Maintained by: NLnet Labs

Unbound Srvfail cache

W.C.A. Wijngaards
Thu Jul 6 09:23:06 CEST 2017


Hi Mahdi,

Unbound only probes every 15 minutes (infra-ttl) to see if servers are
back up.  You could lower infra-ttl in your config.

Also, you could update; 1.4.20 is from 2012.  Perhaps the newer version
does not have this issue in this manner.

You can also flush the infra cache, with unbound-control flush_infra
all, that way you don't lose the DNS cache.

Best regards, Wouter

On 06/07/17 08:05, Mahdi Adnan via Unbound-users wrote:
> Hi folks,
> 
> 
> We have a situation here with Unbound: during an internet outage for an
> hour or so, Unbound keeps replying with server servfail for valid
> domains even after it gains access to the internet. To fix this, I have to
> reload or restart Unbound.
> 
> This happens every time we lose internet for more than 30 minutes or so.
> 
> Any way to fix this?
> 
> Appreciate your time.
> 
> 
> OS: CentOS 7.3
> 
> Unbound: Version 1.4.20
> 
> 
> Config:
> 
> 
> server:
> 
> access-control: 0.0.0.0/0 deny
> access-control: x.x.x.x/x allow
> verbosity: 1
> statistics-interval: 0
> statistics-cumulative: no
> extended-statistics: yes
> num-threads: 16
> interface: xx.xx.xx.xx
> interface: xx.xx.xx.xx
> interface: xx.xx.xx.xx
> interface: xx.xx.xx.xx
> interface: 127.0.0.1
> interface-automatic: no
> port: 53
> outgoing-range: 8196
> num-queries-per-thread: 1600
> outgoing-num-tcp: 100
> incoming-num-tcp: 100
> so-rcvbuf: 8m
> so-sndbuf: 8m
> msg-cache-size: 2G
> rrset-cache-size: 4G
> msg-cache-slabs: 16
> rrset-cache-slabs: 16
> infra-cache-slabs: 16
> infra-cache-numhosts: 10000000
> do-ip4: yes
> do-ip6: yes
> do-udp: yes
> do-tcp: yes
> do-daemonize: yes
> chroot: ""
> username: "unbound"
> directory: "/etc/unbound"
> logfile: "/var/log/unbound.log"
> log-queries: no
> use-syslog: yes
> log-time-ascii: yes
> pidfile: "/var/run/unbound/unbound.pid"
> root-hints: "/etc/unbound/root.hints"
> hide-identity: yes
> hide-version: yes
> harden-glue: yes
> harden-dnssec-stripped: yes
> harden-below-nxdomain: yes
> harden-referral-path: yes
> use-caps-for-id: no
> unwanted-reply-threshold: 100000
> prefetch: yes
> prefetch-key: yes
> rrset-roundrobin: yes
> minimal-responses: yes
> trusted-keys-file: /etc/unbound/keys.d/*.key
> auto-trust-anchor-file: "/var/lib/unbound/root.key"
> val-log-level: 1
> key-cache-size: 1G
> key-cache-slabs: 16
> neg-cache-size: 1k
> include: /etc/unbound/local.d/*.conf
> # Remote control config section.
> remote-control:
> control-enable: yes
> # control-interface: 127.0.0.1
> # control-port: 953
> server-key-file: "/etc/unbound/unbound_server.key"
> server-cert-file: "/etc/unbound/unbound_server.pem"
> control-key-file: "/etc/unbound/unbound_control.key"
> control-cert-file: "/etc/unbound/unbound_control.pem"
> # Stub and Forward zones
> include: /etc/unbound/conf.d/*.conf
> 
> 
> 
> -- 
> 
> Respectfully,
> Mahdi A. Mahdi
> 
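
One way to automate the flush_infra suggestion in the reply above, as an added example that is not part of the original thread: a POSIX shell check that flushes only the infra cache when the local resolver answers SERVFAIL while a root server is reachable again. The variable names, the probe name and the single-name SERVFAIL heuristic are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Heuristic: if the local Unbound answers
# SERVFAIL for a name that should resolve while a root server is reachable
# again, flush only the infra cache (host backoff state), keeping DNS data.
# The 15-minute interval mentioned in the reply is infra-host-ttl in unbound.conf.
# Hypothetical variable names; adjust the defaults to your site.
RESOLVER="${RESOLVER:-127.0.0.1}"          # the Unbound instance to check
PROBE_NAME="${PROBE_NAME:-example.com.}"   # a name you expect to resolve
ROOT_SERVER="${ROOT_SERVER:-198.41.0.4}"   # a.root-servers.net
DIG="${DIG:-dig}"
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Print the rcode from dig's header line; prints nothing on timeout.
rcode_of() {
    $DIG +tries=1 +time=3 "$@" 2>/dev/null |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Prints one of: no-servfail, uplink-down, flushed.
flush_infra_if_stuck() {
    local_rc=$(rcode_of "@$RESOLVER" "$PROBE_NAME" A)
    if [ "$local_rc" != "SERVFAIL" ]; then
        echo no-servfail; return 0   # resolver is not in the failing state
    fi
    # Ask a root server directly, bypassing Unbound, to see if the uplink works.
    root_rc=$(rcode_of +norecurse "@$ROOT_SERVER" . NS)
    if [ "$root_rc" != "NOERROR" ]; then
        echo uplink-down; return 0   # still offline: flushing would not help
    fi
    # Uplink is back but Unbound still fails: drop host backoff state only.
    $UNBOUND_CONTROL flush_infra all >/dev/null && echo flushed
}

# Usage from cron, e.g. once a minute:
#   flush_infra_if_stuck | logger -t unbound-watch
```

Choose a probe name in a zone you control, since a DNSSEC validation failure also produces SERVFAIL and is not cured by flushing the infra cache.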

