From: Paul Simmons
To: development@lists.ipfire.org
Subject: Re: [RFC] unbound: Increase timeout value for unknown dns-server
Date: Fri, 08 Jan 2021 02:25:59 -0600
Message-ID: <94482533-2b11-9af4-1b08-b8b8f0f6332e@gmail.com>
In-Reply-To: <89BEBEA5-D070-49A3-899E-12CED79D6A95@ipfire.org>

On 1/6/21 9:14 AM, Michael Tremer wrote:
> Hello,
>
>> On 6 Jan 2021, at 12:02, Paul Simmons wrote:
>>
>> On 1/6/21 4:17 AM, Jonatan Schlag wrote:
>>> When unbound has no information about a DNS-server
>>> a timeout of 376 msec is assumed. This works well in a lot of situations,
>>> but they mention in their documentation that this could be way too low.
>>> They recommend a timeout of 1126 msec for satellite connections
>>> (https://nlnetlabs.nl/documentation/unbound/unbound.conf).
>>> Setting this value to 1126 msec should make the first queries to an
>>> unknown server, more useful.
>>> They do not timeout and so these queries do not need to be sent again.
>>>
>>> On a stable link, this behaviour should not have negative implications.
>>> As the first result of queries arrive the timeout value gets updated,
>>> and the high value of 1126 msec gets set to something useful.
>>>
>>> Signed-off-by: Jonatan Schlag
>>> ---
>>> config/unbound/unbound.conf | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf >>> index f78aaae8c..02f093015 100644 >>> --- a/config/unbound/unbound.conf >>> +++ b/config/unbound/unbound.conf
>>> @@ -62,6 +62,7 @@ server: >>> # Timeout behaviour >>> infra-keep-probing: yes >>> + unknown-server-time-limit: 1128 >>> # Bootstrap root servers >>> root-hints: "/etc/unbound/root.hints"
> I am not entirely sure what this is supposed to fix.
>
> It is possible that a DNS response takes longer than 376ms, indeed. Does it harm us if we send another packet? No.
>
> So what is this changing in real life?
>
>> This sounds promising to me, as I have many DNS lookup timeouts (ISP is HughesNot, er, HughesNet).
> @Paul: I am not sure if the solution is to increase timeouts. In my point of view, you should change the name servers.
>
>> +1
>>
>> Paul

Greetings, Michael. The two DNS servers I use have ping times of 631ms (addr 9.9.9.10) and 742ms (addr 81.3.27.54).

I tested the ping times of the first 27 IPv4 addresses of servers listed in the wiki.

The times ranged from 596ms to 857ms, so I question if changing servers will afford any measurable relief.

Thank you,
Paul
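
Review bot: the value in the added line `unknown-server-time-limit: 1128` does not match the commit message, which gives 1126 msec in all three places it names the new timeout. Please check the figure against the linked unbound.conf documentation and make the commit message and the config agree. The new setting also lands under `# Timeout behaviour` with no explanation of its own; a one-line comment saying that it raises the initial timeout for servers unbound has no data on (from the 376 msec mentioned in the commit message), and that it is aimed at high-latency links, would spare the next reader a trip to the commit log.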