unbound without internet

Hi

Yesterday we lost our connection to the internet. I supposed that DNS would be OK for our internal hosts. But unbound became very slow, and sometimes did not respond at all. We use nsd and unbound.

What can I do to prevent this in the future?

/etc/unbound/unbound.conf.d/ contains three files:
KSPT.conf qname-minimisation.conf root-auto-trust-anchor-file.conf

KSPT.conf:

server:
    verbosity: 1
    interface: 0.0.0.0
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    port: 53
    do-ip4: yes
    do-ip6: no
    root-hints: "/etc/unbound/root.hints"
    cache-min-ttl: 300
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 1
    minimal-responses: yes
    # prefetch is set twice in this file; the later value wins, so prefetch is off
    prefetch: no
    do-not-query-localhost: no
    local-zone: "domain.no" nodefault
    local-zone: "168.192.in-addr.arpa" nodefault
    local-zone: "10.in-addr.arpa" nodefault
    domain-insecure: "domain.no"
    domain-insecure: "168.192.in-addr.arpa"
    domain-insecure: "10.in-addr.arpa"
    private-domain: "domain.no"

stub-zone:
    name: "168.192.in-addr.arpa."
    stub-addr: 127.0.0.1@1053

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 127.0.0.1@1053

stub-zone:
    name: "spacetec.no"
    stub-addr: 127.0.0.1@1053

remote-control:
    control-enable: yes

qname-minimisation.conf:

server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.
    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.
    qname-minimisation: yes

root-auto-trust-anchor-file.conf:

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"


Hi,

    infra-keep-probing: <yes or no>
              If enabled the server keeps probing hosts that are down, in the one probe at a time regime. Default is no.
              Hosts that are down, eg. they did not respond during the one probe at a time period, are marked as down
              and it may take infra-host-ttl time to get probed again.

This fixed it for me. Hope this helps.

Ciao,
Tito

The default is no, so you set it to yes?

Hi,

what I understood (after reading some comments in the patch introducing it, something is missing in the doc about it) is that, about infra-keep-probing:

  • off: dead servers will be tried again (probed) in infra-host-ttl seconds (that is 15 minutes per default)
  • on: they will be tried again every two minutes

This is my empirical experience.
By default, when the line goes down, hosts are marked offline and not queried
for 15 minutes, so you have no DNS even if the line comes back up after
a few minutes. Setting infra-keep-probing to yes and lowering infra-host-ttl to
e.g. 15 seconds gives you DNS resolution ASAP.
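To see whether this is what is happening on a resolver (upstreams marked down in the infra cache, waiting out infra-host-ttl), the following added script, not from the thread or the unbound project, reads the output of `unbound-control dump_infra` (which KSPT.conf's remote-control section makes available). It assumes dump_infra prints one line per host with named tokens such as `ttl N` and `rto N`, and that an rto of 120000 ms is the value unbound assigns to a host it has given up on; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list upstream servers that unbound has marked as down.
# Assumptions: dump_infra line format "<ip> <zone> ttl N ping N var N rtt N rto N ..."
# and a round-trip timeout (rto) of 120000 ms meaning "host is down".

DOWN_RTO_MS=120000

# Print "<ip> <zone> rto=<ms> ttl=<s>" for each cache entry marked down.
# Reads dump_infra lines on stdin; tokens are found by name, not by position,
# so extra fields in other unbound versions do not break the parse.
# The ttl value is how many seconds remain before the host is probed again
# (bounded by infra-host-ttl), which is exactly what the thread is tuning.
list_down_hosts() {
    awk -v limit="$DOWN_RTO_MS" '
        {
            rto = -1; ttl = -1
            for (i = 1; i < NF; i++) {
                if ($i == "rto") rto = $(i + 1) + 0
                if ($i == "ttl") ttl = $(i + 1) + 0
            }
            if (rto >= limit) printf "%s %s rto=%d ttl=%d\n", $1, $2, rto, ttl
        }'
}

# Number of down hosts; 0 means every known upstream is still being queried.
count_down_hosts() {
    list_down_hosts | wc -l | tr -d ' '
}

# Constructed sample of dump_infra output: two root servers timed out while the
# uplink was gone, plus the local nsd stub on 127.0.0.1 which is still healthy.
SAMPLE_DUMP='198.41.0.4 . ttl 842 ping 0 var 0 rtt 120000 rto 120000 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.33.4.12 . ttl 842 ping 0 var 0 rtt 120000 rto 120000 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
127.0.0.1 domain.no. ttl 900 ping 2 var 4 rtt 18 rto 18 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0'

# Live use on the resolver:   unbound-control dump_infra | list_down_hosts
# Offline demo on the sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | list_down_hosts
fi
```

With infra-keep-probing set to yes and infra-host-ttl lowered, the ttl values shown for down hosts should stay small, and entries should disappear from the list shortly after the uplink returns.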