Cascading timeouts on forwarders leading to DoS

Graeme Lee graeme at ercwyne.com
Mon Oct 20 23:08:11 UTC 2025


I have a weird problem with timeouts blocking upstream forwarders when there are excessive timeouts on lookups.

Here's a quick outline of the setup:

Core DNS (Unbound) -> Edge Forwarder DNS (Unbound) -> Internet

When a request originates from the core to the internet (e.g. for zone . ), if the destination DNS server is unresponsive for whatever reason, the Core DNS times out BEFORE the edge forwarder. This increases the eto timeout, and eventually, under enough load and unresponsiveness from the offending off-network DNS, the edge forwarder is blocked, even though there is actually no problem with it. And no DNS stops the network.

The forwarding zone is . so it will still eventually time out.  Adjusting infra-cache-min-rtt and max-rtt seems only to delay the onset of this issue.

Any clues to prevent forwarders from ever being blocked (or even moving into 'probing') would be greatly appreciated.

Kind regards,
Graeme
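A way to see whether Unbound has actually pushed the forwarder into the "down / probing" state the post describes is to read the infra cache with `unbound-control dump_infra` and look at the `rto` value for the forwarder's address. The script below is an added example, not part of the original post and not Unbound's own tooling: it parses a constructed sample in the `ip name ttl N ping N var N rtt N rto N ...` shape that dump_infra prints (the sample addresses and values are made up), and flags any host whose rto has hit the ceiling. The 120000 ms threshold is the value Unbound uses internally as its top server timeout (USEFUL_SERVER_TOP_TIMEOUT) and is an assumption of this example; the "probing" regime the poster mentions is what Unbound applies to hosts at that ceiling.

```shell
#!/bin/sh
# Added example: triage a `unbound-control dump_infra` dump for upstream
# addresses that Unbound has effectively taken out of rotation.
# The line format follows what dump_infra prints
# (ip name ttl N ping N var N rtt N rto N tA N tAAAA N tother N ...);
# the sample below is constructed, not taken from the poster's system.

# Assumption: Unbound treats an rto at or above this many milliseconds as
# "server is down" and only sends one probe query at a time to it
# (USEFUL_SERVER_TOP_TIMEOUT in the Unbound source).
DOWN_RTO_MS=120000

# Constructed sample of dump_infra output: the edge forwarder (192.0.2.53)
# has been driven to the ceiling by cascading timeouts for zone ".", a
# healthy root server has not, and one authoritative server is merely slow.
SAMPLE_DUMP='192.0.2.53 . ttl 842 ping 14 var 8 rtt 46 rto 120000 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 1729467900 lame dnssec 0 rec 0 A 0 other 0
198.41.0.4 . ttl 900 ping 12 var 3 rtt 24 rto 24 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
203.0.113.7 example. ttl 120 ping 300 var 200 rtt 1100 rto 1100 tA 0 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0'

# Reads dump_infra lines on stdin and prints "ip zone rto state" per line.
# state is DOWN when rto >= DOWN_RTO_MS (host is in the probe-one-at-a-time
# regime), SLOW when the rto has backed off past 1 s, otherwise OK.
# Lines without an rto field (e.g. "ip name expired") are skipped.
classify_infra() {
    awk -v down="$DOWN_RTO_MS" '
        {
            rto = ""
            for (i = 3; i < NF; i++) if ($i == "rto") { rto = $(i + 1); break }
            if (rto == "") next
            state = "OK"
            if (rto + 0 >= down) state = "DOWN"
            else if (rto + 0 > 1000) state = "SLOW"
            print $1, $2, rto, state
        }'
}

# Reads dump_infra lines on stdin and prints only the addresses marked DOWN.
down_hosts() {
    classify_infra | awk '$4 == "DOWN" { print $1 }'
}

# Run over the constructed sample; on a live server replace this with
#   unbound-control dump_infra | classify_infra
printf '%s\n' "$SAMPLE_DUMP" | classify_infra
```

Against a live resolver, source the file and pipe `unbound-control dump_infra` into `classify_infra` or `down_hosts`; if the forwarder's address shows up as DOWN while the forwarder itself answers `dig` directly, the infra cache, not the forwarder, is what is blocking resolution. `unbound-control flush_infra <ip>` clears that one entry as a stopgap, and the `infra-keep-probing` option in unbound.conf(5) (check that it exists in your installed version) changes how Unbound treats hosts once they reach the down state; whether either is appropriate for a forwarder of zone "." is a judgement for the operator, since the post itself does not settle it.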