-
-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FR] Managing Cache Deletion and Fallback to Forwarding During Unbound Recursive DNS Failures #1061
Comments
Not an answer - however what is the benefit of setting serve-expired-reply-ttl to zero? I'm not using Redis or anything - just straight Unbound. Thanks! |
|
Excellent - thanks for explaining. Is there any benefit to also using serve-expired-ttl-reset? I never really could get my head around understanding exactly what this does - and I note that by default it's set to no by Unbound. |
I have been using Unbound for about four to five years, greatly benefiting from its robust caching capabilities, which generally result in very fast DNS responses. I employ the following primary configuration to enable Unbound's optimistic caching:
My expected operational outcomes are:
This configuration works well under most circumstances, and I have also shared it as a Docker image with others. However, due to the unstable network quality of some ISPs, particularly for authoritative DNS servers located abroad, there are consistent connectivity issues, leading to:
For the first issue, I have implemented a simple plugin that uses a third-party DNS as a downstream fallback for Unbound. The server first attempts to resolve via Unbound, and if it fails to get a response within a specific time frame (e.g., 200 ms), it forwards the request to a public DNS. This is also applicable for fault tolerance when the Unbound service is interrupted.
For the second issue, I found it challenging to make decisions downstream because once a domain's recursive query succeeds, its result is continuously cached, even if set with a long
serve-expired-ttl
. This means the cache keeps serving the data with a TTL of 0. Hence, if I use TTL=0 as a criterion for fallback DNS, it negates the benefit ofserve-expired: yes
. The crux of the problem is that I cannot use downstream DNS to determine if Unbound has successfully completed a recursive query.To address this, I propose two possible solutions:
serve-expired-fetch-fail: 5
. If a DNS refresh query fails more than five times, the expired result should be removed from the cache. This would allow downstream DNS to recognize Unbound's unavailability and switch to a public DNS result, a process feasible for most DNS servers with parallel query capabilities.recursive-first: yes
:This approach ensures that if recursive querying fails, a request is made to a public DNS, thus refreshing the DNS cache.
As I am not a professional programmer, these are just some of my thoughts and suggestions. I am open to hearing if there are more viable solutions or improvements to my approach.
The text was updated successfully, but these errors were encountered: