From aa03a16c493de040dce031312a3d8e08c85b4f2a Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Tue, 30 Jul 2024 20:42:10 +0300
Subject: [PATCH] DNS: fail fast when you inevitably fail

---
 etc/resolv.conf | 6 +++---
 etc/resolv.conf-generate.bash | 2 +-
 etc/systemd-resolv.conf-generate.bash | 2 +-
 etc/traditional-resolv.conf-generate.bash | 2 +-
 .../unbound.conf.d/expired-stale-serving-rfc8767.conf | 8 +++++---
 rc/bashrc | 2 +-
 rc/zshrc | 2 +-
 7 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/etc/resolv.conf b/etc/resolv.conf
index 4e7d086e..79155e00 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -29,8 +29,8 @@ nameserver 127.0.0.53
 # no sending local domain to upstream whenever NXDOMAIN happens
 search .
-# timeout:2 = nameserver timeout 2 s (default 5, max 30), then next
-# attempts:2 = if all nameservers fail, attempt again 2 times (def 2, max 5)
+# timeout:1 = nameserver timeout 1 s (default 5, max 30), then next
+# attempts:5 = if all nameservers fail, attempt again 5 times (def 2, max 5)
 # rotate = For long running processes that perform more than one query (so not
 # dig/host), use the first resolver for the first query, second resolver for
 # the second query, third resolver for the third query and repeat.
@@ -43,7 +43,7 @@ search .
 # systemd-resolved instantly without the timeout of two seconds.
 # edns0 = extended DNS
 # trust-ad = trust DNSSEC authenticated data
-options timeout:2 attempts:2 rotate edns0 trust-ad
+options timeout:1 attempts:5 rotate edns0 trust-ad
 # AMINDA! Remember, you are specifying these here, a couple of bash scripts
 # in this directory, see the comment on top, ../rc/{bash,zsh}rc
 # ($RES_OPTIONS) and systemd/system/service.d/resolv.conf !
diff --git a/etc/resolv.conf-generate.bash b/etc/resolv.conf-generate.bash
index 6860dc23..346fd317 100755
--- a/etc/resolv.conf-generate.bash
+++ b/etc/resolv.conf-generate.bash
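Review bot: The new values shorten each per-server wait but lengthen the worst case: with the three nameserver lines this file carries (the generator scripts write three), timeout:1 with attempts:5 permits roughly 3 × 1 s × 5 ≈ 15 s before the resolver gives up, against roughly 3 × 2 s × 2 ≈ 12 s before, so the subject line "fail fast" holds per try but not for the total (a rough bound only; glibc applies its own scaling to later servers and tries, so the exact figure differs). The rewritten comment also keeps the old phrasing `attempt again 5 times`, while resolv.conf(5) defines attempts:n as the number of times the resolver sends a query to its name servers before returning an error, so `attempts:5 = send each query up to 5 times before giving up (def 2, max 5)` would be more accurate. If the goal is a quick failure, attempts:3 with timeout:1 keeps the total under the previous 12 s.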
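Review bot: The unchanged context line `# systemd-resolved instantly without the timeout of two seconds.` appears to describe the old timeout:2 and now disagrees with the options line two lines below it; if it refers to the resolver timeout, it should read `without the timeout of one second` (the line it continues from is outside the hunk, so confirm the reference). The reminder comment under the options line lists the other copies of this string; since this commit also retunes unbound's serve-expired-client-timeout to match, adding `and etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf (serve-expired-client-timeout must stay below timeout)` to that reminder would keep the two from drifting apart on the next change.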
@@ -17,7 +17,7 @@ rm -v /etc/resolv.conf
 # Actual resolv.conf creation. OK, this could read resolv.conf in this
 # directory, but I like this being self-contained.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
+printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:1 attempts:5 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
diff --git a/etc/systemd-resolv.conf-generate.bash b/etc/systemd-resolv.conf-generate.bash
index 3d5bf655..4c74d403 100755
--- a/etc/systemd-resolv.conf-generate.bash
+++ b/etc/systemd-resolv.conf-generate.bash
@@ -29,7 +29,7 @@ chmod -v +w /etc/resolv.conf
 rm -v /etc/resolv.conf
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
+printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\nsearch .\noptions timeout:1 attempts:5 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
diff --git a/etc/traditional-resolv.conf-generate.bash b/etc/traditional-resolv.conf-generate.bash
index 35cec6d6..202df570 100755
--- a/etc/traditional-resolv.conf-generate.bash
+++ b/etc/traditional-resolv.conf-generate.bash
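Review bot: The options string `timeout:1 attempts:5 rotate edns0 trust-ad` is now hardcoded verbatim in this printf, in etc/systemd-resolv.conf-generate.bash (the next hunk), in etc/traditional-resolv.conf-generate.bash (without trust-ad), and in the RES_OPTIONS exports in rc/bashrc and rc/zshrc, and the commit had to edit all six copies by hand, which is exactly how one copy gets missed next time. The comment above says self-containment is intentional, so rather than reading etc/resolv.conf at run time, the cheap safeguard is a reminder matching the one in etc/resolv.conf, e.g. `# Keep the options line identical to etc/resolv.conf, the other *-generate.bash scripts and RES_OPTIONS in ../rc/{bash,zsh}rc`, placed directly above the printf in each script. A small check script that extracts the `options` line from each file and exits non-zero when they differ would make the drift visible without coupling the generators at run time.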
@@ -23,7 +23,7 @@ rm -v /etc/resolv.conf
 # No trust-ad here as chances are these resolvers are unencrypted and the
 # path to them isn't trusted.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf "nameserver %b\nnameserver %b\nnameserver %b\nsearch .\noptions timeout:2 attempts:2 rotate edns0\n" "$1" "$2" "$3" | tee -p /etc/resolv.conf
+printf "nameserver %b\nnameserver %b\nnameserver %b\nsearch .\noptions timeout:1 attempts:5 rotate edns0\n" "$1" "$2" "$3" | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
diff --git a/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf b/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
index 4d3dcd03..17bfc513 100644
--- a/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
+++ b/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
@@ -11,9 +11,11 @@ server:
 serve-expired-ttl: 86400
 # If serving expired data to client, explicitly give it TTL 30 seconds
 serve-expired-reply-ttl: 30
- # Serve expired data to client if there is no answer in 1.8 seconds as per
- # common timeout 2 seconds according to the RFC 8767
- serve-expired-client-timeout: 1800
+ # Serve expired data to client if there is no answer in 0.8 seconds as
+ # RFC 8767 says common seconds is 2 seconds making 1800 a reasonable
+ # value, but as I use a second lower timeout, I need to adjust here as
+ # well.
+ serve-expired-client-timeout: 800
 # Human readable DNSSEC errors for expired records
 ede-serve-expired: yes
diff --git a/rc/bashrc b/rc/bashrc
index ff2c429e..0142bd21 100755
--- a/rc/bashrc
+++ b/rc/bashrc
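Review bot: The rewritten printf still formats the three nameserver arguments with `%b`, which expands backslash escapes inside `$1`, `$2` and `$3` before they are written to /etc/resolv.conf, and nothing in the hunk checks that all three arguments are present, so a missing one silently produces a bare `nameserver ` line and a shorter resolver list than intended. These are addresses given on the command line, so `%s` is the right conversion, and a guard before the printf such as `: "${3:?usage: three nameserver addresses required}"` turns the omission into an explicit failure (the script's opening, where such a guard belongs, is outside the hunk). Only the option values on this line changed in the commit; the `%b` and the unchecked positionals were already there.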
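Review bot: The new comment line `# RFC 8767 says common seconds is 2 seconds making 1800 a reasonable` is garbled; `common timeout is 2 seconds` preserves the meaning of the removed wording. The comment would also benefit from naming the unit, because serve-expired-client-timeout takes milliseconds and the 800/1800 pairing with the 1 s/2 s resolver timeout in etc/resolv.conf only reads correctly once that is explicit, e.g. `# serve-expired-client-timeout is in milliseconds; 800 ms keeps ~200 ms under the timeout:1 in etc/resolv.conf`. Whether 200 ms of headroom is enough for the stale answer to reach the local client before its 1 s timeout fires is a tuning question this hunk does not settle and deserves a measured check.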
@@ -265,7 +265,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
+export RES_OPTIONS="timeout:1 attempts:5 rotate edns0 trust-ad"
 # https://github.com/go-nv/goenv
 if [ -f /home/linuxbrew/.linuxbrew/opt/goenv/bin/goenv ]; then
diff --git a/rc/zshrc b/rc/zshrc
index d25176e7..02e87db3 100755
--- a/rc/zshrc
+++ b/rc/zshrc
@@ -219,7 +219,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
+export RES_OPTIONS="timeout:1 attempts:5 rotate edns0 trust-ad"
 # https://github.com/go-nv/goenv
 if [ -f /home/linuxbrew/.linuxbrew/opt/goenv/bin/goenv ]; then