<div>Hi, we are seeing an odd behavior in our public firewall after migrating to unbound. Apparently the DNS is not replying to some queries from clients, and the firewall has to close the pseudo-session by timeout (set to 1 minute, the minimum possible). This causes the firewall to maintain a lot of useless connections with our 45k qps traffic. As far as I can see, this problem is happening only with broken delegations. Is there any workaround to solve this, or could it be a bug, or is it expected to work this way? I would not like to think what could happen to the firewall connection pool if we receive an attack with all broken pipes.</div>
<div> </div>
<div>1) What is the maximum time that a request (recursive lookup) stays in the request list? It seems to be more than 10 minutes.</div>
<div> </div>
<div># unbound-control dump_requestlist |grep winsecureservice<br> 90 A IN <a href="http://winsecureservice.com">winsecureservice.com</a>. 621.230546 iterator wait for 208.76.63.100</div>
<div> </div>
<div>2) Is there any way to reduce or adjust this time? I.e. 120 or 60 seconds, maybe less?</div>
<div>3) On the other hand, what is the time that unbound takes before it sends a servfail for a lame delegation to the client like in this case? Is there any way to add a specific configuration to customize this?</div>
<div> </div>
<div># dig @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a></div>
<div>; <<>> DiG 9.7.0-P1 <<>> @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a><br>; (1 server found)<br>;; global options: +cmd<br>;; connection timed out; no servers could be reached<br>
# dig @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a></div>
<div>; <<>> DiG 9.7.0-P1 <<>> @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a><br>; (1 server found)<br>;; global options: +cmd<br>;; connection timed out; no servers could be reached<br>
# dig @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a></div>
<div>; <<>> DiG 9.7.0-P1 <<>> @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a><br>; (1 server found)<br>;; global options: +cmd<br>;; connection timed out; no servers could be reached<br>
# dig @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a></div>
<div>; <<>> DiG 9.7.0-P1 <<>> @127.1 <a href="http://winsecureservice.com">winsecureservice.com</a><br>; (1 server found)<br>;; global options: +cmd<br>;; connection timed out; no servers could be reached</div>
<div> </div>
<div> </div>
<div>[root@est-dnsl2c-05 named]# unbound-control lookup <a href="http://winsecureservice.com">winsecureservice.com</a><br>The following name servers are used for lookup of <a href="http://winsecureservice.com">winsecureservice.com</a>.<br>
;rrset 85167 4 0 2 0<br><a href="http://winsecureservice.com">winsecureservice.com</a>. 171567 IN NS <a href="http://ns1.everydns.net">ns1.everydns.net</a>.<br><a href="http://winsecureservice.com">winsecureservice.com</a>. 171567 IN NS <a href="http://ns2.everydns.net">ns2.everydns.net</a>.<br>
<a href="http://winsecureservice.com">winsecureservice.com</a>. 171567 IN NS <a href="http://ns3.everydns.net">ns3.everydns.net</a>.<br><a href="http://winsecureservice.com">winsecureservice.com</a>. 171567 IN NS <a href="http://ns4.everydns.net">ns4.everydns.net</a>.<br>
;rrset 86187 1 0 8 2<br><a href="http://ns4.everydns.net">ns4.everydns.net</a>. 86187 IN A 208.76.60.100<br>;rrset 86187 1 0 8 2<br><a href="http://ns3.everydns.net">ns3.everydns.net</a>. 86187 IN A 208.76.63.100<br>
;rrset 86187 1 0 8 2<br><a href="http://ns2.everydns.net">ns2.everydns.net</a>. 86187 IN A 208.76.62.100<br>;rrset 85166 1 0 8 2<br><a href="http://ns1.everydns.net">ns1.everydns.net</a>. 85166 IN A 208.76.61.100<br>
Delegation with 4 names, of which 4 can be examined to query further addresses.<br>It provides 4 IP addresses.<br>208.76.61.100 rtt 257980 msec, 0 lost. noEDNS probed.<br>208.76.62.100 rtt 232028 msec, 0 lost. EDNS 0 probed.<br>
208.76.63.100 rtt 314581 msec, 0 lost. noEDNS probed.<br>208.76.60.100 rtt 317964 msec, 0 lost. noEDNS probed.
<div> </div>
<div>
<div>[root@est-dnsl2c-05 named]# dig @<a href="http://a.gtld-servers.net">a.gtld-servers.net</a> <a href="http://winsecureservice.com">winsecureservice.com</a> ns </div>
<div>; <<>> DiG 9.7.0-P1 <<>> @<a href="http://a.gtld-servers.net">a.gtld-servers.net</a> <a href="http://winsecureservice.com">winsecureservice.com</a> ns<br>; (2 servers found)<br>;; global options: +cmd<br>
;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33380<br>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4<br>;; WARNING: recursion requested but not available</div>
<div>;; QUESTION SECTION:<br>;<a href="http://winsecureservice.com">winsecureservice.com</a>. IN NS</div>
<div>;; AUTHORITY SECTION:<br><a href="http://winsecureservice.com">winsecureservice.com</a>. 172800 IN NS <a href="http://ns1.everydns.net">ns1.everydns.net</a>.<br><a href="http://winsecureservice.com">winsecureservice.com</a>. 172800 IN NS <a href="http://ns2.everydns.net">ns2.everydns.net</a>.<br>
<a href="http://winsecureservice.com">winsecureservice.com</a>. 172800 IN NS <a href="http://ns3.everydns.net">ns3.everydns.net</a>.<br><a href="http://winsecureservice.com">winsecureservice.com</a>. 172800 IN NS <a href="http://ns4.everydns.net">ns4.everydns.net</a>.</div>
<div>;; ADDITIONAL SECTION:<br><a href="http://ns1.everydns.net">ns1.everydns.net</a>. 172800 IN A 208.76.61.100<br><a href="http://ns2.everydns.net">ns2.everydns.net</a>. 172800 IN A 208.76.62.100<br>
<a href="http://ns3.everydns.net">ns3.everydns.net</a>. 172800 IN A 208.76.63.100<br><a href="http://ns4.everydns.net">ns4.everydns.net</a>. 172800 IN A 208.76.60.100</div>
<div>;; Query time: 132 msec<br>;; SERVER: 192.5.6.30#53(192.5.6.30)<br>;; WHEN: Fri May 21 17:44:21 2010<br>;; MSG SIZE rcvd: 186</div></div>
<div> </div>
<div>EFFECTIVELY we are talking about a lame delegation or broken pipe, so why didn't unbound reply with a SERVFAIL instead of keeping the query in the request list for more than 10 minutes and not answering the client either?</div>
<div><br>[root@est-dnsl2c-05 ~]# unbound-host <a href="http://winsecureservice.com">winsecureservice.com</a><br>Host <a href="http://winsecureservice.com">winsecureservice.com</a> not found: 2(SERVFAIL).<br>Host <a href="http://winsecureservice.com">winsecureservice.com</a> not found: 2(SERVFAIL).<br>
Host <a href="http://winsecureservice.com">winsecureservice.com</a> not found: 2(SERVFAIL).</div>
<div> </div></div>
<div><br>[root@est-dnsl2c-05 named]# dig @208.76.6x/1/2/3.100 <a href="http://winsecureservice.com">winsecureservice.com</a> ns </div>
<div>; <<>> DiG 9.7.0-P1 <<>> @<a href="http://208.76.60.100">208.76.60.100</a> <a href="http://winsecureservice.com">winsecureservice.com</a> ns<br>; (1 server found)<br>;; global options: +cmd<br>
;; connection timed out; no servers could be reached</div>
<div><br> </div>
<div> </div>
<div>best regards, </div>
<div> </div>
<div>Dario.</div>
<div> </div>
<div> </div>
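The post shows a query sitting in the unbound request list for over 600 seconds while the iterator waits on an unresponsive authoritative server. A defender watching a resolver at 45k qps wants to spot that condition before the firewall connection pool fills up. The script below is an added example, not code from the original post or from the Unbound project: it parses `unbound-control dump_requestlist` output and reports entries older than a threshold, grouped by the upstream server they are waiting on. The line format is assumed from the single line quoted in the post (`<id> <type> <class> <name> <seconds> <module status>`), the `thread #N` and `#` header lines are assumed, and all sample lines except the winsecureservice.com one are constructed.

```python
"""Flag long-lived entries in `unbound-control dump_requestlist` output.

Added example, not part of the original post or of Unbound itself.
Assumed per-entry format (inferred from the one line quoted in the post):
    <id> <type> <class> <name> <seconds> <module status ...>
"""
import re
from collections import Counter

# Constructed sample dump. Only the winsecureservice.com line is taken from
# the post; the other entries and the thread/header lines are made up.
SAMPLE_DUMP = """thread #0
#   type cl name    seconds    module status
 90 A IN winsecureservice.com. 621.230546 iterator wait for 208.76.63.100
 91 AAAA IN example.net. 0.412031 iterator wait for 192.0.2.53
 92 A IN example.org. 75.100000 iterator wait for 208.76.63.100
thread #1
#   type cl name    seconds    module status
 12 MX IN example.com. 1.250000 validator wait for 198.51.100.7
"""

# One request-list entry: id, qtype, class, owner name, age in seconds,
# then free-form module status text.
ENTRY_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<qtype>\S+)\s+(?P<cls>\S+)\s+(?P<name>\S+)\s+"
    r"(?P<seconds>\d+(?:\.\d+)?)\s+(?P<status>.*)$"
)
# The upstream address the iterator is blocked on, if the status names one.
WAIT_RE = re.compile(r"wait for (?P<ip>\S+)")


def parse_requestlist(text):
    """Return a list of dicts, one per pending query, skipping headers."""
    entries = []
    thread = None
    for line in text.splitlines():
        if line.startswith("thread #"):
            thread = int(line.split("#", 1)[1])
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # tolerate lines we do not understand
        wait = WAIT_RE.search(m.group("status"))
        entries.append({
            "thread": thread,
            "id": int(m.group("id")),
            "qtype": m.group("qtype"),
            "name": m.group("name"),
            "seconds": float(m.group("seconds")),
            "module_status": m.group("status").strip(),
            "waiting_on": wait.group("ip") if wait else None,
        })
    return entries


def stale_entries(entries, threshold_seconds=60.0):
    """Entries that have outlived the firewall's 60 s pseudo-session."""
    return [e for e in entries if e["seconds"] > threshold_seconds]


def waiting_by_server(entries):
    """Count how many entries are blocked on each upstream address."""
    return dict(Counter(e["waiting_on"] for e in entries if e["waiting_on"]))


def report(text, threshold_seconds=60.0):
    """Summary a monitoring check can alert on."""
    entries = parse_requestlist(text)
    stale = stale_entries(entries, threshold_seconds)
    return {
        "total": len(entries),
        "stale": len(stale),
        "oldest_seconds": max((e["seconds"] for e in entries), default=0.0),
        "stale_by_server": waiting_by_server(stale),
    }


if __name__ == "__main__":
    # In production, feed `unbound-control dump_requestlist` output instead.
    summary = report(SAMPLE_DUMP, threshold_seconds=60.0)
    print(f"{summary['stale']}/{summary['total']} pending queries older than 60 s; "
          f"oldest {summary['oldest_seconds']:.1f} s")
    for ip, n in sorted(summary["stale_by_server"].items(), key=lambda kv: -kv[1]):
        print(f"  {n} stale query(ies) waiting on {ip}")
```

Run it periodically against the real dump (for example from cron, piping `unbound-control dump_requestlist` into `report`) and alert when `stale` grows or when one upstream address dominates `stale_by_server`; a single unresponsive delegation set showing up for many names is the pattern described in the post.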