I am going crazy with this. Out of nowhere, I started getting the error "timed out resolving". Nothing has changed and this configuration has been rock solid for many years. That said, it is Ubuntu 20 LTS and up-to-date.

I have a fairly vanilla configuration of Bind with root hints disabled and forwarding to Google DNS. The purpose of this server is to handle all DNS queries on my network and forward anything that isn't local.

Oddly, tcpdump shows a successful query to the upstream nameserver but bind will randomly say it timed out resolving. I have tried a handful of upstream servers and this makes no difference. If I run dig or nslookup directed at the server and domain that has allegedly failed, I get a speedy response.

I enabled query error logging and that is blank. I have checked my firewall and routing machine. I have power-cycled all of the core equipment to no avail. As I mentioned, nothing has changed recently and this configuration has worked for years.

And if anyone was wondering, it is not an internet issue or physical network issue. Pings, iperf and all that are performing as expected with zero loss.

Thanks!

Make sure you are only serving local queries and not for the general internet. Also check you aren't being attacked. Typically, UDP packets are not lost in transit, but when buffers are full at the client. Do you have a lot of other network traffic?

Thanks for the reply.

Let me clarify, I have a zonefile of blocked hosts and known locahosts. These are checked first and if there is no match it is forwarded to known DNS servers. I do have a lot of requests but not a lot of continuous traffic. I have about 120 devices that need DNS. I did check and I can't find any kernel value that is coming close to maxing out. If I watch tcpdump I can see the query is made and succeeds, but bind says it time out. There is nothing getting dropped on any firewalls.

I'm ready to ditch named since it has already been replaced by Kea and it doesn't look like a good alternative as it is not a drop-in. I had to fire up unbound for the moment but I can already tell it is not a great fit either. Unbound has not failed to resolve anything valid (except LAN member lookups) as far as I can tell.

I need something that can resolve local hosts, block from my list, and reach out to external DNS if the request isn't satisfied.

Take a look at dnsmasq that can block domains/hosts from a list and forward queries to specified forwarders.

Regards

I used dnsmasq briefly long ago. I don't know if it was the build/version or the hardware, that too gave me trouble. It looks like Pi-Hole has matured and has everything I've been doing manually for years. I have installed it on an S922x board and appears to be keeping up. I may have a solution, but not an answer to my original inquiry.