serve-expired-client-timeout: noob issue
George Thessalonikefs
george at nlnetlabs.nl
Mon Mar 2 15:24:35 UTC 2020
Hi Chris,
I was unable to reproduce the behavior here.
Could you perhaps increase verbosity (4) and share the logfile when that
happens?
I assume
include: /etc/unbound/dnsbl1.conf
just includes local data for blacklisting, is that the case?
Also a couple of notes on your config:
- tls-session-ticket-keys:
expects a filename not a yes/no value; you can read more at the
unbound.conf man page. But it is also not used with your configuration
as you don't do downstream TLS.
- forward-addr:
you can also specify the hostname to use when doing DNS over TLS like
<ip>@<port>#<hostname>
You can find more info at
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers#DNSPrivacyPublicResolvers-DNS-over-TLS(DoT)
Best regards,
-- George
On 29/02/2020 17:50, Chris via Unbound-users wrote:
> I am unskilled at DNS. I have just enough knowledge to be annoying.
>
> I've been running Unbound at rDNS for years on a home server to get
> better performance, DNSSEC and DoTLS 1.3 using 1.1.1.1
>
> This has worked great. Moving to 1.10.0 was uneventful.
>
> Until... I set the serve-expired stuff to draft-ietf recommendations.
> Specifically, if I set serve-expired-client-timeout: to any value other
> than 0 (enable it), then after like 5 mins things stop resolving.
>
> I get a strange issue that appears. "Number of queries dropped due to
> lack of space" shows EVERY query is dropped. This is very odd as my
> request list is near empty. This starts like 5-10 mins after starting
> Unbound.
>
> I do have a weird config for sure tho. I am compiling with
> --with-libevent --without-pthreads --without-solaris-threads my conf is
> below.
>
> daily graph
>
>
> unbound.conf:
>
> server:
> val-log-level: 1
> use-syslog: yes
> verbosity: 0
> access-control: 10.0.0.0/8 allow
> access-control: 192.168.88.0/24 allow
> access-control: 127.0.0.0/8 allow
> tls-session-ticket-keys: yes
> aggressive-nsec: yes
> cache-max-ttl: 7200
> cache-min-ttl: 360
> do-ip4: yes
> do-ip6: no
> do-tcp: yes
> harden-below-nxdomain: yes
> harden-glue: yes
> harden-referral-path: yes
> harden-large-queries: yes
> harden-dnssec-stripped: yes
> harden-short-bufsize: yes
> harden-algo-downgrade: yes
> target-fetch-policy: "4 3 2 1 0"
> hide-identity: yes
> hide-version: yes
> hide-trustanchor: yes
> root-hints: "/usr/local/etc/unbound/root.hints"
> interface: 10.1.1.7
> interface: 10.1.1.8
> interface: 10.1.1.6
> interface: 10.1.1.11
> interface: 192.168.88.50
> interface: 192.168.88.51
> outgoing-interface: 192.168.88.50
> outgoing-interface: 192.168.88.51
> outgoing-port-permit: 25000-45000
> outgoing-num-tcp: 100
> incoming-num-tcp: 30
> minimal-responses: yes
> num-threads: 6
> outgoing-range: 4096
> num-queries-per-thread: 2048
> pidfile: "/var/run/unbound.pid"
> port: 53
> prefetch: yes
> prefetch-key: yes
> rrset-roundrobin: yes
> so-reuseport: yes
> tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
> use-caps-for-id: yes
> statistics-cumulative: no
> extended-statistics: yes
> statistics-interval: 0
> private-address: 10.0.0.0/8
> private-address: 192.168.88.0/24
> val-clean-additional: yes
>
> include: /etc/unbound/dnsbl1.conf
>
> serve-expired: yes
> serve-expired-ttl: 259200
> serve-expired-ttl-reset: yes
> serve-expired-reply-ttl: 30
> # serve-expired-client-timeout: 1800
>
> # Speed tweaks
> msg-cache-slabs: 1
> rrset-cache-slabs: 1
> infra-cache-slabs: 1
> key-cache-slabs: 1
> rrset-cache-size: 100m
> msg-cache-size: 50m
> so-rcvbuf: 4m
> so-sndbuf: 4m
>
> remote-control:
> control-enable: yes
> control-interface: 0.0.0.0
> control-use-cert: no
>
> forward-zone:
> name: "."
>
> #Secure DNS over TLS
>
> forward-tls-upstream: yes
> forward-addr: 1.1.1.1@853 #Cloudflare
> forward-addr: 1.0.0.1@853 #Cloudflare
> # forward-addr: 8.8.8.8@853 #Google
> # forward-addr: 8.8.4.4@853 #Google
> # forward-addr: 9.9.9.9@853 # quad9.net
> # forward-addr: 149.112.112.112@853 # quad9.net
>
>
>
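The two config notes in George's reply (tls-session-ticket-keys taking a file name, and forward-addr carrying a #hostname for authenticated DoT) can be checked mechanically. The script below is an added illustration, not part of the thread or of Unbound itself; its sample config is constructed from the lines above, with the archive's " at " obfuscation of "@" undone, and the forward-addr grammar it parses is the <ip>[@<port>][#<auth-name>] form from the unbound.conf man page.

```python
import re

# Constructed sample, not the poster's full file: the lines George commented
# on, with pipermail's " at " obfuscation of "@" already undone.
SAMPLE_CONF = """\
server:
    tls-session-ticket-keys: yes
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853 #Cloudflare
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

# unbound.conf forward-addr value: <ip>[@<port>][#<auth-name>]
ADDR_RE = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?$")
# A '#' only starts a comment at line start or after whitespace, so the
# '#cloudflare-dns.com' glued to an address survives this strip.
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def lint_unbound(conf: str) -> list[str]:
    """Return findings for the two config problems raised in the thread."""
    findings = []
    tls_upstream = False
    for raw in conf.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if ":" not in line:
            continue
        # partition() splits on the first ':' only, so IPv6 values stay intact
        key, _, value = (p.strip() for p in line.partition(":"))
        value = value.strip('"')
        if key == "tls-session-ticket-keys" and value.lower() in ("yes", "no"):
            findings.append(f"{key}: expects a file name, got {value!r}")
        elif key == "forward-tls-upstream":
            tls_upstream = value.lower() == "yes"
        elif key == "forward-addr":
            m = ADDR_RE.match(value)
            if m is None:
                findings.append(f"forward-addr: unparsable value {value!r}")
            elif tls_upstream and m.group("name") is None:
                # Without an auth name Unbound has no name to verify the
                # upstream certificate against, so the DoT peer is unauthenticated.
                findings.append(
                    f"forward-addr {m.group('ip')}: DoT upstream without #auth-name, "
                    "so the server certificate is not checked against a name")
    return findings


if __name__ == "__main__":
    for finding in lint_unbound(SAMPLE_CONF):
        print(finding)
```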