Unbound Srvfail cache

Hi folks,

We have a situation here with Unbound: during an internet outage of an hour or so, Unbound keeps replying with SERVFAIL for valid domains even after it regains access to the internet. To fix this, I have to reload or restart Unbound.

This happens every time we lose internet for more than 30 minutes or so.

Any way to fix this?

Appreciate your time.

OS: CentOS 7.3

Unbound: Version 1.4.20

Config:

server:
    access-control: 0.0.0.0/0 deny
    access-control: x.x.x.x/x allow

    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 16
    interface: xx.xx.xx.xx
    interface: xx.xx.xx.xx
    interface: xx.xx.xx.xx
    interface: xx.xx.xx.xx
    interface: 127.0.0.1
    interface-automatic: no
    port: 53
    outgoing-range: 8196
    num-queries-per-thread: 1600
    outgoing-num-tcp: 100
    incoming-num-tcp: 100
    so-rcvbuf: 8m
    so-sndbuf: 8m
    msg-cache-size: 2G
    rrset-cache-size: 4G
    msg-cache-slabs: 16
    rrset-cache-slabs: 16
    infra-cache-slabs: 16
    infra-cache-numhosts: 10000000
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    logfile: "/var/log/unbound.log"
    log-queries: no
    use-syslog: yes
    log-time-ascii: yes
    pidfile: "/var/run/unbound/unbound.pid"
    root-hints: "/etc/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: no
    unwanted-reply-threshold: 100000
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-log-level: 1
    key-cache-size: 1G
    key-cache-slabs: 16
    neg-cache-size: 1k
    include: /etc/unbound/local.d/*.conf

# Remote control config section.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf

Hi Mahdi,

Unbound only probes every 15 minutes (infra-ttl) to see if servers are
back up. You could lower infra-ttl in your config.

Also, you could update; 1.4.20 is from 2012. Perhaps the newer version
does not have this issue in this manner.

You can also flush the infra cache, with unbound-control flush_infra
all, that way you don't lose the DNS cache.

Best regards, Wouter

Including unbound users.
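An added example, not taken from either message in this thread: a small POSIX shell script that probes the local resolver with dig and, only when every probe comes back SERVFAIL, runs the `unbound-control flush_infra all` that Wouter suggests, so the message and RRset caches survive and no restart is needed. The probe names, the 127.0.0.1 resolver address and the function names are this example's own assumptions; it needs dig and unbound-control installed and remote-control enabled on 127.0.0.1 as in the config above. (The option Wouter calls infra-ttl is spelled infra-host-ttl in unbound.conf, and its default is 900 seconds.)

```shell
#!/bin/sh
# Added example, not part of the thread: detect an Unbound resolver that is
# still answering SERVFAIL after an outage and clear only its infra cache.
# Assumed: dig and unbound-control are installed, and remote-control is
# enabled on 127.0.0.1 as in the posted config.

# Extract the RCODE from the comment block printed by
# `dig +noall +comments`, whose header line looks like
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
# Prints nothing if there is no header line (timeout, no answer at all),
# so a resolver that is completely unreachable is not counted as SERVFAIL.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Count how many dig outputs (one per argument) carry status SERVFAIL.
count_servfail() {
    n=0
    for out in "$@"; do
        if [ "$(dig_status "$out")" = "SERVFAIL" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Flush only when every probe failed with SERVFAIL. A single failing name is
# treated as that zone's own problem (for example a genuine DNSSEC validation
# failure) and does not justify discarding infra data for the whole resolver.
should_flush() {
    total=$#
    failed=$(count_servfail "$@")
    if [ "$total" -gt 0 ] && [ "$failed" -eq "$total" ]; then
        return 0
    fi
    return 1
}

# Probe the resolver with a few names (constructed choices for this example)
# and flush the infrastructure cache if they all SERVFAIL.
check_and_flush() {
    resolver=${1:-127.0.0.1}
    set --
    for name in example.com example.net example.org; do
        set -- "$@" "$(dig @"$resolver" +noall +comments +time=2 +tries=1 "$name" 2>/dev/null || true)"
    done
    if should_flush "$@"; then
        echo "all probes SERVFAIL, flushing infra cache"
        unbound-control flush_infra all
    else
        echo "resolver healthy, no flush"
    fi
}

# Run the check when invoked directly with a resolver address, e.g. from cron:
#   sh check-unbound.sh 127.0.0.1
if [ "$#" -gt 0 ]; then
    check_and_flush "$1"
fi
```

The all-or-nothing rule matters: one SERVFAIL can be a legitimate validation failure for a single zone, and flushing the infra cache in response would throw away the resolver's record of which authoritative servers are lame or unreachable; only when every unrelated probe fails is it reasonable to conclude the resolver is stuck with stale infra entries from the outage.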