DNS: fail fast when you inevitably fail

2024-11-06 01:19:23 +01:00 · 2024-07-30 20:42:10 +03:00 · 2024-07-30 20:42:10 +03:00 · aa03a16c49
commit aa03a16c49
parent 21bd1b2290
7 changed files with 13 additions and 11 deletions
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@ -29,8 +29,8 @@ nameserver 127.0.0.53
 # no sending local domain to upstream whenever NXDOMAIN happens
 search .
-# timeout:2 = nameserver timeout 2 s (default 5, max 30), then next
+# timeout:1 = nameserver timeout 1 s (default 5, max 30), then next
-# attempts:2 = if all nameservers fail, attempt again 2 times (def 2, max 5)
+# attempts:5 = if all nameservers fail, attempt again 5 times (def 2, max 5)
 # rotate = For long running processes that perform more than one query (so not
 # dig/host), use the first resolver for the first query, second resolver for
 # the second query, third resolver for the third query and repeat.
@ -43,7 +43,7 @@ search .
 # systemd-resolved instantly without the timeout of two seconds.
 # edns0 = extended DNS
 # trust-ad = trust DNSSEC authenticated data
-options timeout:2 attempts:2 rotate edns0 trust-ad
+options timeout:1 attempts:5 rotate edns0 trust-ad
 # AMINDA! Remember, you are specifying these here, a couple of bash scripts
 # in this directory, see the comment on top, ../rc/{bash,zsh}rc
 # ($RES_OPTIONS) and systemd/system/service.d/resolv.conf !
--- a/etc/resolv.conf-generate.bash
+++ b/etc/resolv.conf-generate.bash
@ -17,7 +17,7 @@ rm -v /etc/resolv.conf
 # Actual resolv.conf creation. OK, this could read resolv.conf in this
 # directory, but I like this being self-contained.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
+printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:1 attempts:5 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
--- a/etc/systemd-resolv.conf-generate.bash
+++ b/etc/systemd-resolv.conf-generate.bash
@ -29,7 +29,7 @@ chmod -v +w /etc/resolv.conf
 rm -v /etc/resolv.conf
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
+printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\nsearch .\noptions timeout:1 attempts:5 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
--- a/etc/traditional-resolv.conf-generate.bash
+++ b/etc/traditional-resolv.conf-generate.bash
@ -23,7 +23,7 @@ rm -v /etc/resolv.conf
 # No trust-ad here as chances are these resolvers are unencrypted and the
 # path to them isn't trusted.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf "nameserver %b\nnameserver %b\nnameserver %b\nsearch .\noptions timeout:2 attempts:2 rotate edns0\n" "$1" "$2" "$3" | tee -p /etc/resolv.conf
+printf "nameserver %b\nnameserver %b\nnameserver %b\nsearch .\noptions timeout:1 attempts:5 rotate edns0\n" "$1" "$2" "$3" | tee -p /etc/resolv.conf
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
--- a/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
+++ b/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
@ -11,9 +11,11 @@ server:
 	serve-expired-ttl: 86400
 	# If serving expired data to client, explicitly give it TTL 30 seconds
 	serve-expired-reply-ttl: 30
-	# Serve expired data to client if there is no answer in 1.8 seconds as per
+	# Serve expired data to client if there is no answer in 0.8 seconds as
-	# common timeout 2 seconds according to the RFC 8767
+	# RFC 8767 says common seconds is 2 seconds making 1800 a reasonable
-	serve-expired-client-timeout: 1800
+	# value, but as I use a second lower timeout, I need to adjust here as
 	# well.
 	serve-expired-client-timeout: 800
 	# Human readable DNSSEC errors for expired records
 	ede-serve-expired: yes
--- a/rc/bashrc
+++ b/rc/bashrc
@ -265,7 +265,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
+export RES_OPTIONS="timeout:1 attempts:5 rotate edns0 trust-ad"
 # https://github.com/go-nv/goenv
 if [ -f /home/linuxbrew/.linuxbrew/opt/goenv/bin/goenv ]; then
--- a/rc/zshrc
+++ b/rc/zshrc
@ -219,7 +219,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
+export RES_OPTIONS="timeout:1 attempts:5 rotate edns0 trust-ad"
 # https://github.com/go-nv/goenv
 if [ -f /home/linuxbrew/.linuxbrew/opt/goenv/bin/goenv ]; then