Unbound can be made unresponsive when using DoT

RayG rgsub1 at btinternet.com
Sun Jun 28 14:57:38 UTC 2020

Hi Renaud,

Thanks for that suggestion - there is a definite improvement and it is possible to use DIG etc. to carry out other queries when that DNS Spoofability test is running. That test runs MUCH quicker and the results are excellent (which is good).

From that I can see that the Quad9 servers are not as well set up as Cloudflare.

I am still looking at the performance side along with testing some other parameters that may (or may not) improve things.

I will let you know if there is interest?

So far that one single change has made a world of difference - thanks.


-----Original Message-----
From: Renaud Allard <renaud at allard.it> 
Sent: 27 June 2020 17:56
To: RayG <rgsub1 at btinternet.com>
Subject: Re: Unbound can be made unresponsive when using DoT

Hi Ray,

Could you test with "so-reuseport: no" in your config? I don't know if 
Windows uses this, but I had stalling issues with DoT on BSD and they 
all stopped when I disabled port reuse.


On 27/06/2020 18:16, RayG via Unbound-users wrote:
> Hi Eric,
> Thanks for your thoughts - did you have any suggestions as to which
> parameters should be adjusted to what sort of value?
> It seems that a lot of the issues I am seeing revolve around these entries:
> 7/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] info:
> Capsforid: reply is equal. go to next fallback
> 27/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] info:
> processQueryTargets: cid-d42a2173fbacf7ce.users.storage.live.com. AAAA IN
> 27/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] debug:
> request cid-d42a2173fbacf7ce.users.storage.live.com. has exceeded the
> maximum number of glue fetches 17 to a single delegation point
> 27/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:0] debug:
> return error response SERVFAIL
> I see many of them and there seems to be a limit of 17 - I have to admit I
> am not sure which parameter to tweak, I have tried many of the more obvious
> ones but to no avail. Apart from the unresponsiveness the errors above are
> random in that the queries work sometimes but not every time. This causes
> processes to fail as they think they can no longer access the resource they
> are after on the internet, some retry but others just give up and exit.
> With respect to the Capsforid: this changes queries to random
> upper/lowercase characters, which is present to thwart spoofing. That said,
> unbound does not, as far as I can see, show you what was sent and what was
> received, so it's difficult to ascertain if it's a specific server or
> something else. The query example above will go around a number of servers,
> each looks as above, and then the whole thing gives up. I really am not sure
> what is going on here?
> I saw this bug:
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4243
> which is still unresolved I think but I have 'qname-minimisation:' set to no
> anyway.
> Any further suggestions willingly accepted and tried out.
> Thanks
> Ray
> -----Original Message-----
> From: Eric Luehrsen <ericluehrsen at gmail.com>
> Sent: 27 June 2020 02:34
> To: unbound-users at nlnetlabs.nl
> Subject: Re: Unbound can be made unresponsive when using DoT
> On 6/23/20 11:38 AM, RayG via Unbound-users wrote:
>> Hi,
>> I have DoT & DNSSEC all set up and working and was carrying out some
>> tests to ensure that the server and the forward servers (Cloudflare)
>> were working as I expected.
>> To that end I was using this test:
>> https://www.grc.com/dns/dns.htm
>> down the page you will see a button:
>> "Initiate standard DNS spoofability test"
>> When run, it carries out the test and returns results. If however you
>> try using Dig or even a browser while the test is running nothing will
>> function, Unbound is unresponsive.
>> After the test returns you still have to wait some time before Unbound
>> recovers and is once again useable.
>> I am on Windows 10/64 (B18363.900-V1909) with an Intel Core i7 4930K @
>> 3.40GHz Ivy Bridge-E 22nm with 32GB Memory. Using Unbound v1.10.1
>> When I run the same test without DoT to the same forward servers
>> everything seems to be OK and there is no hang or unresponsiveness.
>> I appreciate that there is much more TCP traffic when using DoT but
>> should Unbound become unresponsive?
>> Is this an Unbound problem or something that I can resolve in the
>> configuration?
> There are more than a few Unbound resource settings. These include the
> number of TCP and UDP ports to allow to be open at the same time. It is
> probably best to give "unbound.conf" a read on the documentation page.
> Also Windows home-style editions often have some down tuning of these
> available resources with respect to Windows professional-style editions.
> - Eric
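
The thread above notes that the glue-fetch SERVFAILs are hard to tie to a specific name or server. As an added example (not code from the thread or from the Unbound project), this script tallies capsforid fallbacks, glue-limit hits and the resulting SERVFAILs per query name from a log in the layout quoted above. It assumes one unwrapped record per line, attributes a fallback to the next `processQueryTargets` on the same thread, and uses constructed `example.com` sample lines.

```python
import re
from collections import Counter

# Record layout as quoted in the thread:
# "<date> <time> <program>[<pid>:<thread>] <level>: <message>"
RECORD = re.compile(r"^(\S+ \S+) (.+?)\[(\d+):(\d+)\] (\w+): (.*)$")
TARGETS = re.compile(r"^processQueryTargets: (\S+) (\S+) (\S+)$")
GLUE = re.compile(r"^request (\S+) has exceeded the maximum number of glue "
                  r"fetches (\d+) to a single delegation point$")

def triage(lines):
    """Tally capsforid fallbacks, glue-limit hits and SERVFAILs per query name."""
    fallbacks, glue_hits, servfails = Counter(), Counter(), Counter()
    pending = Counter()  # per thread: fallbacks not yet tied to a query name
    last_glue = {}       # per thread: query name of the latest glue-limit hit
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue     # wrapped fragment or foreign line: skip, do not guess
        thread, msg = (m.group(3), m.group(4)), m.group(6)
        if msg.startswith("Capsforid: reply is equal. go to next fallback"):
            pending[thread] += 1
        elif (t := TARGETS.match(msg)):
            # Assumption: a fallback belongs to the next query on that thread.
            fallbacks[t.group(1)] += pending.pop(thread, 0)
            last_glue.pop(thread, None)
        elif (g := GLUE.match(msg)):
            glue_hits[g.group(1)] += 1
            last_glue[thread] = g.group(1)
        elif msg == "return error response SERVFAIL" and thread in last_glue:
            servfails[last_glue.pop(thread)] += 1
    return {"fallbacks": +fallbacks, "glue_hits": glue_hits, "servfails": servfails}

# Constructed sample lines modelled on the quoted log; names are placeholders.
P = r"27/06/2020 16:55:33 C:\Program Files\Unbound\unbound.exe[1756:%d] "
SAMPLE = [
    P % 0 + "info: Capsforid: reply is equal. go to next fallback",
    P % 0 + "info: processQueryTargets: a.example.com. AAAA IN",
    P % 0 + "debug: request a.example.com. has exceeded the maximum number "
            "of glue fetches 17 to a single delegation point",
    P % 0 + "debug: return error response SERVFAIL",
    P % 1 + "debug: return error response SERVFAIL",  # no glue hit on thread 1
    "maximum number of glue fetches 17 to a single delegation point",  # wrapped
]

if __name__ == "__main__":
    for kind, counts in triage(SAMPLE).items():
        print(kind, dict(counts))
```

Running it before and after a configuration change such as "so-reuseport: no" gives a like-for-like count of failing names rather than an impression from scrolling the log.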
