[Unbound-users] forward-zone bug (out of query targets -- returning SERVFAIL)
wouter at NLnetLabs.nl
Tue Nov 25 08:22:51 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
What is happening is that the server has blacklisted the forwarder IP
address. Because it does not answer any queries (it has to be
unreachable for about 2 minutes or more for that to happen).
This blacklist has a TTL of 15 minutes, by default.
You can set it in the config file.
infra-host-ttl: 900 # default 900 seconds
You could set it to infra-host-ttl: 60
It would then come back up within a minute after the connection is
This config parameter also sets how long roundtrip times and
EDNS-support is cached. This cache is not cleared when you do a reload
So, although this all exactly explains what is happening to you. And
there is a config setting to workaround the problem. I do not know how
I can help to fix it.
Dmitriy Demidov wrote:
> Hi Wouter.
> Looks like there is a problem with forward-zone: mechanism. If I'l setup
> unbound for request forwarding to my ISP's DNS cache server, and during this
> time of operations my Internet connection fails for a couple of minutes (3-7
> min average), then unbound freazes in strange condition and do not makes any
> queing at all until hard restarting (restarting using unbound-control do not
> helps - only via rc.d script). In the same time, unbound continues to answer
> for names what remained in it's cache, but if I do nslookup for something
> what is not cached, then it says SERVFAIL in the same moment - SERVFAIL
> without any timeout for queuing. And bad news is that unbound stays in
> this "freaze condition" after Internet connection has been reistablished...
> Internet connection do not fails physically (ethernet no-carrier) but only
> logicaly (no respons from GW or somthing like this).
> How to repeate:
> 1) start unbound in ' forward-zone name: "." ' mode
> 2) prevent it's communication with forward-addr: DNS server
> 3) wait for ~5min and make during this time a lot of resolving queues
> 4) connect internet back - unbound will stays in "freaze"
> My system is FreeBSD 7.1-PRERELEASE, unbound is compilled from ports with
> threads and are linked with libevent-1.4.8.
> My unbound.conf
> verbosity: 5
> statistics-interval: 120
> num-threads: 1
> interface: 0.0.0.0
> outgoing-range: 512
> msg-cache-size: 16m
> msg-cache-slabs: 4
> num-queries-per-thread: 1024
> rrset-cache-size: 32m
> rrset-cache-slabs: 4
> cache-max-ttl: 86400
> do-ip4: yes
> do-ip6: no
> do-udp: yes
> do-tcp: yes
> do-daemonize: yes
> access-control: 0.0.0.0/0 refuse
> access-control: 192.168.1.0/24 allow
> access-control: 127.0.0.0/8 allow
> chroot: "/usr/local/etc/unbound"
> username: "unbound"
> directory: "/usr/local/etc/unbound"
> logfile: "/usr/local/etc/unbound/unbound.log"
> use-syslog: no
> pidfile: "/usr/local/etc/unbound/unbound.pid"
> root-hints: "/usr/local/etc/unbound/named.cache"
> harden-glue: yes
> do-not-query-address: 127.0.0.1/8
> module-config: "iterator"
> control-enable: yes
> control-interface: 0.0.0.0
> name: "."
> forward-addr: 18.104.22.168
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Unbound-users