Ability to detect when queries are being blocked at the network level

Daisuke HIGASHI daisuke.higashi at gmail.com
Sat May 5 14:37:10 UTC 2018


Hi John,

  If all authoritative servers for a particular domain silently discard
queries from your Unbound resolver, you could detect it with
`unbound-control dump_infra'.

 $ unbound-control dump_infra | grep nsec3.net
 133.242.130.108 nsec3.net. ttl 571 ping 0 var 94 rtt 376 rto 120000 (snip)
 2401:2500:102:1102:133:242:130:108 nsec3.net. ttl 571 ping 0 var 94 rtt 376 rto 120000 (snip)

  Note that the 'rto' of all nameservers serving 'nsec3.net' is 120000
(milliseconds).
As the 'Unbound Timeout Information' document describes, 'rto 120000'
indicates that the Unbound resolver has determined the nameserver is
unresponsive.
  Of course, we cannot distinguish between nameservers being down
(network unreachable) and discarded queries.

--
 Daisuke HIGASHI
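
An added example, not part of the original post: a shell function that reads `unbound-control dump_infra` output and lists only the zones where every cached server has reached the rto value described above. The function names, the sample zones and the sample addresses are constructed for illustration; the 120000 ms default comes from the post.

```shell
#!/bin/sh
# Constructed sample input in the field layout shown in the post
# (addresses and zone names are documentation placeholders).
sample_infra() {
cat <<'EOF'
192.0.2.10 blocked.example. ttl 571 ping 0 var 94 rtt 376 rto 120000
2001:db8::10 blocked.example. ttl 571 ping 0 var 94 rtt 376 rto 120000
192.0.2.20 partial.example. ttl 300 ping 0 var 94 rtt 376 rto 120000
192.0.2.21 partial.example. ttl 300 ping 12 var 20 rtt 92 rto 92
198.51.100.5 healthy.example. ttl 800 ping 8 var 15 rtt 68 rto 68
EOF
}

# Reads dump_infra lines on stdin and prints "<zone> <server count>" for each
# zone whose servers ALL have rto >= limit (first argument, default 120000 ms).
# A zone with at least one responsive server is not reported, because Unbound
# can still resolve it through that server.
unresponsive_zones() {
    awk -v limit="${1:-120000}" '
    {
        # Locate the value following the "rto" keyword instead of relying
        # on a fixed column, so lines with extra fields still parse.
        rto = ""
        for (i = 3; i < NF; i++)
            if ($i == "rto") { rto = $(i + 1); break }
        if (rto == "") next            # skip lines without an rto field
        total[$2]++
        if (rto + 0 >= limit + 0) timed_out[$2]++
    }
    END {
        for (zone in total)
            if (timed_out[zone] == total[zone]) print zone, total[zone]
    }' | sort
}

# Live use: unbound-control dump_infra | unresponsive_zones
sample_infra | unresponsive_zones
```

As the post says, a reported zone means its servers are not answering this resolver; the output alone does not tell you whether they are down or the queries are being discarded.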


