unbound asks for A record, when txt requested
Oliver
unbound at t8.de
Thu Sep 12 10:20:48 UTC 2019
Hello,
I found a strange behavior with unbound 1.6.0 as resolver. When I send a
request for a "TXT" record, unbound first asks for an "A" record.
Normally this is not a problem, but we now have a problem with a DNS server
which only answers to "TXT" records. When you ask for an "A" record you
get no response and you have to wait for the timeout.
Here is an example:
DNS-Name: urvfr.qr.m.05.s.sophosxl.net
authoritative name server for m.05.s.sophosxl.net: ns.sxl31.sophosxl.net.
DNS-IP1: 34.252.84.252
DNS-IP2: 52.19.19.59
Unbound tries to fetch the "A" records from both nameservers and runs into
a timeout, and only after the timeout does the "TXT" record request follow.
12:01:31.279241 34.252.84.252.53: 19073% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.329441 34.252.84.252.53: 49899% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.430434 52.19.19.59.53: 55169% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.530833 52.19.19.59.53: 20653% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.731961 34.252.84.252.53: 18091% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.132984 34.252.84.252.53: 54968% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.933638 52.19.19.59.53: 1330% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.963046 52.19.19.59.53: 47544% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.994500 52.19.19.59.53: 9287% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.026025 52.19.19.59.53: 28622% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.057624 34.252.84.252.53: 8529% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.088539 34.252.84.252.53: 30851% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
Because the TTL for the entry is only 10 seconds, this problem happens very
often. Also, the part before m.05.s.sophosxl.net is dynamic.
This is used by some kind of Sophos endpoint protection. The client sends
several requests for each website it tries to reach. So this ends up in a total
wait time of 60 seconds for every website the client tries to reach.
Here is the config:
server:
    # localhost
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
    prefetch: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    verbosity: 1
    cache-max-negative-ttl: 300
Can I change this behavior or is this fixed in a newer version?
I can provide captures if needed.
Best regards,
Oliver
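As an added example (not part of Oliver's mail or of Unbound), a small Python script that parses tcpdump DNS summary lines like the ones quoted above and measures how long the resolver spent retrying the "A" probe before it sent the "TXT" query the client actually asked for. The sample capture is copied from the lines in the post; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample, copied from the tcpdump summary lines quoted in the post
# (the six A probes and the first two TXT queries; source address absent as there).
SAMPLE_CAPTURE = """\
12:01:31.279241 34.252.84.252.53: 19073% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.329441 34.252.84.252.53: 49899% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.430434 52.19.19.59.53: 55169% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.530833 52.19.19.59.53: 20653% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.731961 34.252.84.252.53: 18091% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.132984 34.252.84.252.53: 54968% [1au] A? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.933638 52.19.19.59.53: 1330% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.963046 52.19.19.59.53: 47544% [1au] TXT? urvfr.qr.m.05.s.sophosxl.net. (57)
"""

# One tcpdump DNS summary line: time, server.port:, query id with flag chars,
# optional EDNS marker such as [1au], QTYPE?, QNAME, (size).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6})\s+(?P<server>\d+(?:\.\d+){3})\.\d+:\s+"
    r"\d+[+%$|-]*\s+(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\(\d+\)$"
)

def parse_queries(text):
    """Return a list of (timestamp, server, qtype, qname) for each parsed line."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not a query summary line
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            queries.append((ts, m["server"], m["qtype"], m["qname"]))
    return queries

def stall_seconds(queries, probe="A", wanted="TXT"):
    """Seconds between the first probe-type query and the first query of the
    type the client asked for; None if either type never appears."""
    first_probe = next((q[0] for q in queries if q[2] == probe), None)
    first_wanted = next((q[0] for q in queries if q[2] == wanted), None)
    if first_probe is None or first_wanted is None:
        return None
    return (first_wanted - first_probe).total_seconds()

def retries_by_server(queries, qtype):
    """How many times each authoritative server was asked for qtype."""
    counts = {}
    for _, server, qt, _ in queries:
        if qt == qtype:
            counts[server] = counts.get(server, 0) + 1
    return counts
```

On the quoted capture this reports a stall of about 1.65 seconds and four A retries to 34.252.84.252 plus two to 52.19.19.59 before the first TXT query, which is the delay the client sees on every cache miss.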