From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [RFC] unbound: Increase timeout value for unknown dns-server
Date: Wed, 06 Jan 2021 15:14:52 +0000
Message-ID: <89BEBEA5-D070-49A3-899E-12CED79D6A95@ipfire.org>
In-Reply-To: <29ea1ac3-a966-23d6-62b1-a6ebdc216716@gmail.com>

Hello,

> On 6 Jan 2021, at 12:02, Paul Simmons wrote:
>
> On 1/6/21 4:17 AM, Jonatan Schlag wrote:
>> When unbound has no information about a DNS-server
>> a timeout of 376 msec is assumed. This works well in a lot of situations,
>> but they mention in their documentation that this could be way too low.
>> They recommend a timeout of 1126 msec for satellite connections
>> (https://nlnetlabs.nl/documentation/unbound/unbound.conf).
>> Setting this value to 1126 msec should make the first queries to an
>> unknown server, more useful.
>> They do not timeout and so these queries do not need to be sent again.
>>
>> On a stable link, this behaviour should not have negative implications.
>> As the first result of queries arrive the timeout value gets updated,
>> and the high value of 1126 msec gets set to something useful.
>>
>> Signed-off-by: Jonatan Schlag
>> ---
>> config/unbound/unbound.conf | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf >> index f78aaae8c..02f093015 100644 >> --- a/config/unbound/unbound.conf >> +++ b/config/unbound/unbound.conf
>> @@ -62,6 +62,7 @@ server: >> # Timeout behaviour >> infra-keep-probing: yes >> + unknown-server-time-limit: 1128 >> # Bootstrap root servers >> root-hints: "/etc/unbound/root.hints"

I am not entirely sure what this is supposed to fix.

It is possible that a DNS response takes longer than 376ms, indeed. Does it harm us if we send another packet? No. So what is this changing in real life?

> This sounds promising to me, as I have many DNS lookup timeouts (ISP is HughesNot, er, HughesNet).

@Paul: I am not sure if the solution is to increase timeouts. In my point of view, you should change the name servers.

>
> +1
>
> Paul
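Review bot: the added line sets unknown-server-time-limit: 1128, but the commit message argues for 1126 msec throughout and attributes that figure to the unbound documentation's recommendation for satellite connections. Either change the value to 1126 or correct the message so the two agree. The new option also sits under the existing "# Timeout behaviour" comment with no comment of its own; a short note that it raises the 376 msec assumption for servers unbound has no information about would make the reason for the non-default value visible in the file.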