnet Labs

[Unbound-users] Resolving of some special host very slow

lst_hoe02 at kwsoft.de
Thu Mar 6 21:26:27 CET 2014


Quote from Wouter Wijngaards <wouter at nlnetlabs.nl>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> On 03/06/2014 02:31 PM, lst_hoe02 at kwsoft.de wrote:
>>
>> Quote from staticsafe <me at staticsafe.ca>:
>>
>>> On 3/5/2014 08:24, lst_hoe02 at kwsoft.de wrote:
>>>>
>>>> Hello,
>>>>
>>>> today we discovered a hostname which is very slow to resolve
>>>> with Unbound 1.4.21 as validating resolver. It works fine with
>>>> all kinds of other resolvers and oddly enough even with another
>>>> Unbound instance. The host in question is esta.cbp.dhs.gov and
>>>> resolve time after it is not in the cache ranges from around 2
>>>> to 5 seconds. I have taken a tcpdump and can only see that the
>>>> first answer comes much faster but Unbound keeps asking for the
>>>> same A record on different nameservers again and again.
>>>>
>>>> Any idea what is going wrong?
>
> The zone is not signed, but it is hosted on the same servers that also
> host its parent zone, which is signed.  Unbound is searching for
> dnssec information.  Then it does not find it.  Then it tries to build
> a chain of trust and finds the nsec3optout and then you get the answer.
>
> Apart from a lot of traffic to those servers, as it is trying all of
> them for every query, it should actually work fairly fast.  Are these
> servers somehow blocking access to you (with timeouts) ?
>
> Since the servers are all responsive (for me, from an IETF address),
> and in total the resolution is very fast (not near 5-10 sec), I think
> something else is going on.  This could have been triggered by the
> extra traffic that unbound sends towards those servers because it is
> trying to find out the co-hosted-parent problem as well as an optout
> that happens while it did not see the optout-referral.
>
> Looking for workarounds, try domain-insecure for cbp.dhs.gov.
>
> Best regards,
>    Wouter


As of now they are much faster but still slow:

Main site:
; <<>> DiG 9.8.1-P1 <<>> esta.cbp.dhs.gov A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22953
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;esta.cbp.dhs.gov.              IN      A

;; ANSWER SECTION:
esta.cbp.dhs.gov.       900     IN      A       216.81.87.20

;; Query time: 1503 msec
;; SERVER: 10.5.0.3#53(10.5.0.3)
;; WHEN: Thu Mar  6 21:18:24 2014
;; MSG SIZE  rcvd: 50

was more than 4000ms at report time

Hosted VPS:
; <<>> DiG 9.8.1-P1 <<>> esta.cbp.dhs.gov A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46389
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;esta.cbp.dhs.gov.              IN      A

;; ANSWER SECTION:
esta.cbp.dhs.gov.       900     IN      A       216.81.87.20

;; Query time: 387 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar  6 21:19:04 2014
;; MSG SIZE  rcvd: 50

was around 1500ms at report time

Problem is that we have a cascade with unbound1 asking unbound2 at the
gateway and with a resolve time of around 4 seconds unbound1 will
report timeout and access to this site will block. I could capture a
tcpdump and send it to you in private if you would like to have a look at it. I'm
a little out of ideas because as said it looks like the answer is
flowing in fast but unbound is searching over and over again...

Thanks

Andreas
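The domain-insecure workaround suggested earlier in the thread, written out as an unbound.conf fragment. This is an added example, not configuration from the thread or from NLnet Labs; the val-log-level line is an assumption added here so that unvalidated answers remain visible in the logs.

```yaml
server:
    # Workaround from the thread: treat cbp.dhs.gov (and every name
    # below it) as insecure, so Unbound stops looking for DNSSEC data
    # and an NSEC3 opt-out chain of trust before returning the answer.
    # Consequence: answers under this name are no longer validated,
    # so a spoofed response for esta.cbp.dhs.gov would not be rejected.
    domain-insecure: "cbp.dhs.gov"

    # Assumption (not in the thread): log validation failures so that
    # names answered without a chain of trust show up in the log.
    # 0 = off, 1 = log failures, 2 = also log the reason in detail.
    val-log-level: 1
```

Run unbound-checkconf before reloading, and keep the domain-insecure list as short as possible, since each entry trades DNSSEC protection for that subtree against resolution speed.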