Sporadic "timed out resolving" error
Summary
Bind (Ubuntu 22.04.2 LTS) is set up as a private network DNS server. The syslog is peppered with "timed out resolving" errors.
Jun 2 03:48:38 xxx named[30906]: timed out resolving 'amazon-adsystem.com/DS/IN': 8.8.4.4#53
Jun 2 03:48:38 xxx named[30906]: timed out resolving 'hwcdn.net/DS/IN': 8.8.4.4#53
Jun 2 03:48:39 xxx named[30906]: timed out resolving 'moatpixel.com/DS/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'gravatar.com/DS/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'securepubads.g.doubleclick.net/HTTPS/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'www.googletagmanager.com/A/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'www.googletagmanager.com/HTTPS/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'www.google-analytics.com/A/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'www.google-analytics.com/HTTPS/IN': 8.8.8.8#53
Direct queries to the forwarders return no error and complete within 20-30 ms on average.
(see also https://serverfault.com/questions/1119578/bind9-server-random-query-failed-timed-out-error for a potentially similar report)
BIND version used
BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
running on Linux x86_64 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:18:26 UTC 2023
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-RW6AWX/bind9-9.18.12=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 11.3.0
compiled with OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
linked to OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
Open a busy webpage on a PC that uses the bind server as its nameserver.
What is the current bug behavior?
The syslog is peppered with "timed out resolving" errors.
What is the expected correct behavior?
"timed out resolving" errors should only be occasionally present.
Relevant configuration files
acl LAN {
    192.168.0.0/24;
};
options {
    directory "/var/cache/bind";
    allow-query { localhost; LAN; };
    forward first;
    forwarders {
        1.1.1.1;
        8.8.8.8;
        8.8.4.4;
    };
    recursion yes;
    qname-minimization strict;
    listen-on-v6 { none; };
};
Relevant logs and/or screenshots
(See above)
Possible fixes
N/A
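To triage log lines like the ones quoted in the summary, the timeouts can be tallied by forwarder, record type and minute to see whether they cluster on one upstream or one query type. This is an added example, not part of the original report or of BIND; the function names are hypothetical, and the sample input reuses five lines from the report plus one constructed non-matching line.

```python
import re
from collections import Counter

# Five lines copied from the report, plus one constructed line that must be ignored.
SAMPLE_LOG = """\
Jun 2 03:48:38 xxx named[30906]: timed out resolving 'amazon-adsystem.com/DS/IN': 8.8.4.4#53
Jun 2 03:48:38 xxx named[30906]: timed out resolving 'hwcdn.net/DS/IN': 8.8.4.4#53
Jun 2 03:48:39 xxx named[30906]: timed out resolving 'moatpixel.com/DS/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'www.googletagmanager.com/A/IN': 8.8.8.8#53
Jun 2 03:49:26 xxx named[30906]: timed out resolving 'www.googletagmanager.com/HTTPS/IN': 8.8.8.8#53
Jun 2 03:49:27 xxx named[30906]: constructed unrelated message
"""

# syslog prefix, then: timed out resolving '<qname>/<qtype>/<qclass>': <server>#<port>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+named\[\d+\]:\s+"
    r"timed out resolving '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)':\s+"
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)\s*$"
)


def parse_timeouts(text):
    """Return one dict per 'timed out resolving' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def summarize(events):
    """Count timeouts per forwarder, per record type and per minute."""
    return {
        "by_server": Counter(e["server"] for e in events),
        "by_qtype": Counter(e["qtype"] for e in events),
        # Drop the trailing ":SS" so bursts within one minute group together.
        "by_minute": Counter(e["ts"][:-3] for e in events),
    }


if __name__ == "__main__":
    summary = summarize(parse_timeouts(SAMPLE_LOG))
    for key, counts in summary.items():
        print(key, counts.most_common())
```

On a real host, pass the contents of the syslog file to `parse_timeouts` instead of `SAMPLE_LOG`.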