Tightening DNS timeouts slightly

As of 2019-06-08, we’ve made a small change to our firewall settings that may impact validation if your DNS servers are very slow. Specifically, we set an idle timeout for UDP “sessions” to 12 seconds; it used to be 300 seconds. We think this is a reasonable setting because (a) Unbound considers servers unresponsive if their backoff interval reaches 12 seconds. Also, Boulder has a DNS timeout of 10 seconds, with 3 tries.

Still, there’s a very small possibility that certain authoritative DNS servers could previously have threaded the needle through the above timeouts, but get stopped by the new firewall timeout. I wanted to let the forum community know in case you see unusual cases of new timeouts due to slow DNS. Right now unboundtest.com does not simulate this behavior. If someone would like to help me figure out an iptables rule to simulate it, that would be helpful.

In case you’re interested in why the firewall cares about “sessions” with regards to UDP, which is a connectionless protocol: It is trying to keep track of whether inbound UDP packets match up with an outbound query. We’re looking into whether there are other fixes that fit better with the UDP model, but for now this fixes a resource limitation we were running during times of peak load, which ensures we maintain a high level of availability.

4 Likes