Tue Nov 25 08:22:51 UTC 2008

Hi Dmitriy,

What is happening is that the server has blacklisted the forwarder IP
address, because it does not answer any queries (it has to be
unreachable for about 2 minutes or more for that to happen).

This blacklist has a TTL of 15 minutes, by default.
You can set it in the config file.

infra-host-ttl: 900   # default 900 seconds
You could set it to infra-host-ttl: 60

It would then come back up within a minute after the connection is

This config parameter also sets how long roundtrip times and
EDNS-support are cached.  This cache is not cleared when you do a reload

So, although this all exactly explains what is happening to you, and
there is a config setting to work around the problem, I do not know how
I can help to fix it.

Best regards,

Dmitriy Demidov wrote:
> Hi Wouter.
> Looks like there is a problem with the forward-zone: mechanism. If I set up 
> unbound for request forwarding to my ISP's DNS cache server, and during this 
> time of operations my Internet connection fails for a couple of minutes (3-7 
> min average), then unbound freezes in a strange condition and does not make any 
> queuing at all until hard restarting (restarting using unbound-control does not 
> help - only via rc.d script). At the same time, unbound continues to answer 
> for names that remained in its cache, but if I do nslookup for something 
> that is not cached, then it says SERVFAIL in the same moment - SERVFAIL 
> without any timeout for queuing. And the bad news is that unbound stays in 
> this "freeze condition" after the Internet connection has been reestablished...
> The Internet connection does not fail physically (ethernet no-carrier) but only 
> logically (no response from GW or something like this). 
> How to repeat:
> 1) start unbound in ' forward-zone name: "." ' mode
> 2) prevent its communication with forward-addr: DNS server
> 3) wait for ~5min and make during this time a lot of resolving queues
> 4) connect internet back - unbound will stay in "freeze" 
> My system is FreeBSD 7.1-PRERELEASE, unbound is compiled from ports with 
> threads and is linked with libevent-1.4.8.
> ==============
> My unbound.conf
> server:
>         verbosity: 5
>         statistics-interval: 120
>         num-threads: 1
>         interface:
>         outgoing-range: 512
>         msg-cache-size: 16m
>         msg-cache-slabs: 4
>         num-queries-per-thread: 1024
>         rrset-cache-size: 32m
>         rrset-cache-slabs: 4
>         cache-max-ttl: 86400
>         do-ip4: yes
>         do-ip6: no
>         do-udp: yes
>         do-tcp: yes
>         do-daemonize: yes
>         access-control: refuse
>         access-control: allow
>         access-control: allow
>         chroot: "/usr/local/etc/unbound"
>         username: "unbound"
>         directory: "/usr/local/etc/unbound"
>         logfile: "/usr/local/etc/unbound/unbound.log"
>         use-syslog: no
>         pidfile: "/usr/local/etc/unbound/unbound.pid"
>         root-hints: "/usr/local/etc/unbound/named.cache"
>         harden-glue: yes
>         do-not-query-address:
>         module-config: "iterator"
> remote-control:
>         control-enable: yes
>         control-interface:
> forward-zone: 
>        name: "."
>        forward-addr:
> ==========
