OPNsense Forum

English Forums => General Discussion => Topic started by: Vexz on August 20, 2023, 11:14:15 AM

Title: Unbound option "serve expired" - Any reason (not) to use it?
Post by: Vexz on August 20, 2023, 11:14:15 AM
So I've been thinking a lot about this option and think it's a nice feature. But I always come back to two questions: "Do I really need this?" and "Why isn't this enabled by default?"

You see, I've used this feature for about a year now to speed up DNS resolution. AFAIK the (main) reason why this exists is to still resolve some domain names in case the upstream DNS server is offline. But since DNS servers are pretty much always available and I'm using NextDNS with anycast, it's highly unlikely that I'd need the serve expired option for its (main) purpose.
DNS resolution is very fast anyway so it begs the question if I as a human even feel the difference between a freshly resolved domain name from an upstream DNS server or an expired serve from Unbound. On the other hand I never experienced a moment where I wanted to access a website and Unbound served an expired DNS entry where the IP for that domain changed so I couldn't load the website. So I don't see any disadvantages in enabling this option. But why isn't the serve expired option enabled by default if you never experience any negative impact?

Maybe I'm overthinking all this or underthinking it but I never come to a conclusion whether to enable or disable this feature. I'd love to hear your thoughts about this.
Title: Re: Unbound option "serve expired" - Any reason (not) to use it?
Post by: franco on August 21, 2023, 02:26:17 PM
Hi Vexz,

The reason is pretty simple:

> serve-expired: [...] Default is "no".

See https://nlnetlabs.nl/documentation/unbound/unbound.conf/

Unless there is a good enough reason to override this standard behaviour we try not to stray from software defaults. In the case of serve-expired, that only happens when you already got your initial reply, in which case it's not mission-critical for DNS resolution to work.


Cheers,
Franco
Title: Re: Unbound option "serve expired" - Any reason (not) to use it?
Post by: franco on August 21, 2023, 02:31:15 PM
PS: The other reason would be the security benefit. As for performance, it's always debatable, as it comes at the price of security here ;)
Title: Re: Unbound option "serve expired" - Any reason (not) to use it?
Post by: Vexz on August 21, 2023, 03:45:25 PM
Quote from: franco on August 21, 2023, 02:26:17 PM
Unless there is a good enough reason to override this standard behaviour we try not to stray from software defaults. In the case of serve-expired, that only happens when you already got your initial reply, in which case it's not mission-critical for DNS resolution to work.
Okay, that makes sense.

Quote from: franco on August 21, 2023, 02:31:15 PM
PS: The other reason would be the security benefit. As for performance, it's always debatable, as it comes at the price of security here ;)
Security benefit? How does the "serve expired" option influence security? The only thing I can think of here would be something like DNS cache poisoning. Depending on the answer I might wanna disable it.
Title: Re: Unbound option "serve expired" - Any reason (not) to use it?
Post by: franco on August 21, 2023, 09:22:53 PM
You're potentially bypassing verification of the previous query at least once. The TTL is there for a reason. It may also bypass a new filter rule implemented upstream. The risk is low.


Cheers,
Franco
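To make franco's point concrete, here is a toy resolver cache added as an illustration (not Unbound's code and not part of the thread): it models what a client receives once a record's TTL has passed, with serve-expired off (Unbound's default), on, and on but bounded by serve-expired-ttl. The upstream table, the name blocked.example and the timings are constructed; the 30 s serve-expired-reply-ttl default and the serve-expired-ttl option are real Unbound settings, everything else is a simplified model.

```python
from typing import Dict, Optional, Tuple

SERVE_EXPIRED_REPLY_TTL = 30  # Unbound's default for serve-expired-reply-ttl
Answer = Optional[str]        # resolved IP, or None when upstream returns no answer


class Resolver:
    """Toy cache modelling serve-expired semantics; not Unbound's implementation."""

    def __init__(self, upstream: Dict[str, Tuple[Answer, int]],
                 serve_expired: bool = False, serve_expired_ttl: int = 0):
        self.upstream = upstream                    # name -> (answer, ttl); constructed stand-in
        self.serve_expired = serve_expired          # Unbound default: no
        self.serve_expired_ttl = serve_expired_ttl  # 0 = no age limit on stale answers
        self.cache: Dict[str, Tuple[Answer, int]] = {}  # name -> (answer, absolute expiry)

    def _refresh(self, name: str, now: int) -> Tuple[Answer, int, str]:
        answer, ttl = self.upstream[name]
        self.cache[name] = (answer, now + ttl)
        return answer, ttl, "fresh"

    def lookup(self, name: str, now: int) -> Tuple[Answer, int, str]:
        """Return (answer, ttl_sent_to_client, source)."""
        if name not in self.cache:
            return self._refresh(name, now)
        answer, expires = self.cache[name]
        if now < expires:
            return answer, expires - now, "cached"
        # Expired. With serve-expired off the client waits for upstream, so a
        # changed IP or a new upstream filter rule takes effect immediately.
        if not self.serve_expired:
            return self._refresh(name, now)
        # serve-expired-ttl bounds how far past expiry a stale entry may be used.
        if self.serve_expired_ttl and now - expires > self.serve_expired_ttl:
            return self._refresh(name, now)
        # Otherwise answer from the stale entry right away (short reply TTL) and
        # refresh afterwards; this is the one query that bypasses the TTL check.
        self._refresh(name, now)
        return answer, SERVE_EXPIRED_REPLY_TTL, "stale"


def upstream_block_demo(serve_expired: bool, serve_expired_ttl: int = 0):
    """Cache a name, then have upstream start blocking it (constructed scenario)."""
    r = Resolver({"blocked.example": ("192.0.2.1", 60)}, serve_expired, serve_expired_ttl)
    r.lookup("blocked.example", 0)                # cached with TTL 60
    r.upstream["blocked.example"] = (None, 60)    # new filter rule applied upstream
    return r.lookup("blocked.example", 100)       # 40 s past expiry
```

With serve-expired on, the query at t=100 still gets the old 192.0.2.1 answer (source "stale") even though upstream now blocks the name; with it off, or with serve-expired-ttl set below 40, the block applies on that query.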