Re: [RFC] unbound: Increase timeout value for unknown dns-server

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1889 bytes --]

Hello,

> On 6 Jan 2021, at 12:02, Paul Simmons <mbatranch(a)gmail.com> wrote:
> 
> On 1/6/21 4:17 AM, Jonatan Schlag wrote:
>> When unbound has no information about a DNS-server
>> a timeout of 376 msec is assumed. This works well in a lot of situations,
>> but they mention in their documentation that this could be way too low.
>> They recommend a timeout of 1126 msec for satellite connections
>> (https://nlnetlabs.nl/documentation/unbound/unbound.conf).
>> Settings this value to 1126 msec should make the first queries to an
>> unknown server, more useful.
>> They do not timeout and so these queries do not need to be sent again.
>> 
>> On a stable link, this behaviour should not have negative implications.
>> As the first result of queries arrive the timeout value gets updated,
>> and the high value of 1126 msec gets set to something useful.
>> 
>> Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
>> ---
>>  config/unbound/unbound.conf | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index f78aaae8c..02f093015 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -62,6 +62,7 @@ server:
>>    	# Timeout behaviour
>>  	infra-keep-probing: yes
>> +	unknown-server-time-limit: 1128
>>    	# Bootstrap root servers
>>  	root-hints: "/etc/unbound/root.hints"

I am not entirely sure what this is supposed to fix.

It is possible that a DNS response takes longer than 376ms, indeed. Does it harm us if we send another packet? No.

So what is this changing in real life?

> This sounds promising to me, as I have many DNS lookup timeouts (ISP is HughesNot, er, HughesNet).

@Paul: I am not sure if the solution is to increase timeouts. In my point of view, you should change the name servers.

> 
> +1
> 
> Paul