DNS Resolver not caching correct?

johnpoz

If your local to the cache ok, but your not always going to see 0 ms if your client on the network.. Even a local lan introduces some delay ;) Or some small delay with cache answering

;; ANSWER SECTION:
www.google.com. 3346 IN A 172.217.1.36

;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Fri Aug 30 04:32:20 Central Daylight Time 2019

Next query
;; ANSWER SECTION:
www.google.com. 3344 IN A 172.217.1.36

;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Fri Aug 30 04:32:22 Central Daylight Time 2019

My point is it is possible to see a delay in the response time, even from when cache.

It could be possible, even if your local to the cache - to see a delay if machine is busy, or unbound is busy, etc. etc. Just because you see some small amount of delay does not mean it wasn't served from cache.

If you get back anything other than the full ttl - it was served from cache.

If your doing query over wireless - that could also introduce delay.. Or if your path to the dns is routed/firewalled locally, etc. A better indication of served from cache or resolved would be the ttl you get back

When your seeing this 12ms response - what was the ttl returned?

mrsunfire

I never saw more than 30% cpu usage and never more than 0ms. How can I check that better?

Where do I see the ttl? I will check that again.

johnpoz

when you do a dig, you will see the ttl

;; ANSWER SECTION:
www.google.com. 1038 IN A 172.217.1.36

See the 1038, that is the TTL returned, clearly that is not the full TTL of that record.. Nobody would set such an ODD ttl ;)

So it was clearly returned from cache. If you see a whole number, 60, 300, 1800, 3600, 86400 for example than that was resolved and you received the full ttl from the authoritative ns. You can always check what the full ttl is by doing a query direct to one of the authoritative NS for that domain.

Mind you, I have a min ttl set of 3600 on my unbound... So if ttl from authoritative ns is less than 3600, unbound will use 3600.. But it will then count down from that, so if I see 3600 returned as the ttl - pretty sure it was resolved, vs from cache.. Unless on the off chance you did the query at exactly when the ttl had counted down to that value ;) So while you might see a whole number - it still could of been from cache - you just got amazing lucky and queried exactly when say the ttl had counted down t 1800 ;)

So if your delay is something other than a couple of ms, and you have a nice whole number ttl - you can be pretty sure it was resolved, and not returned.. Even if you see say 12 ms, but the ttl was like 1432 or something - you would assume that was returned to you from cache - and something else caused the delay.

edit:
Another stat you might be interested in is the cache hit numbers..

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf stats_noreset | grep total.num
total.num.queries=14557
total.num.queries_ip_ratelimited=0
total.num.cachehits=12593
total.num.cachemiss=1964
total.num.prefetch=2263
total.num.zero_ttl=2318
total.num.recursivereplies=1964

So you can see the total numbers of queries that unbound has gotten since its last restart.. And the total number of hits for the cache.. And how many misses, how many prefetches done, etc. how many returns from 0 ttl (since I have that set) etc.. If your not seeing a large % of cache hits.. then yeah your doing more resolving than returning from cache.. I am pretty happy with 86% cache hit ratio.

Means 86% of the time when a client asked for something - it got returned from cache vs having to resolve it.

edit: People seem to miss the whole point of the cache.. To the local client if you record is returned from cache its going to be couple of ms to lookup whatever.domain.tld, so what does it matter if resolving takes 100ms and just asking google takes 30ms.. Once its cache, your client will be seeing 1ms..

In the big picture resolving can be faster and better because while you have to ask googledns all the time for something that is not in cache, and that might be 30ms (if they have it cached).. Your resolve might only take 15ms to ask the authoritative ns for the record.. All depends on where the authoritative ns is in relation to you, etc. And since your always going to get back the full TTL, you could need to do actual less queries than always asking googledns..

The only time forwarding gains you anything is if they already have it cached.. If your asking for something that is not.. Then it has to be resolved, and you just added the query time to googledns, and then waiting for them to resolve it on top of the time of your latency to them, etc. So what you save a handful of ms here and there? Nobody is going to notice the difference between getting an answer in 30ms vs 200 ;) and that only every comes into play if not already cached anyway.. So 1 of your clients might have to wait couple extra ms for something to be resolved, everyone else on your network will get the cached copy. And if your doing prefetch - the common domains will be kept active with nobody ever seeing the few ms delay to actually resolve it.

If you have the ability to run your own resolver - its just always a better option if you ask me.

here.. I resolved this locally in 139 ms

; <<>> DiG 9.14.4 <<>> www.whatever.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15212
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.whatever.com.              IN      A

;; ANSWER SECTION:
www.whatever.com.       14400   IN      CNAME   whatever.com.
whatever.com.           14400   IN      A       198.57.151.250

;; Query time: 139 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Fri Aug 30 05:49:31 Central Daylight Time 2019
;; MSG SIZE  rcvd: 75

I asked googledns for it - and took 99ms

; <<>> DiG 9.14.4 <<>> @8.8.8.8 www.whatever.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49654
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.whatever.com.              IN      A

;; ANSWER SECTION:
www.whatever.com.       14399   IN      CNAME   whatever.com.
whatever.com.           14399   IN      A       198.57.151.250

;; Query time: 99 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 30 05:50:07 Central Daylight Time 2019
;; MSG SIZE  rcvd: 75

So you think a client could ever notice 40 whole ms?? .04 of second ;)

And that is only the first client to ask for it, after that its just served from cache.

mrsunfire

Thank you very much for your help! Keep up the good work.

It helped me a lot to understand the ttl. If I get 0ms its not a whole number:

; <<>> DiG 9.12.2-P1 <<>> twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57273
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;twitter.com.			IN	A

;; ANSWER SECTION:
twitter.com.		1415	IN	A	104.244.42.129
twitter.com.		1415	IN	A	104.244.42.65

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 30 16:25:20 CEST 2019
;; MSG SIZE  rcvd: 72

It now works better with my setting yesterday.

These are my hits:

Shell Output - unbound-control -c /var/unbound/unbound.conf stats_noreset | grep total.num
total.num.queries=22053
total.num.queries_ip_ratelimited=0
total.num.cachehits=16235
total.num.cachemiss=5818
total.num.prefetch=8910
total.num.zero_ttl=9416
total.num.recursivereplies=5818

I also tested you example and wow, this domain took long:

; <<>> DiG 9.12.2-P1 <<>> www.whatever.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55651
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.whatever.com.		IN	A

;; ANSWER SECTION:
www.whatever.com.	14400	IN	CNAME	whatever.com.
whatever.com.		14400	IN	A	198.57.151.250

;; Query time: 1192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 30 16:33:41 CEST 2019
;; MSG SIZE  rcvd: 75

Cloudflare was quiet fast:

; <<>> DiG 9.12.2-P1 <<>> @1.1.1.1 www.whatever.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12365
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.whatever.com.		IN	A

;; ANSWER SECTION:
www.whatever.com.	14400	IN	CNAME	whatever.com.
whatever.com.		10732	IN	A	198.57.151.250

;; Query time: 175 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 30 16:34:49 CEST 2019
;; MSG SIZE  rcvd: 75

johnpoz

@mrsunfire said in DNS Resolver not caching correct?:

;; Query time: 1192 msec

Depends where your at in the world to where the authoritative ns and other root servers are, the latency of your connection, etc. etc.

Keep in mind that example so this had to be resolved to even then resolve that.. So yeah those can be longer.. You can see from your 175ms response - looks like 1 had to be resolved, but the other was cached since you got back 10732 so half of the thing you looked for was cached..

you understand that 1000 ms is 1 second - so not sure I would call that LONG ;) in the big picture.. So your website would of take a whole second longer to load then if the dns had been cached. Which still might be 30 seconds - depending on what the site was, etc. and how fast it is, and your connection to it, etc. And now that its looked up for the next 4 hours your cached.. And if you have prefetch on other clients actually ask for that again it could be refreshed in the background and you would never see such a delay again, etc.

mrsunfire

@johnpoz 1000 is very long. Usualle my sites load instant. I have around 7 ms to google.de (Germany).

johnpoz

@mrsunfire said in DNS Resolver not caching correct?:

I have around 7 ms to google.de (Germany).

The amount of time to ping site has ZERO to do with how fast it loads in your browser -- sorry but site pull up in your browser is not freaking loading in .007 seconds..

Keep in mind that once I site is loaded once - much of it could be cached by your browser as well, etc.

1000 ms to RESOLVE something where the authoritative ns for that domain could be on the other side of the planet is not a LONG time ;)

Your in DE? That is a long way from Utah in the US which is where those NS seem to be.. And that is just those.. that is not the others in the chain..

Do you actually understand how something is resolved?

Even if you had .com NS cached, you still had to go ask them... And how far away are they from you for the NS for whatever.com etc. Then you had to go ask the NS for whatever.com for www.whatever.com, which is then a cname for whatever.com so you then had to do another query, etc. Which if your in DE, and the NS are in Utah.. that going to be a tad higher than 7ms away ;)

Do a dig +trace for that whatever.com to see how you get to it, and how fast the authoritative NS can answer you, etc.

mrsunfire

Yes it gets more clear for me now, thanks.

Heres the traceroute:

1  37.49.100.1  6.696 ms  6.047 ms  6.332 ms
 2  172.30.22.97  6.166 ms  6.018 ms  6.383 ms
 3  84.116.191.221  8.367 ms  9.098 ms  8.967 ms
 4  84.116.130.102  7.959 ms  7.905 ms  7.490 ms
 5  129.250.9.29  8.914 ms  8.023 ms  8.070 ms
 6  129.250.4.16  8.048 ms  8.483 ms  8.894 ms
 7  129.250.4.96  94.929 ms  94.882 ms  96.235 ms
 8  129.250.3.189  160.419 ms  160.473 ms  164.702 ms
 9  129.250.3.238  160.700 ms  160.501 ms  160.755 ms
10  129.250.2.16  161.365 ms  160.543 ms  160.335 ms
11  129.250.198.182  158.326 ms  158.105 ms  158.365 ms
12  162.144.240.163  182.527 ms  182.299 ms  182.470 ms
13  162.144.240.127  182.288 ms  182.736 ms  183.292 ms
14  198.57.151.250  158.162 ms  159.572 ms  158.137 ms

Some names are resolved with 0ms now on morning, others I used yesterday not. Why? Does unbound cached more used names longer?

Why stopped unbound this night? Has it something to do with pfblockerNG-devel?

Aug 31 00:00:16	unbound	5433:0	info: start of service (unbound 1.9.1).
Aug 31 00:00:16	unbound	5433:0	notice: init module 1: iterator
Aug 31 00:00:16	unbound	5433:0	notice: init module 0: validator
Aug 31 00:00:15	unbound	5433:0	notice: Restart of unbound 1.9.1.
Aug 31 00:00:15	unbound	5433:0	info: 0.524288 1.000000 4
Aug 31 00:00:15	unbound	5433:0	info: 0.262144 0.524288 7
Aug 31 00:00:15	unbound	5433:0	info: 0.131072 0.262144 54
Aug 31 00:00:15	unbound	5433:0	info: 0.065536 0.131072 98
Aug 31 00:00:15	unbound	5433:0	info: 0.032768 0.065536 68
Aug 31 00:00:15	unbound	5433:0	info: 0.016384 0.032768 43
Aug 31 00:00:15	unbound	5433:0	info: 0.008192 0.016384 28
Aug 31 00:00:15	unbound	5433:0	info: 0.004096 0.008192 2
Aug 31 00:00:15	unbound	5433:0	info: 0.000000 0.000001 42
Aug 31 00:00:15	unbound	5433:0	info: lower(secs) upper(secs) recursions
Aug 31 00:00:15	unbound	5433:0	info: [25%]=0.0219088 median[50%]=0.0607172 [75%]=0.116694
Aug 31 00:00:15	unbound	5433:0	info: histogram of recursion processing times
Aug 31 00:00:15	unbound	5433:0	info: average recursion processing time 0.082558 sec
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 3: requestlist max 19 avg 0.542125 exceeded 0 jostled 0
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 3: 1239 queries, 893 answers from cache, 346 recursions, 473 prefetch, 0 rejected by ip ratelimiting
Aug 31 00:00:15	unbound	5433:0	info: 2.000000 4.000000 2
Aug 31 00:00:15	unbound	5433:0	info: 1.000000 2.000000 4
Aug 31 00:00:15	unbound	5433:0	info: 0.524288 1.000000 9
Aug 31 00:00:15	unbound	5433:0	info: 0.262144 0.524288 45
Aug 31 00:00:15	unbound	5433:0	info: 0.131072 0.262144 236
Aug 31 00:00:15	unbound	5433:0	info: 0.065536 0.131072 366
Aug 31 00:00:15	unbound	5433:0	info: 0.032768 0.065536 363
Aug 31 00:00:15	unbound	5433:0	info: 0.016384 0.032768 248
Aug 31 00:00:15	unbound	5433:0	info: 0.008192 0.016384 100
Aug 31 00:00:15	unbound	5433:0	info: 0.004096 0.008192 10
Aug 31 00:00:15	unbound	5433:0	info: 0.002048 0.004096 3
Aug 31 00:00:15	unbound	5433:0	info: 0.001024 0.002048 3
Aug 31 00:00:15	unbound	5433:0	info: 0.000512 0.001024 2
Aug 31 00:00:15	unbound	5433:0	info: 0.000256 0.000512 2
Aug 31 00:00:15	unbound	5433:0	info: 0.000000 0.000001 152
Aug 31 00:00:15	unbound	5433:0	info: lower(secs) upper(secs) recursions
Aug 31 00:00:15	unbound	5433:0	info: [25%]=0.0239319 median[50%]=0.0555612 [75%]=0.114912
Aug 31 00:00:15	unbound	5433:0	info: histogram of recursion processing times
Aug 31 00:00:15	unbound	5433:0	info: average recursion processing time 0.086276 sec
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 2: requestlist max 28 avg 1.21664 exceeded 0 jostled 0
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 2: 4486 queries, 2941 answers from cache, 1545 recursions, 1580 prefetch, 0 rejected by ip ratelimiting
Aug 31 00:00:15	unbound	5433:0	info: 1.000000 2.000000 1
Aug 31 00:00:15	unbound	5433:0	info: 0.524288 1.000000 12
Aug 31 00:00:15	unbound	5433:0	info: 0.262144 0.524288 27
Aug 31 00:00:15	unbound	5433:0	info: 0.131072 0.262144 75
Aug 31 00:00:15	unbound	5433:0	info: 0.065536 0.131072 213
Aug 31 00:00:15	unbound	5433:0	info: 0.032768 0.065536 180
Aug 31 00:00:15	unbound	5433:0	info: 0.016384 0.032768 124
Aug 31 00:00:15	unbound	5433:0	info: 0.008192 0.016384 60
Aug 31 00:00:15	unbound	5433:0	info: 0.004096 0.008192 3
Aug 31 00:00:15	unbound	5433:0	info: 0.002048 0.004096 1
Aug 31 00:00:15	unbound	5433:0	info: 0.000512 0.001024 1
Aug 31 00:00:15	unbound	5433:0	info: 0.000000 0.000001 71
Aug 31 00:00:15	unbound	5433:0	info: lower(secs) upper(secs) recursions
Aug 31 00:00:15	unbound	5433:0	info: [25%]=0.0237832 median[50%]=0.0553415 [75%]=0.107381
Aug 31 00:00:15	unbound	5433:0	info: histogram of recursion processing times
Aug 31 00:00:15	unbound	5433:0	info: average recursion processing time 0.082412 sec
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 1: requestlist max 23 avg 0.68534 exceeded 0 jostled 0
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 1: 2418 queries, 1650 answers from cache, 768 recursions, 910 prefetch, 0 rejected by ip ratelimiting
Aug 31 00:00:15	unbound	5433:0	info: 2.000000 4.000000 2
Aug 31 00:00:15	unbound	5433:0	info: 1.000000 2.000000 5
Aug 31 00:00:15	unbound	5433:0	info: 0.524288 1.000000 11
Aug 31 00:00:15	unbound	5433:0	info: 0.262144 0.524288 37
Aug 31 00:00:15	unbound	5433:0	info: 0.131072 0.262144 288
Aug 31 00:00:15	unbound	5433:0	info: 0.065536 0.131072 409
Aug 31 00:00:15	unbound	5433:0	info: 0.032768 0.065536 398
Aug 31 00:00:15	unbound	5433:0	info: 0.016384 0.032768 258
Aug 31 00:00:15	unbound	5433:0	info: 0.008192 0.016384 133
Aug 31 00:00:15	unbound	5433:0	info: 0.004096 0.008192 9
Aug 31 00:00:15	unbound	5433:0	info: 0.002048 0.004096 7
Aug 31 00:00:15	unbound	5433:0	info: 0.001024 0.002048 2
Aug 31 00:00:15	unbound	5433:0	info: 0.000512 0.001024 3
Aug 31 00:00:15	unbound	5433:0	info: 0.000256 0.000512 3
Aug 31 00:00:15	unbound	5433:0	info: 0.000128 0.000256 1
Aug 31 00:00:15	unbound	5433:0	info: 0.000000 0.000001 199
Aug 31 00:00:15	unbound	5433:0	info: lower(secs) upper(secs) recursions
Aug 31 00:00:15	unbound	5433:0	info: [25%]=0.0217342 median[50%]=0.0547917 [75%]=0.115329
Aug 31 00:00:15	unbound	5433:0	info: histogram of recursion processing times
Aug 31 00:00:15	unbound	5433:0	info: average recursion processing time 0.084765 sec
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 0: requestlist max 23 avg 1.41447 exceeded 0 jostled 0
Aug 31 00:00:15	unbound	5433:0	info: server stats for thread 0: 5246 queries, 3481 answers from cache, 1765 recursions, 1842 prefetch, 0 rejected by ip ratelimiting
Aug 31 00:00:15	unbound	5433:0	info: service stopped (unbound 1.9.1).

johnpoz

not a traceroute a dig +trace

$ dig www.whatever.com +trace

; <<>> DiG 9.14.4 <<>> www.whatever.com +trace
;; global options: +cmd
.                       27190   IN      NS      h.root-servers.net.
.                       27190   IN      NS      k.root-servers.net.
.                       27190   IN      NS      d.root-servers.net.
.                       27190   IN      NS      l.root-servers.net.
.                       27190   IN      NS      c.root-servers.net.
.                       27190   IN      NS      a.root-servers.net.
.                       27190   IN      NS      m.root-servers.net.
.                       27190   IN      NS      f.root-servers.net.
.                       27190   IN      NS      e.root-servers.net.
.                       27190   IN      NS      j.root-servers.net.
.                       27190   IN      NS      i.root-servers.net.
.                       27190   IN      NS      g.root-servers.net.
.                       27190   IN      NS      b.root-servers.net.
.                       27190   IN      RRSIG   NS 8 0 518400 20190912170000 20190830160000 59944 . DtQjgY6hTjQoBx95E2qR9YHr/VIiwFqkjYjvBuX21XlBEYjlH3Rq0+sF 0XkyzUwp6xq2SXW3ZPgK0SHf2/hv+3fx0sricuQ5mAhvlw9yVVIwQTq5 dr2B0hfs6tfZNiX+CDNMK6DzjEAlX34gnVZmtSuv5KG87PG9ztBoygPd AxobqaiBksHS8DsCNpVwRunZCZ0Wd59LlWl72etkTft779F8YxvIa9B4 MOf497UcW+Wk38utZ4LRtJL0nTk5BeP0jf6oPi95Sp80SgkOGlOAkwvM c10ZiG5NrH0CtBJYQtOpAG4SamwxhxzK1TElq2SZY7lLOTtrFCQYNK53 0Y5yVA==
;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 3 ms

com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20190913050000 20190831040000 59944 . ZmaE6S3yTVnYVXNywBnPO1hD4iHQ/DaBiMDi2+mRC88NXTH1Qrsnflnm fIInk6AnQAtl9uS3LM+qXinwCUMrpVGupSi9FQ3QneZgnilRzhyuloxM xJi/22+WulaBE7UzDZJrpA572P3dWBHl296vw3oCoF8OENW/D2Z16gWw xOBJD57Jocnhghm9ONXoE60WPWSOQD9xytzc5vl1oZIRYpmcYsNe1wsq NYm+WUSuM1+AaG0tyjdbwxR23nkRowRxTJyARkc4wcaIEQaNXyEm7Iad ToAyiKVxpCGs2B7JKHuVL9sXsNYo/+awj5yGXuWz1tLBk3teXKgMI0Yu qjSSig==
;; Received 1204 bytes from 192.33.4.12#53(c.root-servers.net) in 12 ms

whatever.com.           172800  IN      NS      ns6217.hostgator.com.
whatever.com.           172800  IN      NS      ns6218.hostgator.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190904044529 20190828033529 17708 com. vtK0SnwKj0v250DLs1saXgDLxjCfNIdwgX/HHiCRQtvwxI3gMdZbEkM2 iOCv2Sdzo0dnz4RxN6BqXXbB8ZwWqG632PgCwFZluYzSi+stiZY2RX31 FlFzE2VgSf9xB/cElOJp94o2sYEW/n4Gqp73bPbE/HFcVeklYm0MI0bA JvU=
RNHABBI0G00MKABON3HNN10VBLL72I2F.com. 86400 IN NSEC3 1 1 0 - RNHCNLOM2HJP5G1RNIDHEF5664U20CFO NS DS RRSIG
RNHABBI0G00MKABON3HNN10VBLL72I2F.com. 86400 IN RRSIG NSEC3 8 2 86400 20190905043336 20190829032336 17708 com. pHdhtwlMfX9QPxdOk6xuO4D+naVZOSfIqGqYB1B/QWlCzxRQa97pfUrn sffyo2mChJWntL6XHutDZHB+YGlvBLg4VqvdwUmoeoaZpVqwlSMtAB4x B1cyW+jf0byLvNjJELetC8JFhmH1LpJIRyuvsFhps3f+Nd6RoVUNLWpz FHM=
;; Received 614 bytes from 192.5.6.30#53(a.gtld-servers.net) in 39 ms

www.whatever.com.       14400   IN      CNAME   whatever.com.
whatever.com.           14400   IN      A       198.57.151.250
whatever.com.           86400   IN      NS      ns6218.hostgator.com.
whatever.com.           86400   IN      NS      ns6217.hostgator.com.
;; Received 159 bytes from 50.87.144.144#53(ns6217.hostgator.com) in 44 ms

that is what happens when you have to resolve from roots.

So sure if the authoritative NS or any of those others in the path are on the other side of the planet it might take a second... Doesnt matter in the big picture - its only once and after that its direct to the authoritative ns for the domain vs going all the way down from the root .

mrsunfire

; <<>> DiG 9.12.2-P1 <<>> www.whatever.com +trace
;; global options: +cmd
.			6497	IN	NS	i.root-servers.net.
.			6497	IN	NS	h.root-servers.net.
.			6497	IN	NS	d.root-servers.net.
.			6497	IN	NS	j.root-servers.net.
.			6497	IN	NS	g.root-servers.net.
.			6497	IN	NS	b.root-servers.net.
.			6497	IN	NS	k.root-servers.net.
.			6497	IN	NS	m.root-servers.net.
.			6497	IN	NS	a.root-servers.net.
.			6497	IN	NS	e.root-servers.net.
.			6497	IN	NS	f.root-servers.net.
.			6497	IN	NS	c.root-servers.net.
.			6497	IN	NS	l.root-servers.net.
.			6497	IN	RRSIG	NS 8 0 518400 20190912050000 20190830040000 59944 . a18HBLRxbDklfb/5azG80cAJFAwNd4luRiFgFM6QUhVNkCcYfHEPN86t H2TiEwxxwQE+gfKdMFc6F+2GT5MqMgJocYS4hxyai54iMtzN9/HzUxFQ IVeOWU2g2piycqavfFqMp4pfmbESjGj3zBs3BemvD8nS9JVc7PtDnYEN HJ6iYLCSZlLp3HPTOGqd2Kh9uBmujnsVqbUoVWT7H5vT3yblT2J3MdhV XcUYAwl8CneBJGql1VT1ZS5lvGriOnrRuX9evjgHlGZuRk5tiR8oc4aH ndEc28HdihJH4fmj6P0Zq2DnP3KOMV/voHCsF29hEyT3YhpCDng5U99E 994KgA==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 20190913050000 20190831040000 59944 . ZmaE6S3yTVnYVXNywBnPO1hD4iHQ/DaBiMDi2+mRC88NXTH1Qrsnflnm fIInk6AnQAtl9uS3LM+qXinwCUMrpVGupSi9FQ3QneZgnilRzhyuloxM xJi/22+WulaBE7UzDZJrpA572P3dWBHl296vw3oCoF8OENW/D2Z16gWw xOBJD57Jocnhghm9ONXoE60WPWSOQD9xytzc5vl1oZIRYpmcYsNe1wsq NYm+WUSuM1+AaG0tyjdbwxR23nkRowRxTJyARkc4wcaIEQaNXyEm7Iad ToAyiKVxpCGs2B7JKHuVL9sXsNYo/+awj5yGXuWz1tLBk3teXKgMI0Yu qjSSig==
;; Received 1176 bytes from 2001:7fe::53#53(i.root-servers.net) in 18 ms

whatever.com.		172800	IN	NS	ns6217.hostgator.com.
whatever.com.		172800	IN	NS	ns6218.hostgator.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190904044529 20190828033529 17708 com. vtK0SnwKj0v250DLs1saXgDLxjCfNIdwgX/HHiCRQtvwxI3gMdZbEkM2 iOCv2Sdzo0dnz4RxN6BqXXbB8ZwWqG632PgCwFZluYzSi+stiZY2RX31 FlFzE2VgSf9xB/cElOJp94o2sYEW/n4Gqp73bPbE/HFcVeklYm0MI0bA JvU=
RNHABBI0G00MKABON3HNN10VBLL72I2F.com. 86400 IN NSEC3 1 1 0 - RNHCNLOM2HJP5G1RNIDHEF5664U20CFO NS DS RRSIG
RNHABBI0G00MKABON3HNN10VBLL72I2F.com. 86400 IN RRSIG NSEC3 8 2 86400 20190905043336 20190829032336 17708 com. pHdhtwlMfX9QPxdOk6xuO4D+naVZOSfIqGqYB1B/QWlCzxRQa97pfUrn sffyo2mChJWntL6XHutDZHB+YGlvBLg4VqvdwUmoeoaZpVqwlSMtAB4x B1cyW+jf0byLvNjJELetC8JFhmH1LpJIRyuvsFhps3f+Nd6RoVUNLWpz FHM=
;; Received 614 bytes from 192.41.162.30#53(l.gtld-servers.net) in 15 ms

www.whatever.com.	14400	IN	CNAME	whatever.com.
whatever.com.		14400	IN	A	198.57.151.250
whatever.com.		86400	IN	NS	ns6217.hostgator.com.
whatever.com.		86400	IN	NS	ns6218.hostgator.com.
;; Received 159 bytes from 198.57.151.238#53(ns6218.hostgator.com) in 184 ms

johnpoz

@mrsunfire said in DNS Resolver not caching correct?:

(ns6218.hostgator.com) in 184 ms

So you see the authoritative ns are that far away from you - lot farther than 7ms ;)

At any given time you might of talked to something in the path that took longer than normal, maybe something in path was congested, maybe the ns took longer to answer, etc.

But that is how something is resolved - when none of it is cached.. now the once the ns for .com are cached no reason to ask roots for those, once the ns for whatever.com is cached no reason to talk to the gtld-servers.net ns - so you can just go ask the authoritative NS directly - but since its a lot farther than 7ms away from you - there can be delays... But in the big picture makes no matter. Since its only going to be once, and then its cached for the length of the TTL, and if you have prefetch setup and or zero answer - you will get an answer from unbound instantly and it will go refresh its stuff in the background..

So what does it matter if took 1000ms - that is not even going to be really noticed since I doubt a site couple hundred ms away from you is going to load instantly anyway.. Worse case you added a whole second to the page load time (ONCE)

There is little need of concerning your self if a site resolves in 30ms or 300ms, or even 1000ms.. Since once its cached - none of that matters any more. And in the big picture a fraction of a second in addition to the overall first load time of the page is meaningless.

perlenbacher

Hi johnpoz,

could you post your DNS Resolver, General Settings and Advanced Settings please.

It would be very handy for us all!

Thanks, Perlen

johnpoz

Sure here you go

Notice that I have disabled automatic ACLs so you will have to create your own to allow queries.

I have also changed from transparent to static for my zone.. Make sure you actually understand what settings do before changing them.. Any questions on what anything specifically does, just ask. Don't think this is some sort of guide to how you should set yours up.. These are my settings for my network and use case.. Most of them are just default.. Only a couple of changes really from out of the box settings. Which may or may not be good for your actual needs.

Generally speaking - out of the box should be fine for pretty much everyone.

As to the general settings - there are no dns set other than local... Here

perlenbacher

Very interesting, much appreciated. Thanks!

mrsunfire

For info: this is the result of cacheoutput after two days and I'm happy with it:

total.num.queries=21177
total.num.queries_ip_ratelimited=0
total.num.cachehits=15554
total.num.cachemiss=5623
total.num.prefetch=8627
total.num.zero_ttl=9232
total.num.recursivereplies=5623

Thanks a lot @johnpoz !

johnpoz

@mrsunfire said in DNS Resolver not caching correct?:

total.num.zero_ttl=9232

that seems like a lot of low TTLs - you might want to play with uping the min vs letting them set like 60 seconds and 5 min ttls

mrsunfire

So with what should I start? And what does this change? Isn't this dangerous?

johnpoz

In the advanced tab change the min ttl to say 1800 or 3600 vs letting them set such low ttls.. Could it cause issues - maybe. But I doubt it really..

Lets say you had something that was using a 60 second TTL, do the IPs even change - I had issue with some software where it checked a fqdn all the time, and the ttl was 60 seconds.. But upon check it multiple times the IP wasn't even changing - so what is the F'ing point of having dns query for it every 60 seconds.

Then you have them doing load balancing nonsense via dns

example
;scribe.logs.roku.com. IN A

;; ANSWER SECTION:
scribe.logs.roku.com. 60 IN A 52.21.150.70
scribe.logs.roku.com. 60 IN A 35.172.120.217
scribe.logs.roku.com. 60 IN A 34.233.159.203
scribe.logs.roku.com. 60 IN A 35.170.206.212
scribe.logs.roku.com. 60 IN A 52.200.248.59
scribe.logs.roku.com. 60 IN A 52.1.249.132
scribe.logs.roku.com. 60 IN A 34.226.55.236
scribe.logs.roku.com. 60 IN A 52.21.44.213

So while you might use 52.21.150.70 one time, next time is 25.172.120.217, etc. Only issue you could have is that 52.21.150.170 no longer works.

Have really never seen it be an issue.. But I wouldn't suggest you set the min to like 24 hours or anything.. If you find your having an issue getting somewhere, you can always just flush that specific entry from your cache.

This should lower the amount of both local queries and external queries.. Since now vs your local client asking for something every min with such a low ttl, it would only need to query 1 an hour for example.. Same goes for external queries. If your local device is not using a local cache - doesn't really matter what the ttl is for local queries - but would keep your dns from having to resolve it every freaking 60 seconds because some dumb iot device keeps asking for it every 30 freaking seconds, etc. because it has no local cache.

But hey if you got some local devices asking for whatever.something.tld every minute - you just got a 60x reduction in the number of external queries you have to do ;) if you change the min ttl to 1 hour. Multiply that by a few devices and few different fqdn being queried and in the course of 24 you could be doing 10s of 1000's of less queries.. Again prob not all that big of deal in the big picture.. But why do them if you don't really need to, etc.

mrsunfire

I don't know if I should play around with that because everything runs fast and good for now. But I see if my WAN goes down unbound restarts. Any chance to disable this function and keep it running?

Gertjan

@mrsunfire said in DNS Resolver not caching correct?:

But I see if my WAN goes down unbound restarts

It's possible that the restart of unbound wasn't needed. If the WAN IP stays the same, then maybe yes, it might not be needed.
I guess you should investigate why the WAN NIC goes down ? Missing an UPS ? Then add one.

There are many reasons that a WAN interface change has more effect, and then unbound should restart.
Loadbalancing. VPN usage (the tunnel is rebuild, and unbound should use the tunnel), etc.

However : there is no GUI setting that let you choose what to restart, or not.
Just stop ripping out the cable, or have people play with the power plug, and you'll be fine.