I've blatantly copied tedu@'s subject line from
http://www.tedunangst.com/flak/post/the-day-some-of-the-DNS-stopped
since he's a developer and I believe I've run into the same issue.
Almost every time the Internet connection goes down at home, unbound
1.5.7 on my 5.9-release router partly goes down with it and continues
to do so even when the Internet comes back up. After the Internet is
back up, unbound is doing the following even an hour afterwards and
all local and non-local queries to the names in dump_requestlist
simply time out:
$ unbound-control dump_requestlist
thread #0
# type cl name seconds module status
0 A IN 0.asia.pool.ntp.org. 3946.913123 iterator wants (empty_list)
1 A IN au.v4.download.windowsupdate.com. 5064.308753 iterator wants (empty_list)
2 A IN api.branch.io. 2327.015803 iterator wants (empty_list)
3 A IN app.adjust.com. 2326.984225 iterator wants (empty_list)
4 A IN fe2.update.microsoft.com. 5170.824266 iterator wants (empty_list)
5 A IN v10.vortex-win.data.microsoft.com. 5064.296510 iterator wants (empty_list)
6 A IN www.apple.com. 5609.053946 iterator wants (empty_list)
7 A IN chat.us.freenode.net. 3386.286994 iterator wants (empty_list)
8 A IN apple.com. 5608.955094 iterator wants (empty_list)
9 A IN usapi.hik-online.com. 2463.221212 iterator wants (empty_list)
10 A IN guzzoni.apple.com. 5612.065951 iterator wants (empty_list)
11 A IN time-ios.apple.com. 5612.013224 iterator wants (empty_list)
12 A IN alt1-mtalk.google.com. 5460.098682 iterator wants (empty_list)
13 A IN init-p01st.push.apple.com. 2461.748309 iterator wants (empty_list)
14 A IN safebrowsing.clients.google.com. 5612.854753 iterator wants (empty_list)
15 A IN settings-win.data.microsoft.com. 5609.266007 iterator wants (empty_list)
16 A IN media-cache-ak0.pinimg.com. 2317.233661 iterator wants (empty_list)
17 A IN p06-ckdatabase-current.edge.icloud.apple-dns.net. 2768.238111 iterator wants (empty_list)
18 AAAA IN 0.asia.pool.ntp.org. 3976.946286 iterator wants (empty_list)
19 AAAA IN 0.africa.pool.ntp.org. 3916.874747 iterator wants (empty_list)
20 AAAA IN connectivitycheck.gstatic.com. 5422.074636 iterator wants (empty_list)
$ unbound-control dump_infra
67.212.140.4 winisp.net. expired rto 120000
198.41.0.4 . expired rto 120000
198.97.190.53 . expired rto 120000
192.58.128.30 . expired rto 120000
192.228.79.201 . expired rto 120000
75.75.76.76 . ttl 140 ping 10 var 39 rtt 166 rto 166 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
199.7.83.42 . expired rto 120000
204.236.132.56 searchfleet.com. expired rto 120000
75.75.75.75 . ttl 136 ping 9 var 15 rtt 69 rto 69 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.36.148.17 . expired rto 120000
202.12.27.33 . expired rto 120000
unbound-control flush_requestlist resolves the problem, but I'd like
this to be resolved without outside intervention and the expired
entries in dump_infra still remain afterward. Any unbound experts
care to chime in? I figured I'd try here first since unbound is in
base, but I might send this to the unbound-users mailing lists as
well. My unbound.conf is below with some personal information
removed.
remote-control:
    control-enable: yes
    # control-use-cert: no
    server-key-file: "/var/unbound/etc/unbound_server.key"
    server-cert-file: "/var/unbound/etc/unbound_server.pem"
    control-key-file: "/var/unbound/etc/unbound_control.key"
    control-cert-file: "/var/unbound/etc/unbound_control.pem"

server:
    extended-statistics: yes
    num-threads: 2
    msg-cache-size: 8m # default is 4m
    # Should be double msg-cache-size
    rrset-cache-size: 16m
    # This was increased from 1024 since the recommendation is to
    # have the outgoing-range be twice this value and this value is
    # 1024 by default
    num-queries-per-thread: 2048
    interface: 0.0.0.0
    interface: ::1
    # do-ip6: no
    # Reduce TTL for hosts. Hopefully this will resolve DNS issues
    # when connectivity issues occur.
    # Default is 900 seconds.
    infra-host-ttl: 300
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    # root-hints: "/var/unbound/etc/root.hints"
    hide-identity: yes
    hide-version: yes
    prefetch: yes

forward-zone:
    name: "." # use for ALL queries
    forward-addr: 75.75.75.75 # Comcast
    forward-addr: 75.75.76.76 # Comcast
    forward-first: yes # try direct if forwarder fails
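A watchdog that detects the stuck state described in the post and clears it without manual intervention, added here as an example (it is not from the original post or from the unbound project). It parses the `dump_requestlist` format shown above, counts entries whose "seconds" column exceeds a threshold, and when any are found issues `flush_requestlist` and `flush_infra all`; the sample dump, the 600-second threshold and the `run` argument are constructed assumptions.

```shell
#!/bin/sh
# Watchdog for a wedged unbound request list (added example, not from the post).
# Intended to be run from cron on the router, e.g. every 5 minutes:
#   */5 * * * * /usr/local/bin/unbound-watchdog.sh run 600

# Constructed sample in the same format as `unbound-control dump_requestlist`.
SAMPLE_DUMP='thread #0
# type cl name seconds module status
0 A IN 0.asia.pool.ntp.org. 3946.913123 iterator wants (empty_list)
1 A IN www.example.org. 2.501000 iterator wants (empty_list)
thread #1
# type cl name seconds module status
0 AAAA IN connectivitycheck.gstatic.com. 5422.074636 iterator wants (empty_list)'

# count_stale THRESHOLD < dump : prints how many entries are older than THRESHOLD seconds.
count_stale() {
    awk -v limit="$1" '
        /^thread/ || /^#/ { next }              # skip thread and column headers
        NF >= 5 && ($5 + 0) > limit { n++ }     # column 5 is the age in seconds
        END { print n + 0 }'
}

# stale_names THRESHOLD < dump : prints the names of stale entries, one per line.
stale_names() {
    awk -v limit="$1" '/^thread/ || /^#/ { next } NF >= 5 && ($5 + 0) > limit { print $4 }'
}

# check_and_flush THRESHOLD : query the running daemon and flush if it is stuck.
# Returns 0 when nothing was stale, 1 when a flush was issued, 2 if unbound-control failed.
check_and_flush() {
    dump=$(unbound-control dump_requestlist) || return 2
    stale=$(printf '%s\n' "$dump" | count_stale "$1")
    [ "$stale" -eq 0 ] && return 0
    logger -t unbound-watchdog "$stale request(s) older than ${1}s, flushing request list and infra cache"
    # flush_requestlist is what the post found resolves the hang; flush_infra all
    # also drops the 'expired rto 120000' entries that otherwise linger in dump_infra.
    unbound-control flush_requestlist >/dev/null
    unbound-control flush_infra all >/dev/null
    return 1
}

# Only touch the live daemon when explicitly asked (`run [threshold]`).
if [ "${1:-}" = "run" ]; then
    check_and_flush "${2:-600}"
fi
```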