Bug #11773 (closed)

Using SSL/TLS for outgoing DNS Queries in forwarding mode can cause DNS to hang following the restoration of WAN connectivity

Added by Richard Yao about 3 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version: -
Start date: 04/02/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture: All

Description

I have unbound set up in forwarding mode to use "SSL/TLS for outgoing DNS Queries to Forwarding Servers". Unfortunately, I have been having internet connectivity problems. When the internet connection comes back online with an IP address change, DNS stays offline. unbound is presumably trying to use long-lived TCP connections that no longer work following an IP address change. I don't know when unbound would realize that the connections are dead, but after 5 minutes of it not being aware of this, I end up just restarting it. I thought that keepalives might enable unbound to recover from this more gracefully, so after checking the man page, I set these custom options, but they had no effect:

edns-tcp-keepalive: yes
edns-tcp-keepalive-timeout: 200

Without looking at the source code, it occurs to me that hanging on a dead connection is not the only theoretical way for unbound to become non-responsive. It might instead hang on `connect()` until the kernel returns ETIMEDOUT.

Would you please modify unbound to gracefully handle dead connections when configured to use TLS in forwarding mode? I assume that taking it out of forwarding mode would fix things, but then my outgoing DNS queries would be sent in plaintext, which is a security concern.
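The failure mode described above (the forwarder sits on a dead upstream connection and local clients get no answer, or a SERVFAIL, until someone restarts it) is easiest to catch with a probe that asks the local resolver one question and gives up after a fixed timeout. The script below is an added example, not code from this ticket, from pfSense or from Unbound. It builds a recursive A query by hand, sends it over UDP with a hard socket timeout, parses the reply, and classifies the resolver as ok, servfail, hung or error. The default target 127.0.0.1:53, the query name example.com and the two-second timeout are assumptions; the exit code is meant for a cron job or watchdog that decides whether to restart the resolver.

```python
"""Bounded DNS liveness probe for a local forwarder such as Unbound.

Added example, not code from the ticket, pfSense or Unbound. It sends one
recursive A query over UDP with a hard socket timeout, so a resolver that is
waiting on a dead upstream TCP/TLS connection shows up as "hung" within
seconds instead of being noticed minutes later.
"""
import random
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
RCODE_SERVFAIL = 2


def build_query(name, txid=None):
    """Return (wire_query, txid) for a recursive A/IN query for `name`."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # RD set: ask the resolver to recurse/forward
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN), txid


def skip_name(data, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid):
    """Parse header and answer section; return rcode, TC flag and A records."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200),
            "answers": answers}


def probe(server="127.0.0.1", port=53, name="example.com", timeout=2.0):
    """Classify the resolver as ok / servfail / hung / error within `timeout` s.

    Defaults (loopback resolver, example.com, 2 s) are assumptions for the example.
    """
    query, txid = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"status": "hung"}  # no reply at all: the forwarder is stuck
    except OSError as exc:
        return {"status": "error", "detail": str(exc)}
    finally:
        sock.close()
    try:
        resp = parse_response(data, txid)
    except ValueError as exc:
        return {"status": "error", "detail": str(exc)}
    status = "servfail" if resp["rcode"] == RCODE_SERVFAIL else "ok"
    return {"status": status, **resp}


if __name__ == "__main__":
    # Optional first argument: resolver address to probe instead of 127.0.0.1.
    result = probe(*sys.argv[1:2])
    print(result)
    sys.exit(0 if result["status"] == "ok" else 1)
```

Both "hung" (no reply within the timeout) and "servfail" (the resolver answered, but could not reach its forwarders) exit non-zero, so a periodic job can treat either as the condition the reporter describes and restart the resolver instead of waiting for the dead connection to time out on its own. The query uses a fresh random transaction ID and rejects replies whose ID does not match, so a stray or spoofed datagram cannot be mistaken for a healthy answer.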

#1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Rejected

Those would be issues in unbound itself -- we don't have that kind of control over Unbound code. What you should do is try to reproduce the issue with Unbound directly and report it upstream to the Unbound project. I think there may already be some open issues with DNS over TLS and connections of that nature, however.
