simon+unbound at sdeziel.info
Wed Mar 9 20:43:04 CET 2016
I noticed that sometimes, Unbound takes many seconds before replying to
a client that a lookup failed (ServFail):
# client: 192.0.2.25
$ tcpdump -ttt -nr dns.pcap udp port 56379 2>/dev/null
00:00:00.000000 IP 192.0.2.25.56379 > 172.20.21.10.53: 15985+ PTR?
00:00:46.092701 IP 172.20.21.10.53 > 192.0.2.25.56379: 15985 ServFail
In this particular case, it seems to be a dead upstream NS, so Unbound is
not to blame.
What I'd like to know is if there is a way to configure Unbound to fail
earlier? Something like sending a ServFail to the client if the answer
isn't received inside of X milliseconds.
Thanks in advance,
P.S.: Those delayed replies sent by Unbound to the client are dropped by
iptables as UDP connections expire after 30 seconds
(net.netfilter.nf_conntrack_udp_timeout). This, in turn, spams my logs
and my inbox. We all love logcheck, don't we?
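To quantify the problem described above (how many replies leave the resolver after the client's UDP conntrack entry has already expired), here is an added example that is not part of the original post or of Unbound: a small Python script that pairs queries with replies in `tcpdump -ttt -n` output by (client address, client port, transaction id), computes the client-visible latency, and flags replies older than the default 30-second `net.netfilter.nf_conntrack_udp_timeout`. It assumes the `-ttt` format (each line shows the delta since the previous packet as HH:MM:SS.uuuuuu), IPv4 addresses printed as a.b.c.d.port, and a resolver listening on port 53. The sample capture embedded in the script is constructed in the same format as the one in the post; the names and answers in it are made up.

```python
"""Flag DNS replies that arrive after the netfilter UDP conntrack timeout.

Added example (not from the original post or Unbound). Assumes `tcpdump
-ttt -n` output: per-line delta timestamps HH:MM:SS.uuuuuu, IPv4 endpoints
printed as a.b.c.d.port, resolver on port 53.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Linux default for net.netfilter.nf_conntrack_udp_timeout, in seconds.
CONNTRACK_UDP_TIMEOUT_S = 30.0

# Constructed sample capture (same format as the post; contents made up).
SAMPLE_CAPTURE = """\
00:00:00.000000 IP 192.0.2.25.56379 > 172.20.21.10.53: 15985+ PTR? 1.2.0.192.in-addr.arpa. (44)
00:00:46.092701 IP 172.20.21.10.53 > 192.0.2.25.56379: 15985 ServFail 0/0/0 (44)
00:00:00.500000 IP 192.0.2.25.40001 > 172.20.21.10.53: 4242+ A? example.com. (29)
00:00:00.020000 IP 172.20.21.10.53 > 192.0.2.25.40001: 4242 1/0/0 A 192.0.2.80 (45)
00:00:01.000000 IP 192.0.2.25.40002 > 172.20.21.10.53: 777+ AAAA? example.net. (29)
00:00:05.000000 IP 172.20.21.10.53 > 192.0.2.25.40002: 777 ServFail 0/0/0 (29)
"""

# delta, src ip, src port, dst ip, dst port, txid, flag chars, remainder
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\d+)(\S*)\s*(.*)$"
)


@dataclass
class Exchange:
    client: str
    client_port: int
    txid: int
    question: str      # e.g. "PTR? 1.2.0.192.in-addr.arpa."
    rcode: str         # "ServFail", "NXDomain", ... or "NoError"
    latency_us: int    # reply time minus query time, in microseconds

    @property
    def latency_s(self) -> float:
        return self.latency_us / 1_000_000


def parse_delta_us(h: str, m: str, s: str, us: str) -> int:
    """Convert a -ttt delta (HH:MM:SS.uuuuuu) to integer microseconds."""
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1_000_000 + int(us)


def parse_capture(text: str, resolver_port: int = 53) -> List[Exchange]:
    """Pair queries with replies by (client ip, client port, txid).

    -ttt prints the time since the previous line, so the absolute offset is
    the running sum of the deltas. Queries that never get a reply are not
    returned; replies without a matching query are ignored.
    """
    now_us = 0
    pending: Dict[Tuple[str, int, int], Tuple[int, str]] = {}
    done: List[Exchange] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DNS line in the expected format
        now_us += parse_delta_us(*m.group(1, 2, 3, 4))
        src, sport, dst, dport = m.group(5), int(m.group(6)), m.group(7), int(m.group(8))
        txid, rest = int(m.group(9)), re.sub(r"\s*\(\d+\)$", "", m.group(11))
        if dport == resolver_port:          # query from a client
            pending[(src, sport, txid)] = (now_us, rest)
        elif sport == resolver_port:        # reply back to the client
            key = (dst, dport, txid)
            if key not in pending:
                continue
            sent_us, question = pending.pop(key)
            # tcpdump prints the rcode name only when it is not NoError;
            # otherwise the answer counts ("1/0/0") come first.
            first = rest.split()[0] if rest else ""
            rcode = first if first.isalpha() else "NoError"
            done.append(Exchange(dst, dport, txid, question, rcode, now_us - sent_us))
    return done


def late_replies(exchanges: List[Exchange],
                 timeout_s: float = CONNTRACK_UDP_TIMEOUT_S) -> List[Exchange]:
    """Replies sent after the client's UDP conntrack entry would have expired;
    a stateful firewall drops (and, with logging, reports) these."""
    return [e for e in exchanges if e.latency_s > timeout_s]


if __name__ == "__main__":
    for e in parse_capture(SAMPLE_CAPTURE):
        tag = "LATE" if e.latency_s > CONNTRACK_UDP_TIMEOUT_S else "ok"
        print(f"{tag:4} {e.client}:{e.client_port} id={e.txid} "
              f"{e.rcode:8} {e.latency_s:9.3f}s {e.question}")
```

Run it against a real capture with `tcpdump -ttt -nr dns.pcap udp port 53 | python3 script.py` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`; any line tagged LATE is a reply the client's firewall would drop, and the ServFail ones are the candidates for an earlier failure on the resolver side. Latency is kept as integer microseconds so the running sum of deltas does not accumulate floating-point error.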