Bug #11773 (closed)
Using SSL/TLS for outgoing DNS Queries in forwarding mode can cause DNS to hang following the restoration of WAN connectivity
Description
I have unbound set up in forwarding mode to use "SSL/TLS for outgoing DNS Queries to Forwarding Servers". Unfortunately, I have been having internet connectivity problems. When the internet connection comes back online with an IP address change, DNS stays offline. unbound is presumably trying to use long-lived TCP connections that no longer work following an IP address change. I don't know when unbound would realize that the connections are dead, but after 5 minutes of it not being aware of this, I end up just restarting it. I thought that keepalives might enable unbound to recover from this more gracefully, so after checking the man page, I set these custom options, but they had no effect:
edns-tcp-keepalive: yes
edns-tcp-keepalive-timeout: 200
Without looking at the source code, it occurs to me that hanging on a dead connection is not the only theoretical way for unbound to become non-responsive. It might instead hang on `connect()` until the kernel returns ETIMEDOUT.
Would you please modify unbound to gracefully handle dead connections when configured to use TLS in forwarding mode? I assume that taking it out of forwarding mode would fix things, but then my outgoing DNS queries would be sent in plaintext, which is a security concern.
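The reporter's interim workaround is to restart unbound by hand once it has been unresponsive for several minutes. The following watchdog automates that detection and restart step: it probes the local resolver on a fixed interval, counts consecutive failed probes, and restarts unbound once the count reaches a threshold. This is an added example written for this page, not code from the pfSense project or from unbound. It assumes `dig` is installed, that `example.com` resolves, and that `service unbound restart` is the right restart command for your platform (on pfSense the command differs; override RESTART_CMD); the sample answer in the comments is a constructed value.

```shell
#!/bin/sh
# Added example (not from the bug report): DNS watchdog for an unbound
# instance whose upstream TLS connections may go stale after a WAN IP change.
# Assumptions: `dig` is available, PROBE_NAME resolves, and RESTART_CMD is
# correct for your platform (override all of these via the environment).

RESOLVER="${RESOLVER:-127.0.0.1}"
PROBE_NAME="${PROBE_NAME:-example.com}"
# One query, 3 s timeout, single attempt: a hung forwarder shows up as a timeout.
PROBE_CMD="${PROBE_CMD:-dig +time=3 +tries=1 +short @$RESOLVER $PROBE_NAME A}"
FAIL_LIMIT="${FAIL_LIMIT:-3}"      # consecutive failures before restarting
INTERVAL="${INTERVAL:-20}"         # seconds between probes
RESTART_CMD="${RESTART_CMD:-service unbound restart}"   # assumed; adjust per platform

# probe_dns: returns 0 when the resolver answered with at least one record,
# 1 on timeout, error, or an empty answer (e.g. SERVFAIL with nothing in +short).
probe_dns() {
    out=$($PROBE_CMD 2>/dev/null) || return 1
    [ -n "$out" ]
}

# next_fail_count PREV PROBE_RC: prints the updated consecutive-failure count.
# A successful probe (rc 0) resets the count to 0; a failure increments it.
next_fail_count() {
    if [ "$2" -eq 0 ]; then
        echo 0
    else
        echo $(( $1 + 1 ))
    fi
}

# should_restart COUNT: true once failures reach FAIL_LIMIT.
should_restart() {
    [ "$1" -ge "$FAIL_LIMIT" ]
}

# watchdog: main loop; logs to syslog and restarts unbound when the threshold
# is hit, then resets the counter so a single outage causes one restart.
watchdog() {
    fails=0
    while :; do
        if probe_dns; then rc=0; else rc=1; fi
        fails=$(next_fail_count "$fails" "$rc")
        if should_restart "$fails"; then
            logger -t dns-watchdog "resolver $RESOLVER failed $fails consecutive probes; running: $RESTART_CMD"
            $RESTART_CMD
            fails=0
        fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when explicitly asked (DNS_WATCHDOG_RUN=1), so the file can
# also be sourced to reuse the functions above.
if [ "${DNS_WATCHDOG_RUN:-0}" = 1 ]; then
    watchdog
fi
```

Run it as `DNS_WATCHDOG_RUN=1 sh dns-watchdog.sh &` from a boot script or cron @reboot entry. Requiring several consecutive failures avoids restarting unbound on a single lost packet, and the short per-probe timeout means a forwarder stuck on a dead TLS connection is detected within roughly FAIL_LIMIT × (timeout + INTERVAL) seconds rather than after the reporter's five minutes.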