Maintained by: NLnet Labs

slow responses

Simon Deziel
Wed Mar 9 20:43:04 CET 2016


Hi .*,

I noticed that sometimes, Unbound takes many seconds before replying to
a client that a lookup failed (ServFail):

# client:  192.0.2.25
# unbound: 172.20.21.10
$ tcpdump -ttt -nr dns.pcap udp port 56379 2>/dev/null
00:00:00.000000 IP 192.0.2.25.56379 > 172.20.21.10.53: 15985+ PTR? 69.82.133.155.in-addr.arpa. (44)
00:00:46.092701 IP 172.20.21.10.53 > 192.0.2.25.56379: 15985 ServFail 0/0/0 (44)

In this particular case, it seems to be a dead upstream NS so Unbound is
not to blame.

What I'd like to know is if there is a way to configure Unbound to fail
earlier? Something like sending a ServFail to the client if the answer
isn't received inside of X milliseconds.

Thanks in advance,
Simon


P.S.: Those delayed replies sent by Unbound to the client are dropped by
iptables as UDP connections expire after 30 seconds
(net.netfilter.nf_conntrack_udp_timeout). This, in turn, spams my logs
and my inbox. We all love logcheck, don't we?
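
The timing problem described in the P.S., as an added example that is not part of the original post: a small parser for `tcpdump -ttt -n` text that pairs each DNS query with its reply and reports replies arriving after the conntrack UDP timeout, which are the ones a stateful firewall will log and drop. The function name, the regular expression and the port-40000 sample pair are assumptions made for this illustration.

```python
import re

# Value quoted in the post for net.netfilter.nf_conntrack_udp_timeout (seconds).
CONNTRACK_UDP_TIMEOUT = 30.0

# hh:mm:ss.frac IP src.port > dst.port: id[flags] rest-of-line
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                  r"(\d+)[+\-*%|$]* (.*)$")

# Port-56379 lines are the post's capture with the e-mail wrapping undone;
# the port-40000 pair is constructed to show a normal, fast answer.
SAMPLE = """\
00:00:00.000000 IP 192.0.2.25.40000 > 172.20.21.10.53: 4242+ A? example.com. (29)
00:00:00.020000 IP 172.20.21.10.53 > 192.0.2.25.40000: 4242 1/0/0 A 192.0.2.80 (45)
00:00:01.000000 IP 192.0.2.25.56379 > 172.20.21.10.53: 15985+ PTR? 69.82.133.155.in-addr.arpa. (44)
00:00:46.092701 IP 172.20.21.10.53 > 192.0.2.25.56379: 15985 ServFail 0/0/0 (44)
"""

def late_replies(text, timeout=CONNTRACK_UDP_TIMEOUT):
    """Return (client, dns_id, first_reply_token, latency_s) for late replies.

    With -ttt every timestamp is the delta from the previous printed packet,
    so an absolute clock is rebuilt by summing the deltas.
    """
    clock = 0.0
    pending = {}   # (client_ip, client_port, dns_id) -> time the query was seen
    late = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue   # wrapped or non-DNS line: no delta to add
        h, mi, s, src, sport, dst, dport, qid, rest = m.groups()
        clock += int(h) * 3600 + int(mi) * 60 + float(s)
        if dport == "53":                  # client -> resolver query
            pending[(src, sport, qid)] = clock
        elif sport == "53":                # resolver -> client reply
            asked = pending.pop((dst, dport, qid), None)
            if asked is not None and clock - asked > timeout:
                late.append((f"{dst}:{dport}", int(qid), rest.split()[0],
                             round(clock - asked, 6)))
    return late

if __name__ == "__main__":
    for client, qid, token, latency in late_replies(SAMPLE):
        print(f"{client} id={qid} {token} after {latency:.3f}s "
              f"(> {CONNTRACK_UDP_TIMEOUT:.0f}s conntrack timeout)")
```

The input must be unwrapped tcpdump text; lines folded by a mail client, as in the archive copy of the post, do not match the pattern and are skipped.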