Hi all, would it be possible to solve the problem by querying the authoritative server via the TCP protocol? If so, how can this be done in the recursor configuration (whether for a specific domain or globally)? Thanks.

Mira

On 23. 09. 20 at 9:23, Thomas Mieslinger via Pdns-users wrote:
> In my opinion this needs to be fixed at the authoritative end.
>
> These repeated recursive queries tend to produce retry waves. So
> recursors would need to implement a quadratic backoff or similar.
>
> Just from my mind... I took over authoritative DNS for a hoster. They
> claimed to have DDoS problems. In reality they just restarted their
> auths and the whole internet started to retry. Then a 100k or 200k req/s
> retry wave hit the auths.
>
> I'm doing this differently so that recursors do not start to retry and
> do not have to deal with waves.
>
> On 18.09.20 17:42, Winfried Angele via Pdns-users wrote:
>> Hi Mira,
>>
>> I think if a resolver retries on possibly overloaded or attacked
>> authoritative DNS servers, it gets even worse for them. So I'd recommend
>> trying to contact the people in charge of that domain and trying to
>> convince them to solve the problem on their side. And again, the
>> Recursor tries each nameserver address listed in the NS RRset. So it
>> does retry, but not on the same address. That means, in your case, all
>> DNS servers of that domain are overloaded or broken or attacked.
>>
>> Winfried
>>
>> On 18 September 2020 16:05:04 CEST, Mira Krejci <kre...@i3.cz> wrote:
>>> Hi Winfried,
>>>
>>> thank you for your reply.
>>> If it's a feature and can't be changed, I have a big problem that
>>> I'll have to solve by changing the software to another.
>>> For example, BIND asks more than once if an answer does not come. Users
>>> are angry that DNS resolving does not work for them (of course, the
>>> authoritative servers of a specific domain are to blame).
>>> But I have to solve it somehow.
>>>
>>> Thanks.
>>> Mira
>>>
>>> On 18. 09. 20 at 15:34, Winfried Angele wrote:
>>>> Hi Mira,
>>>>
>>>> Yes, the Recursor does not retry on *this* auth. But it tries the
>>>> other nameservers from the NS RR set, IPv4 and IPv6. So if you
>>>> have only one auth, the Recursor tries two times, IPv4 and IPv6, if
>>>> available.
>>>>
>>>> Winfried
>>>>
>>>> On 18 September 2020 14:47:49 CEST, Mira Krejci via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
>>>>> Hi,
>>>>>
>>>>> I have a problem: I can't force the pdns recursor to query the
>>>>> authoritative servers repeatedly if they do not answer. The Recursor tries
>>>>> the query only once and then returns an error (SERVFAIL) to the client.
>>>>> This is very problematic when the authoritative server is
>>>>> overloaded or there are some problems on the network. I didn't find any
>>>>> way in the configuration to change it.
>>>>>
>>>>> Server version: 4.2.2-1 (from EPEL repo on CentOS 8)
>>>>>
>>>>> Can anyone help?
>>>>> Thanks.
>>>>>
>>>>> Mira
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> Pdns-users mailing list
>>>>> Pdns-users@mailman.powerdns.com
>>>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
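To illustrate the retry-wave argument made in the thread (many recursors retrying in lockstep after an auth restart, versus backing off quadratically), here is a small simulation added to this thread; it is a constructed example, not PowerDNS code, and the population size (1000 recursors), auth capacity (100 queries/s) and jitter range are assumptions.

```python
"""Toy simulation of the retry-wave effect discussed in the thread.

Constructed example: N recursors each have one query outstanding when the
auth comes back after a restart.  The auth can answer `capacity` queries per
second; anything above that is dropped (times out).  A recursor whose query
timed out either retries one second later in lockstep with everyone else
("fixed"), or waits attempt**2 seconds plus a random jitter ("quadratic"),
the backoff suggested in the thread.  Not PowerDNS code.
"""
import random


def simulate(num_recursors, capacity, quadratic, horizon=500, seed=1):
    """Return the peak size of any retry wave (load at t >= 1), the total
    number of queries the auth received, and the time to drain the backlog."""
    rng = random.Random(seed)          # fixed seed: deterministic runs
    next_send = [0] * num_recursors    # second at which each recursor sends
    attempts = [0] * num_recursors     # timeouts seen so far per recursor
    answered = [False] * num_recursors
    retry_peak = 0
    queries_sent = 0
    for t in range(horizon):
        senders = [i for i in range(num_recursors)
                   if not answered[i] and next_send[i] == t]
        queries_sent += len(senders)
        if t >= 1:
            retry_peak = max(retry_peak, len(senders))
        rng.shuffle(senders)           # auth answers whichever arrive first
        for i in senders[:capacity]:
            answered[i] = True
        for i in senders[capacity:]:   # dropped: this recursor times out
            attempts[i] += 1
            if quadratic:
                # 1, 4, 9, ... seconds plus jitter so the waves spread out
                delay = attempts[i] ** 2 + rng.randint(0, attempts[i])
            else:
                delay = 1              # everyone retries next second
            next_send[i] = t + delay
        if all(answered):
            return {"retry_peak": retry_peak, "queries_sent": queries_sent,
                    "drain_time": t + 1}
    return {"retry_peak": retry_peak, "queries_sent": queries_sent,
            "drain_time": None}


if __name__ == "__main__":
    for policy in (False, True):
        print("quadratic" if policy else "fixed",
              simulate(num_recursors=1000, capacity=100, quadratic=policy))
```

With lockstep retries the auth sees a 900-query wave every second until the backlog drains; with jittered quadratic backoff the waves are smaller and the auth receives far fewer queries in total, at the cost of a longer drain time.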