
I am running a recursive DNS resolver with unbound 1.9.0 on Debian Stretch. It periodically logs statistics about the recursion processing times. The latest is:

[2195:0] info: server stats for thread 0: 157732 queries, 87671 answers from cache, 70061 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[2195:0] info: server stats for thread 0: requestlist max 145 avg 20.751 exceeded 0 jostled 0
[2195:0] info: average recursion processing time 0.014740 sec
[2195:0] info: histogram of recursion processing times
[2195:0] info: [25%]=0.0260698 median[50%]=0.0470106 [75%]=0.106954
[2195:0] info: lower(secs) upper(secs) recursions
[2195:0] info:    0.000000    0.000001 1792
[2195:0] info:    0.000256    0.000512 3
[2195:0] info:    0.000512    0.001024 71
[2195:0] info:    0.001024    0.002048 186
[2195:0] info:    0.002048    0.004096 490
[2195:0] info:    0.004096    0.008192 876
[2195:0] info:    0.008192    0.016384 2321
[2195:0] info:    0.016384    0.032768 19920
[2195:0] info:    0.032768    0.065536 21561
[2195:0] info:    0.065536    0.131072 8427
[2195:0] info:    0.131072    0.262144 8884
[2195:0] info:    0.262144    0.524288 3188
[2195:0] info:    0.524288    1.000000 1468
[2195:0] info:    1.000000    2.000000 493
[2195:0] info:    2.000000    4.000000 278
[2195:0] info:    4.000000    8.000000 70
[2195:0] info:    8.000000   16.000000 4
[2195:0] info:   16.000000   32.000000 18
[2195:0] info:   32.000000   64.000000 5
[2195:0] info:   64.000000  128.000000 4
[2195:0] info:  128.000000  256.000000 1
[2195:0] info:  256.000000  512.000000 1

Most processing times look fine, but there are a few requests that took several seconds to process, up to several minutes.

I’m curious about those requests and would like to investigate them. Is there any known way to do so? For example, I’d like it if I could ask Unbound to log any recursion that needed more than 4 seconds to process.

user2233709
"but there are a few requests that took several seconds to process, up to several minutes." Recursion all depends on the authoritative nameservers: if none are answering properly, and there are multiple IP addresses to test, and taking into account the timeout value, the number of retries per attempt, switching between UDP and TCP (some servers do not handle both properly as they should), and trying various countermeasures like with/without the EDNS bufsize option, or cookies, etc., it can add up. Hence your long tail. – Patrick Mevzek Aug 01 '22 at 17:21

1 Answer


You can configure Unbound to enable the dnstap feature:

https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html?highlight=logging#dnstap-logging-options

dnstap is a cross-software de facto "standard" to communicate DNS packets. Various explanations for it can be found on https://dnstap.info/

You can see an introduction at https://jpmens.net/2017/09/11/dns-query-response-logging-with-dnstap/ ; for example you can store things on disk for some time and then read them back with dnstap-read or kdig and then apply whatever filtering you want.

You could then have unbound send "everything" to some other collector that could then dig(!) more into the content and provide you with what you need.

I don't have the full answer on exactly what piece of software would give you exactly and immediately what you are looking for, but the above should be the first and most sensible option to look at.

Some receiver options to look after:

Patrick Mevzek
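Before building the dnstap pipeline the answer describes, the histogram Unbound already logs can tell you how many recursions crossed a threshold (though not which queries they were). The following is an added example, not code from the question, the answer, or the Unbound project: it parses the "histogram of recursion processing times" block as it appears in the question (the only format assumption is that each bucket row reads `... info: <lower> <upper> <count>`), counts the recursions at or above a threshold, and reproduces the [25%]/median/[75%] figures by linear interpolation as a cross-check that the rows were parsed correctly. The sample log is constructed from the question's own numbers.

```python
"""Count slow recursions from Unbound's logged processing-time histogram.

Added example, not Unbound's own code.  Assumed log format (taken from the
question): bucket rows look like '<prefix> info: <lower> <upper> <count>';
every other line is ignored.
"""
import re
from typing import Dict, List, Tuple

Bucket = Tuple[float, float, int]  # (lower secs, upper secs, recursions)

# Constructed sample: the histogram block copied from the question above.
SAMPLE_LOG = """\
[2195:0] info: average recursion processing time 0.014740 sec
[2195:0] info: histogram of recursion processing times
[2195:0] info: [25%]=0.0260698 median[50%]=0.0470106 [75%]=0.106954
[2195:0] info: lower(secs) upper(secs) recursions
[2195:0] info:    0.000000    0.000001 1792
[2195:0] info:    0.000256    0.000512 3
[2195:0] info:    0.000512    0.001024 71
[2195:0] info:    0.001024    0.002048 186
[2195:0] info:    0.002048    0.004096 490
[2195:0] info:    0.004096    0.008192 876
[2195:0] info:    0.008192    0.016384 2321
[2195:0] info:    0.016384    0.032768 19920
[2195:0] info:    0.032768    0.065536 21561
[2195:0] info:    0.065536    0.131072 8427
[2195:0] info:    0.131072    0.262144 8884
[2195:0] info:    0.262144    0.524288 3188
[2195:0] info:    0.524288    1.000000 1468
[2195:0] info:    1.000000    2.000000 493
[2195:0] info:    2.000000    4.000000 278
[2195:0] info:    4.000000    8.000000 70
[2195:0] info:    8.000000   16.000000 4
[2195:0] info:   16.000000   32.000000 18
[2195:0] info:   32.000000   64.000000 5
[2195:0] info:   64.000000  128.000000 4
[2195:0] info:  128.000000  256.000000 1
[2195:0] info:  256.000000  512.000000 1
"""

# Only the numeric bucket rows match; the header and quantile lines do not.
ROW_RE = re.compile(r"info:\s+(\d+\.\d+)\s+(\d+\.\d+)\s+(\d+)\s*$")


def parse_histogram(text: str) -> List[Bucket]:
    """Return the (lower, upper, count) rows of the histogram in log order."""
    buckets: List[Bucket] = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            buckets.append((float(m.group(1)), float(m.group(2)), int(m.group(3))))
    return buckets


def total_recursions(buckets: List[Bucket]) -> int:
    return sum(n for _, _, n in buckets)


def slow_recursions(buckets: List[Bucket], threshold: float) -> int:
    """Recursions in buckets whose lower bound is at or above the threshold.

    The buckets are power-of-two aligned, so for a threshold that is a bucket
    edge (1, 2, 4, 8 ... seconds) the count is exact.  For any other threshold
    the straddling bucket is left out, so the result is a lower bound on the
    true count, never an over-count.
    """
    return sum(n for lo, _, n in buckets if lo >= threshold)


def quantile(buckets: List[Bucket], q: float) -> float:
    """Seconds below which a fraction q of recursions finished.

    Interpolates linearly inside the bucket holding the q-th recursion; the
    result should agree with the [25%] / median / [75%] line Unbound prints,
    which is a cheap check that the rows were parsed correctly.
    """
    target = q * total_recursions(buckets)
    seen = 0
    for lo, hi, n in buckets:
        if n and seen + n >= target:
            return lo + (target - seen) / n * (hi - lo)
        seen += n
    return buckets[-1][1]


def summarize(text: str, threshold: float = 4.0) -> Dict[str, float]:
    """Totals for one histogram block: how many recursions crossed the threshold."""
    buckets = parse_histogram(text)
    total = total_recursions(buckets)
    slow = slow_recursions(buckets, threshold)
    return {
        "total": total,
        "slow": slow,
        "slow_ppm": slow / total * 1e6 if total else 0.0,
        "p50": quantile(buckets, 0.5),
        "p99": quantile(buckets, 0.99),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, threshold=4.0)
    print(f"{s['slow']} of {s['total']} recursions took >= 4 s "
          f"({s['slow_ppm']:.0f} per million); "
          f"p50={s['p50']:.4f}s p99={s['p99']:.2f}s")
```

On the question's numbers this reports 103 recursions at or above 4 s out of 70061, and a p99 of roughly 1.35 s, so the tail is real but small. What it cannot give is the query names behind those 103 recursions; for that, follow the answer and enable dnstap (`dnstap-enable: yes`, `dnstap-socket-path:`, and `dnstap-log-client-query-messages` / `dnstap-log-client-response-messages: yes` in unbound.conf, on a build compiled with dnstap support). A CLIENT_RESPONSE dnstap message carries both the query and the response timestamps, so a collector can compute the latency per query and print the qname for anything over 4 s.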