unbound asks for A record, when txt requested

Oliver unbound at t8.de
Thu Sep 12 10:20:48 UTC 2019


I found a strange behavior with unbound 1.6.0 as resolver. When I send a
request for a "TXT" record, unbound first asks for an "A" record.

Normally this is not a problem, but we now have a problem with a DNS server
which only answers to "TXT" records. When you ask for an "A" record you
get no response and you have to wait for the timeout.

Here is an example:
DNS-Name: urvfr.qr.m.05.s.sophosxl.net
authoritative name server for m.05.s.sophosxl.net: ns.sxl31.sophosxl.net.

Unbound tries to fetch the "A" records from both nameservers and runs into
a timeout, and after the timeout there is the "TXT" record request.
12:01:31.279241 19073% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.329441 49899% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.430434 55169% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.530833 20653% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.731961 18091% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.132984 54968% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.933638 1330% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.963046 47544% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.994500 9287% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.026025 28622% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.057624 8529% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.088539 30851% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)

Because the TTL for the entry is only 10 seconds, this problem happens very
often. Also the part before m.05.s.sophosxl.net is dynamic.

This is used by some kind of Sophos endpoint protection. The client sends
several requests for each website it tries to reach. So this ends up in a total
wait time of 60 seconds for every website the client tries to reach.

Here is the config:
   # localhost
   access-control: allow
   access-control: allow
   access-control: allow
   access-control: allow
   hide-identity: yes
   hide-version: yes
   minimal-responses: yes
   prefetch: yes
   qname-minimisation: yes
   rrset-roundrobin: yes
   use-caps-for-id: yes
   verbosity: 1
   cache-max-negative-ttl: 300

Can I change this behavior or is this fixed in a newer version?

I can provide captures if needed.

Best regards,


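Added example, not part of the original post: a small Python script that reads query lines in the trimmed tcpdump format quoted above and reports, per name, how many queries of other types were sent and how long the lookup stalled before the first query of the requested type. The function names are hypothetical; the embedded lines are copied from the post's capture.

```python
import re
from datetime import datetime

# Query lines copied from the capture quoted in the post above.
CAPTURE = """\
12:01:31.279241 19073% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.329441 49899% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.430434 55169% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.530833 20653% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:31.731961 18091% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.132984 54968% [1au] A?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.933638 1330% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.963046 47544% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:32.994500 9287% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.026025 28622% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.057624 8529% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
12:01:33.088539 30851% [1au] TXT?  urvfr.qr.m.05.s.sophosxl.net. (57)
"""

# Timestamp, anything (query id, flags, EDNS marker), then "TYPE? qname".
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6})\s.*?\s([A-Z][A-Z0-9]*)\?\s+(\S+)")

def parse(text):
    """Yield (timestamp, qtype, lowercased qname) for each query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            yield ts, m.group(2), m.group(3).lower()

def stall_before(text, wanted):
    """Per qname: (other-type query count, seconds) before the first `wanted` query."""
    first_seen, others, report = {}, {}, {}
    for ts, qtype, qname in parse(text):
        if qname in report:
            continue  # only the lead-up to the first wanted-type query matters
        if qtype != wanted:
            first_seen.setdefault(qname, ts)
            others[qname] = others.get(qname, 0) + 1
            continue
        delay = (ts - first_seen.get(qname, ts)).total_seconds()
        if delay < 0:
            delay += 86400  # capture crossed midnight; timestamps carry no date
        report[qname] = (others.get(qname, 0), delay)
    return report

if __name__ == "__main__":
    for name, (count, delay) in stall_before(CAPTURE, "TXT").items():
        print(f"{name}: {count} non-TXT queries, {delay:.3f}s before first TXT")
```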