unbound dropping all queries with empty request list when used as a dns-over-tls forwarder

Mike Kazantsev mk.fraggod at gmail.com
Mon Apr 20 13:57:52 UTC 2020


On Mon, 20 Apr 2020 17:22:20 +0500
Mike Kazantsev <mk.fraggod at gmail.com> wrote:

> On Mon, 20 Apr 2020 13:44:22 +0200
> Renaud Allard <renaud at allard.it> wrote:
> 
> > On 4/20/20 12:16 PM, Mike Kazantsev via Unbound-users wrote:  
> > > 
> > > I've tried setting up unbound for the first time (to replace an existing
> > > dns setup based around the venerable djbdns), and seem to have stumbled
> > > into the following problem.
> > > 
> > > After as little as a dozen minutes and as much as several hours, the unbound
> > > daemon stops responding to queries without any kind of overt errors
> > > (e.g. warning/error-level logging) or indication that anything is abnormal.
> > 
> > Could you try with "so-reuseport: no" to see if that improves the situation?  
> 
> Thank you for the suggestion.
> 
> Did enable it now, switching back to using Cloudflare directly.
> Will report back if I see any issues or if it doesn't happen for a day
> or so (as none of the previous configurations worked that long).

Unfortunately, the same issue happened after 1:20:00 (1 hour 20 minutes,
checked logs for when I restarted it before and now).


To be clear, I've added "so-reuseport: no" to the main "server:" section,
commented out using the stubby backend (over regular tcp/udp), uncommented
the mandatory dns-tls one, and restarted unbound after that.

From what I can tell, dns queries were failing (responses timing out)
for at least a couple of minutes after unbound stopped responding to these.

Now reverted config back and restarted unbound again to fix the issue.


After writing the initial ML email (not being entirely sure if it's a bug),
I've also checked github issues and see that it's been planned to change
how DNS-over-TLS connections are handled (i.e. optimize/reuse them) in
the near future, so not entirely sure if this is worth addressing, even if
it's a bug in unbound and not some quirk of my setup or misconfiguration.
(i.e. relevant code will likely be rewritten anyway)

But if anyone can think of any other things to try or check here,
let me know, will be happy to do it.


-- 
Mike Kazantsev // fraggod.net

