Unbound can be made unresponsive when using DoT

RayG rgsub1 at btinternet.com
Sat Jun 27 16:16:15 UTC 2020

Hi Eric,

Thanks for your thoughts - did you have any suggestions as to which
parameters should be adjusted to what sort of value?

It seems that a lot of the issues I am seeing revolve around these entries:

7/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] info:
Capsforid: reply is equal. go to next fallback
27/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] info:
processQueryTargets: cid-d42a2173fbacf7ce.users.storage.live.com. AAAA IN
27/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] debug:
request cid-d42a2173fbacf7ce.users.storage.live.com. has exceeded the
maximum number of glue fetches 17 to a single delegation point
27/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] debug:
return error response SERVFAIL

I see many of them and there seems to be a limit of 17 - I have to admit I
am not sure which parameter to tweak, I have tried many of the more obvious
ones but to no avail. Apart from the unresponsiveness the errors above are
random in that the queries work sometimes but not every time. This causes
processes to fail as they think they can no longer access the resource they
are after on the internet, some retry but others just give up and exit.

With respect to the Capsforid This changes queries to a random
upper/lowercase characters which is present to thwart spoofing. That said
unbound does not as far as I can see show you what was sent and what was
received so its difficult to ascertain if it's a specific server or
something else. The query example above will go around a number of servers
each look as above and then the whole thing gives up. I really am not sure
what is going on here?

I saw this bug:
which is still unresolved I think but I have 'qname-minimisation:' set to no

Any further suggestions willing accepted and tried out.



2-----Original Message-----
From: Eric Luehrsen <ericluehrsen at gmail.com> 
Sent: 27 June 2020 02:34
To: unbound-users at nlnetlabs.nl
Subject: Re: Unbound can be made unresponsive when using DoT

On 6/23/20 11:38 AM, RayG via Unbound-users wrote:
> Hi,
> I have DoT & DNSSEC all set up and working and was carrying out some 
> tests to ensure that the server and the forward servers (Cloudflare) 
> was working as I expected.
> To that end I was using this test:
> https://www.grc.com/dns/dns.htm
> down the page you will see a button:
> "Initiate standard DNS spoofability test"
> When run, it carries out the test and returns results. If however you 
> try using Dig or even a browser while the test is running nothing will 
> function, Unbound is unresponsive.
> After the test returns you still have to wait some time before Unbound 
> recovers and is once again useable.
> I am on Windows 10/64 (B18363.900-V1909) with an Intel Core i7 4930K @ 
> 3.40GHz Ivy Bridge-E 22nm with 32GB Memory. Using Unbound v1.10.1
> When I run the same test without DoT to the same forward servers 
> everything seems to be OK and there is no hang or unresponsiveness.
> I appreciate that there is much more TCP traffic when using DoT but 
> should Unbound become unresponsive?
> Is this an Unbound problem or something that I can resolve in the 
> configuration?

There are more than a few Unbound resource settings. These include the
number of TCP and UDP ports to allow to be open at the same time. It is
probably best to give "unbound.conf" a read on the documentation page. 
Also Windows home-style editions often have some down tuning of these
available resources with respect to Windows professional-style editions.

- Eric

More information about the Unbound-users mailing list