From patchwork Wed Jan 6 10:17:42 2021
X-Patchwork-Submitter: Jonatan Schlag
X-Patchwork-Id: 3787
From: Jonatan Schlag
To: development@lists.ipfire.org
Subject: [RFC] unbound: Increase timeout value for unknown dns-server
Date: Wed, 6 Jan 2021 10:17:42 +0000
Message-Id: <20210106101742.6561-1-jonatan.schlag@ipfire.org>

When unbound has no information about a DNS-server a timeout of 376 msec is assumed. This works well in a lot of situations, but they mention in their documentation that this could be way too low. They recommend a timeout of 1126 msec for satellite connections (https://nlnetlabs.nl/documentation/unbound/unbound.conf).

Setting this value to 1126 msec should make the first queries to an unknown server more useful. They do not time out and so these queries do not need to be sent again.

On a stable link, this behaviour should not have negative implications. As the first results of queries arrive the timeout value gets updated, and the high value of 1126 msec gets set to something useful.

Signed-off-by: Jonatan Schlag

--- config/unbound/unbound.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index f78aaae8c..02f093015 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -62,6 +62,7 @@ server: # Timeout behaviour infra-keep-probing: yes + unknown-server-time-limit: 1128 # Bootstrap root servers root-hints: "/etc/unbound/root.hints"
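
Review bot: The value on the added line, `unknown-server-time-limit: 1128`, does not match the commit message, which gives 1126 msec every time it names the new timeout. Please check the figure against the unbound.conf documentation linked in the message and make the config and the message agree before this is merged. A one-line comment above the option would also help, stating that it raises the timeout assumed for a DNS server unbound has no information about from the 376 msec default, because the "# Timeout behaviour" heading alone does not say why this value was chosen.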