local_unbound times out on some big domains

So, I had this on Linux when I ran BIND. It would time out on some big domains with default settings. So I had to change max-recursion-depth to a higher value, and the problem was solved.
In FreeBSD 14.3, I get the same problem. I can't even open time.is website. But there's no recursion depth setting for local_unbound.
Can this be solved? Or do I have to switch to BIND?
 
Local unbound works great on 99.99% of domains. Not on some. time.is is one of the not working ones.
Code:
dig +trace time.is

; <<>> DiG 9.20.16 <<>> +trace time.is
;; global options: +cmd
.                       82330   IN      NS      c.root-servers.net.
.                       82330   IN      NS      b.root-servers.net.
.                       82330   IN      NS      d.root-servers.net.
.                       82330   IN      NS      f.root-servers.net.
.                       82330   IN      NS      h.root-servers.net.
.                       82330   IN      NS      k.root-servers.net.
.                       82330   IN      NS      i.root-servers.net.
.                       82330   IN      NS      e.root-servers.net.
.                       82330   IN      NS      a.root-servers.net.
.                       82330   IN      NS      l.root-servers.net.
.                       82330   IN      NS      g.root-servers.net.
.                       82330   IN      NS      j.root-servers.net.
.                       82330   IN      NS      m.root-servers.net.
.                       82330   IN      RRSIG   NS 8 0 518400 20251214170000 20251201160000 61809 . laR83CYkIWz/p69QjoJ54cunBCiMfdw8C0uKqCGdej3pZuJx3Q1XOEiR WRL9h6o094azKwUobCrgsfbaB2L97VVgeuKFcu2aipAdYH2Kz0iPxDj6 ctmGUbzC+QtgHs0gZtzCQF0L0kkMPDrEij43Zw30d/1bTEIxxFiwH8l2 Jl0SmoDoucBpeGDRTG4TiPXAxnoiqzuZ4Urtdm5H92we3rxTkdn7upEK 9qH3m+V/PG4cQ+01xYk5Mefd93pCQMxIUVNmuLum5flBt5GwR57Cynxa 6Pe4j9kr3EddjREe5E1VR9fFGnmS1BcE+lCkDOObklrjsskrQ/YfseOO J4z3hg==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

is.                     172800  IN      NS      a.nic.is.
is.                     172800  IN      NS      b.nic.is.
is.                     172800  IN      NS      c.nic.is.
is.                     172800  IN      NS      d.nic.is.
is.                     172800  IN      NS      e.nic.is.
is.                     86400   IN      DS      17072 8 2 42D3DEE2C2F72B98290F94C3AB04172277A6FC52589D5A45BF90AC31 F8268D63
is.                     86400   IN      RRSIG   DS 8 1 86400 20251215050000 20251202040000 61809 . 6h084pqvyG0yHiEAsfH7q0GWtskwt8+LDc9duS752Uy0nheJS2RIr6Cj liak5WaxUlVcFUAeWae+y8CYi1REtlzN1uasZ8Gnoyck9jae74AJfHQJ zjMS4Sehqg5p7mAeCmV297aVBqPa3RZaXFlWNccpRrT6ctBJqyzq+oqg +ifbZZKbVFa/Zs0QMrHltsyVugbnZqPdSwhw4ILvmEPn4cFLybo+k7CK FZ13wgDNpF82TnLCuZ/COp+y0zgfmjHdEh5eXF60YvgRFqoPddWRgQdz E3mNIhb3ZYpILzLoF5pDvJqXQ+HkC4wKNVC/sRfIK/GOzU6i4NN99gC4 s4E2xw==
couldn't get address for 'a.nic.is': failure
couldn't get address for 'b.nic.is': not found
couldn't get address for 'c.nic.is': not found
couldn't get address for 'd.nic.is': not found
couldn't get address for 'e.nic.is': not found
dig: couldn't get address for 'a.nic.is': no more
 
Please show the results of
dig @8.8.8.8 +trace time.is
Code:
; <<>> DiG 9.20.16 <<>> @8.8.8.8 +trace time.is
; (1 server found)
;; global options: +cmd
.            87203    IN    NS    e.root-servers.net.
.            87203    IN    NS    i.root-servers.net.
.            87203    IN    NS    c.root-servers.net.
.            87203    IN    NS    g.root-servers.net.
.            87203    IN    NS    h.root-servers.net.
.            87203    IN    NS    j.root-servers.net.
.            87203    IN    NS    d.root-servers.net.
.            87203    IN    NS    k.root-servers.net.
.            87203    IN    NS    l.root-servers.net.
.            87203    IN    NS    b.root-servers.net.
.            87203    IN    NS    a.root-servers.net.
.            87203    IN    NS    f.root-servers.net.
.            87203    IN    NS    m.root-servers.net.
.            87203    IN    RRSIG    NS 8 0 518400 20251215170000 20251202160000 61809 . h9n5tkY8Vo68HgBk3mOV1dLVZXR2mHbarBRrH50vyNjEuwwx5swl9gEp mfPoE1jkY/hDlc9XsKy9dT5RriLi7cOUuc/eV+9P7wbR0aefwwGvEVS6 XYlWjYyMyok3g3XjNhcz5Q5PbdbAnwCZHNmYKyYxxBM7lsremc+QUYll Qe40I9PWWAwxKGe+wc4xCRZc2IKUDrJtfmsyVovxq+h8Fo/2QnUZm75A P4G+Uuk6bbOpkKYVV1bv6ognDeqxypOJcD4xmPgtFLVENlDWiaZC1Vzq swlVhIdWpmmPm1aSi3VZ2gjBP5GGFzX//KFfABnXBJUERTf8wgyM6MRi K6ktbQ==
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 72 ms

is.            172800    IN    NS    a.nic.is.
is.            172800    IN    NS    b.nic.is.
is.            172800    IN    NS    c.nic.is.
is.            172800    IN    NS    d.nic.is.
is.            172800    IN    NS    e.nic.is.
is.            86400    IN    DS    17072 8 2 42D3DEE2C2F72B98290F94C3AB04172277A6FC52589D5A45BF90AC31 F8268D63
is.            86400    IN    RRSIG    DS 8 1 86400 20251215170000 20251202160000 61809 . ucCBdA6XQBmbqNxYSSV5/KyTrHwEZhu5ewY4m63VAOVt8UP0Gr6uVKV6 tyG2TX5QhLqlI/vxNOFwn+wb3+H4VXvLyuhpFGToWPO09Ci1EYVoXLuT pSEkHm95+8TICoinO5//mZZXV+ZNlfGJCwe65N1CYn0ytrLSaLPYqu30 QZTBGwYGwluMIkD8a9JfIs0hWdxqsqPSnrPp2EVhOWZA4mUEBhix77cY qpml8eZdFgO3+uQenptcw0wsCcay4tZD4AVd3RrbNr6XcbyLdYlaRNIH /9TN2YJ8xLElPSeL38kufL3ylsDXE3654rJxj6p31G+Bh8OM+g8ph+Br xLW21A==
couldn't get address for 'a.nic.is': not found
couldn't get address for 'b.nic.is': not found
couldn't get address for 'c.nic.is': not found
couldn't get address for 'd.nic.is': not found
couldn't get address for 'e.nic.is': not found
dig: couldn't get address for 'a.nic.is': no more

Hmmm, this looks like some sort of DNSSEC issue possibly, no?

Do you have the default settings of local-unbound?
Yes, except I changed "remote control" from yes to no.
 
Try another command
dig +short @8.8.8.8 time.is
I have noticed that the trace option only gets the root servers from 8.8.8.8 and the recursion is done locally.

If you see results like
8.6.112.6
8.47.69.6

it looks like your IP is blocked by the NS servers of NIC.IS
 
Ok, I solved it. (Or AI solved it)

Using only UDP 53 for DNS resolution is the problem. Enabling TCP 53 in the firewall enables resolution of all these domains that were not resolved with just UDP 53.

The reason is that modern DNS requires bigger packets than UDP allows, for one because of the extra bulk that the cryptographic signatures demand. Some DNS responses with DNSSEC are too large for UDP packets and are truncated; the resolver then tries to switch to TCP, and if TCP 53 is blocked, it fails immediately.
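The UDP-truncation-then-TCP fallback described in this last post, as an added example that is not part of the thread and is not Unbound's or BIND's code. It models a resolver that queries over UDP, checks the TC (truncation) bit in the answer header, and retries the same query over TCP, which is exactly the step a UDP-only firewall rule breaks. The responses in simulate() are constructed in-line (fake data, no network); udp_transport/tcp_transport talk to a real resolver if you pass its address on the command line. The 1232-byte EDNS buffer size and the 192.0.2.1 answer are assumptions, not values from the thread.

```python
# Added example, not code from this thread or from Unbound/BIND: a minimal model
# of the UDP-first, TCP-on-truncation behaviour the last post describes, using only
# the Python standard library. simulate() uses responses constructed in-line (fake
# data) so it runs offline; udp_transport/tcp_transport query a real resolver.
import socket
import struct
import sys

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits

def build_query(qname, qtype=1, txid=0x1234, edns_udp_size=1232):
    """A/IN query; edns_udp_size > 0 appends an EDNS0 OPT record (RFC 6891).
    1232 is an assumed buffer size (DNS Flag Day 2020 value), not from the thread."""
    header = struct.pack(">HHHHHH", txid, RD, 1, 0, 0, 1 if edns_udp_size else 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL 0, RDLENGTH 0
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0) if edns_udp_size else b""
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte header; TC set means the UDP answer was cut short."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def resolve(query, udp_send, tcp_send):
    """UDP first; on TC retry over TCP. Returns (transport_used, header dict).
    udp_send/tcp_send take query bytes and return response bytes or raise OSError."""
    hdr = parse_header(udp_send(query))
    if not hdr["tc"]:
        return "udp", hdr
    try:
        full = tcp_send(query)
    except OSError as exc:
        # The thread's failure mode: UDP/53 open, TCP/53 dropped, so every
        # truncated (typically DNSSEC-sized) answer ends in a timeout.
        raise RuntimeError("UDP answer truncated and TCP/53 unreachable: %s" % exc) from exc
    return "tcp", parse_header(full)

def udp_transport(server, timeout=3.0):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recv(4096)
    return send

def tcp_transport(server, timeout=3.0):
    """DNS over TCP frames each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    def recv_exact(s, n):
        buf = b""
        while len(buf) < n:
            chunk = s.recv(n - len(buf))
            if not chunk:
                raise OSError("connection closed early")
            buf += chunk
        return buf

    def send(query):
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)
            (length,) = struct.unpack(">H", recv_exact(s, 2))
            return recv_exact(s, length)
    return send

def constructed_response(query, truncated):
    """Fake answer echoing the question: QR|TC with no records, or one A record 192.0.2.1."""
    (txid,) = struct.unpack(">H", query[:2])
    question = query[12:query.index(b"\x00", 12) + 5]  # QNAME + QTYPE + QCLASS
    if truncated:
        return struct.pack(">HHHHHH", txid, QR | RD | RA | TC, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack(">HHHHHH", txid, QR | RD | RA, 1, 1, 0, 0) + question + answer

def simulate():
    """Offline: same truncated UDP answer, once with TCP/53 open, once blocked."""
    q = build_query("time.is")
    udp_truncated = lambda query: constructed_response(query, truncated=True)
    tcp_open = lambda query: constructed_response(query, truncated=False)

    def tcp_blocked(query):
        raise OSError("connection timed out")

    transport, hdr = resolve(q, udp_truncated, tcp_open)
    try:
        resolve(q, udp_truncated, tcp_blocked)
        outcome = "resolved"
    except RuntimeError:
        outcome = "failed"
    return transport, hdr["ancount"], outcome

if __name__ == "__main__":
    print("offline simulation:", simulate())  # ('tcp', 1, 'failed')
    if len(sys.argv) > 1:  # live check, e.g.: python3 dns_tc.py 127.0.0.1 time.is
        name = sys.argv[2] if len(sys.argv) > 2 else "time.is"
        print("live:", resolve(build_query(name), udp_transport(sys.argv[1]), tcp_transport(sys.argv[1])))
```

Run with no arguments for the offline simulation; with a resolver address (and optionally a name) it performs the real UDP query and, only if that answer carries TC, the TCP retry. A "UDP answer truncated and TCP/53 unreachable" error on a host where UDP works is the symptom of the firewall rule the post describes.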
 