Hi Mira,

how about adding the following to your forward zones:

+not.working.domain=9.9.9.9

the other thing that could be your problem is that the auth server
operator has some sort of ratelimiting to protect the auth server from
overload.

Have you tried to contact the auth server operator?

Cheers

Thomas

On 9/23/20 4:27 PM, Mira Krejci via Pdns-users wrote:
Hi all,

would it be possible to solve the problem by querying the authoritative
server via the TCP protocol? If so, how to do this in the recursor
configuration (whether for a specific domain or globally)?
Thanks.

Mira

Dne 23. 09. 20 v 9:23 Thomas Mieslinger via Pdns-users napsal(a):
In my opinion this needs to be fixed at the authoritative end.

These repeated recursive queries tend to produce retry waves. So
recursors would need to implement a quadratic backoff or similar.

Just from my mind... I took over authoritative DNS for a hoster. They
claimed to have ddos problems. In reality they just restarted their
auths and the whole internet started to retry. Then a 100k or 200k req/s
retry wave hit the auths.

I'm doing this differently so that recursor do not start to retry and
have not to deal with waves.

On 18.09.20 17:42, Winfried Angele via Pdns-users wrote:
Hi Mira,

I think if a Resolver retries on possibly overloaded or attacked
authoritative DNS servers, it gets even worse for them. So I'd recommend
to try to contact the people in charge for that domain and try to
convince them to solve the problem on their side. And again, the
Recursor tries on each nameserver's address listed in the NS RRset. So it
does retries, but not on the same address. That means, in your case, all
DNS servers of that domain are overloaded or broken or attacked.

Winfried


Am 18. September 2020 16:05:04 MESZ schrieb Mira Krejci <kre...@i3.cz>:


     Hi Winfried,

     thank you for your reply.
     If it's a feature and can't be changed, I have a big problem that
     I'll have to solve by changing the software to another.
     For example, Bind asks more than once if answer does not come. Users
     are angry that DNS resolving does not work for them (of course, it
     is to blame for authoritative servers of a specific domain).
     But I have to solve it somehow.

     Thanks.
     Mira

     Dne 18. 09. 20 v 15:34 Winfried Angele napsal(a):
     Hi Mira,

     Yes the Recursor does no retry on *this* auth. But it tries on the
     other nameservers from the NS RR set. IPv4 and IPv6. So if you
     have only one auth, Recursor tries two times, IPv4 and IPv6 if
     available.

     Winfried



     Am 18. September 2020 14:47:49 MESZ schrieb Mira Krejci via
     Pdns-users <pdns-users@mailman.powerdns.com>:

         Hi,

         I have a problem that I can't force the pdns recursor to query the
         authoritative servers repeatedly if they do not answer. Recursor tries
         the query only once and then returns an error (SERVFAIL) to the client.
         This is very problematic when the authoritative server is overloaded or
         there are some problems on the network. I didn't find any way in the
         configuration to change it.

         Server version: 4.2.2-1 (from EPEL repo on CentOS 8)

         Can anyone help?
         Thanks.

         Mira

------------------------------------------------------------------------

         Pdns-users mailing list
         Pdns-users@mailman.powerdns.com
         https://mailman.powerdns.com/mailman/listinfo/pdns-users



