Date: Tue, 06 Sep 2016 11:24:25 +0100
From: Karl Pielorz
To: Matthew Seaman, freebsd-questions@freebsd.org
Subject: Re: Query re. /etc/resolv.conf...

--On 06 September 2016 10:33 +0100 Matthew Seaman wrote:

> Clearly this doesn't explain your observed behaviour. Hmmm.... No, I
> don't see how adding an extra nameserver to resolv.conf could give you
> any worse behaviour than before. I think you'd have to grab DNS
> traffic with tcpdump(8) and perform some detailed analyses to debug that.

I re-tested this under a 9.3 box - and it works as it should, it's only on our other 10.3 machines it fails (quite spectacularly compared to what it should do).

> However, my experience is that local unbound is extremely stable and not
> at all likely to fail. Adding extra nameservers to /etc/resolv.conf
> really doesn't get you very much, and just isn't worth the effort.

Yes, we've been running unbound for years (before it was included with FreeBSD) and it has been very stable.

The machine really gets stuffed if DNS fails though - so the thought of a "free" DNS of last resort in resolv.conf was tempting, but it looks like on 10.3 here we can't rely on that now as it makes the situation worse.

I'll have a dig around with tcpdump et al. and see if it turns anything up - before we just resort to 127.0.0.1 as the only listed NS.

-Karl