Unbound can be made unresponsive when using DoT
Eric Luehrsen
ericluehrsen at gmail.com
Sat Jun 27 01:34:16 UTC 2020
On 6/23/20 11:38 AM, RayG via Unbound-users wrote:
> Hi,
>
> I have DoT & DNSSEC all set up and working and was carrying out some
> tests to ensure that the server and the forward servers (Cloudflare) were
> working as I expected.
>
> To that end I was using this test:
>
> https://www.grc.com/dns/dns.htm
>
> down the page you will see a button:
>
> “Initiate standard DNS spoofability test”
>
> When run, it carries out the test and returns results. If however you
> try using Dig or even a browser while the test is running nothing will
> function, Unbound is unresponsive.
>
> After the test returns you still have to wait some time before Unbound
> recovers and is once again useable.
>
> I am on Windows 10/64 (B18363.900-V1909) with an Intel Core i7 4930K @
> 3.40GHz Ivy Bridge-E 22nm with 32GB Memory. Using Unbound v1.10.1
>
> When I run the same test without DoT to the same forward servers
> everything seems to be OK and there is no hang or unresponsiveness.
>
> I appreciate that there is much more TCP traffic when using DoT but
> should Unbound become unresponsive?
>
> Is this an Unbound problem or something that I can resolve in the
> configuration?

There are more than a few Unbound resource settings. These include the
number of TCP and UDP ports to allow to be open at the same time. It is
probably best to give "unbound.conf" a read on the documentation page.
Also, Windows home-style editions often have some down tuning of these
available resources with respect to Windows professional-style editions.
- Eric
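
The resource settings the reply points to, shown as an added example that is not part of the original thread: an unbound.conf fragment for DoT forwarding to Cloudflare with the per-thread TCP and UDP limits written out. The option names are from the unbound.conf manual; every value is an illustrative assumption, not a tested fix for the hang reported above.

```conf
# Added illustration. Values are constructed to show which knobs exist;
# they are not recommendations from the thread or from the Unbound project.
server:
    # Outgoing TCP buffers per thread. With DoT forwarding, every query
    # in flight to the forwarder needs one of these. Default is 10.
    outgoing-num-tcp: 64

    # Incoming TCP buffers per thread, for clients that query Unbound
    # over TCP. Default is 10.
    incoming-num-tcp: 64

    # Number of ports to open at the same time for outgoing UDP queries,
    # per thread. The usable maximum depends on the platform's
    # file-descriptor limits and on how Unbound was built.
    outgoing-range: 256

    # Number of queries each thread services at once. Further queries
    # are dropped or have to displace older ones when this is full.
    num-queries-per-thread: 128

    # On Windows, load the system certificate store so the forwarder's
    # TLS certificate can be verified.
    tls-win-cert: yes

forward-zone:
    name: "."
    # Send all forwarded queries over TLS (DoT) on port 853.
    forward-tls-upstream: yes
    # The name after '#' is checked against the upstream certificate.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

After changing these, `unbound-checkconf` validates the file before the service is restarted.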