[Unbound-users] resolver & performance issues
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Sat Oct 4 09:04:11 UTC 2008
Hi Chris,

I notice that the servers for 2.112.119.209.in-addr.arpa. are
recursion-lame. They are not authoritative, but recursive for that zone.
This is why unbound refuses to accept the answer, and tries other
servers. However, the servers are identical.

The servers are also open recursors.

As for the run time, that could be because you have a freshly started
unbound, with an empty cache. That means it has to spend time to fetch
com, org, root data. I tested quickly, empty cache + query for
www.google.com and google.org, then www.xo.com and it takes 250 msec
only (twice as fast as your number), although that could be just luck.

I am prepared to make fallback code that handles 'all servers are
recursive instead of authoritative'-error, and send a +RD (recursion
desired) query there, but only as a last resort. It is unsafe, you see:
that caching recursive server may have been cache poisoned.

Thank you for the detailed error report.

Best regards,
Wouter

Chris Smith wrote:
> Hello,
>
> New to the list and running unbound svn rev 1281.
>
> With unbound I'm not able to successfully resolve a particular IP address and
> the query times are very long compared to bind. Also dig's "+trace" does not
> appear to work from systems on my lan.
> =====================================================================
> BIND:
> =====================================================================
> davinci ~ # dig www.xo.com
>
> ; <<>> DiG 9.5.0-P2 <<>> www.xo.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10842
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.xo.com. IN A
>
> ;; ANSWER SECTION:
> www.xo.com. 10800 IN A 205.158.160.76
>
> ;; AUTHORITY SECTION:
> . 517541 IN NS E.ROOT-SERVERS.NET.
> . 517541 IN NS H.ROOT-SERVERS.NET.
> . 517541 IN NS A.ROOT-SERVERS.NET.
> . 517541 IN NS J.ROOT-SERVERS.NET.
> . 517541 IN NS F.ROOT-SERVERS.NET.
> . 517541 IN NS M.ROOT-SERVERS.NET.
> . 517541 IN NS L.ROOT-SERVERS.NET.
> . 517541 IN NS K.ROOT-SERVERS.NET.
> . 517541 IN NS G.ROOT-SERVERS.NET.
> . 517541 IN NS D.ROOT-SERVERS.NET.
> . 517541 IN NS B.ROOT-SERVERS.NET.
> . 517541 IN NS C.ROOT-SERVERS.NET.
> . 517541 IN NS I.ROOT-SERVERS.NET.
>
> ;; Query time: 96 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct 3 10:19:18 2008
> ;; MSG SIZE rcvd: 255
>
> davinci ~ # dig -x 205.158.160.76
>
> ; <<>> DiG 9.5.0-P2 <<>> -x 205.158.160.76
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38857
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;76.160.158.205.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 76.160.158.205.in-addr.arpa. 43200 IN PTR xonlbvip.pla.dc.xo.com.
>
> ;; AUTHORITY SECTION:
> . 517534 IN NS M.ROOT-SERVERS.NET.
> . 517534 IN NS K.ROOT-SERVERS.NET.
> . 517534 IN NS H.ROOT-SERVERS.NET.
> . 517534 IN NS A.ROOT-SERVERS.NET.
> . 517534 IN NS E.ROOT-SERVERS.NET.
> . 517534 IN NS D.ROOT-SERVERS.NET.
> . 517534 IN NS B.ROOT-SERVERS.NET.
> . 517534 IN NS J.ROOT-SERVERS.NET.
> . 517534 IN NS I.ROOT-SERVERS.NET.
> . 517534 IN NS F.ROOT-SERVERS.NET.
> . 517534 IN NS C.ROOT-SERVERS.NET.
> . 517534 IN NS G.ROOT-SERVERS.NET.
> . 517534 IN NS L.ROOT-SERVERS.NET.
>
> ;; Query time: 69 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct 3 10:19:25 2008
> ;; MSG SIZE rcvd: 292
>
> davinci ~ # dig -x 209.119.112.2
>
> ; <<>> DiG 9.5.0-P2 <<>> -x 209.119.112.2
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45146
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;2.112.119.209.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 2.112.119.209.in-addr.arpa. 10800 IN PTR smtp.hq.theauditors.com.
>
> ;; AUTHORITY SECTION:
> . 517521 IN NS D.ROOT-SERVERS.NET.
> . 517521 IN NS B.ROOT-SERVERS.NET.
> . 517521 IN NS C.ROOT-SERVERS.NET.
> . 517521 IN NS A.ROOT-SERVERS.NET.
> . 517521 IN NS M.ROOT-SERVERS.NET.
> . 517521 IN NS K.ROOT-SERVERS.NET.
> . 517521 IN NS L.ROOT-SERVERS.NET.
> . 517521 IN NS E.ROOT-SERVERS.NET.
> . 517521 IN NS I.ROOT-SERVERS.NET.
> . 517521 IN NS J.ROOT-SERVERS.NET.
> . 517521 IN NS F.ROOT-SERVERS.NET.
> . 517521 IN NS G.ROOT-SERVERS.NET.
> . 517521 IN NS H.ROOT-SERVERS.NET.
>
> ;; Query time: 63 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct 3 10:19:38 2008
> ;; MSG SIZE rcvd: 292
> =====================================================================
> UNBOUND-SVN revision 1281:
> =====================================================================
> davinci ~ # dig www.xo.com
>
> ; <<>> DiG 9.5.0-P2 <<>> www.xo.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20202
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;www.xo.com. IN A
>
> ;; ANSWER SECTION:
> www.xo.com. 10800 IN A 205.158.160.76
>
> ;; AUTHORITY SECTION:
> xo.com. 10800 IN NS ns2.xo.com.
> xo.com. 10800 IN NS ns3.xo.com.
> xo.com. 10800 IN NS ns1.xo.com.
>
> ;; ADDITIONAL SECTION:
> ns1.xo.com. 10800 IN A 207.155.248.16
> ns2.xo.com. 10800 IN A 207.155.252.16
> ns3.xo.com. 10800 IN A 207.88.20.31
>
> ;; Query time: 562 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct 3 10:19:55 2008
> ;; MSG SIZE rcvd: 146
>
> davinci ~ # dig -x 205.158.160.76
>
> ; <<>> DiG 9.5.0-P2 <<>> -x 205.158.160.76
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28887
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;76.160.158.205.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 76.160.158.205.in-addr.arpa. 43200 IN PTR xonlbvip.pla.dc.xo.com.
>
> ;; AUTHORITY SECTION:
> 160.158.205.in-addr.arpa. 43200 IN NS nameserver.concentric.net.
> 160.158.205.in-addr.arpa. 43200 IN NS nameserver1.concentric.net.
> 160.158.205.in-addr.arpa. 43200 IN NS nameserver2.concentric.net.
> 160.158.205.in-addr.arpa. 43200 IN NS nameserver3.concentric.net.
> 160.158.205.in-addr.arpa. 10800 IN NS ns1.pla.dc.xo.com.
> 160.158.205.in-addr.arpa. 43200 IN NS ns1.pla.dc.xo.com.
>
> ;; Query time: 731 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct 3 10:20:06 2008
> ;; MSG SIZE rcvd: 230
>
> davinci ~ # dig -x 209.119.112.2
>
> ; <<>> DiG 9.5.0-P2 <<>> -x 209.119.112.2
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62990
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;2.112.119.209.in-addr.arpa. IN PTR
>
> ;; Query time: 765 msec
> ;; SERVER: 192.168.107.4#53(192.168.107.4)
> ;; WHEN: Fri Oct 3 10:20:17 2008
> ;; MSG SIZE rcvd: 44
> =====================================================================
>
> Notice that "dig -x 209.119.112.2" receives no answer when using unbound.
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
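
The "recursion-lame" condition described in the reply above (a delegated server that answers with RA set and AA clear), as an added example that is not part of the original message and is not Unbound's code. The classification rule, the decide() policy and the 192.0.2.x server addresses are simplifying assumptions; the sample replies are constructed.

```python
import struct

QR, AA, RA = 0x8000, 0x0400, 0x0080   # DNS header flag bits (RFC 1035)
PTR, IN = 12, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, target, flags):
    """Constructed sample PTR response: header, question, one answer record."""
    header = struct.pack("!6H", 0x1234, QR | flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!2H", PTR, IN)
    rdata = encode_name(target)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!2HIH", PTR, IN, 10800, len(rdata)) + rdata
    return header + question + answer

def classify(msg):
    """Classify one reply from a server the parent zone delegated to."""
    if len(msg) < 12:
        return "malformed"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        return "malformed"
    if flags & AA:
        return "authoritative"
    if ancount and flags & RA:
        # Answer came from a recursive cache, not from zone data.
        return "recursion-lame"
    return "non-authoritative"

def decide(replies):
    """replies maps server address to raw reply; returns (action, servers)."""
    kinds = {ip: classify(m) for ip, m in replies.items()}
    good = [ip for ip, k in kinds.items() if k == "authoritative"]
    if good:
        return "accept", good
    lame = [ip for ip, k in kinds.items() if k == "recursion-lame"]
    if lame and len(lame) == len(kinds):
        # Hypothetical last resort: query with RD set. The answer then comes
        # from a cache that may have been poisoned, so it is not preferred.
        return "last-resort-rd-query", lame
    return "servfail", []

if __name__ == "__main__":
    q, t = "2.112.119.209.in-addr.arpa.", "smtp.hq.theauditors.com."
    lame = build_response(q, t, RA)
    print(decide({"192.0.2.1": lame, "192.0.2.2": lame}))
```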