Hi Thomas, thanks a lot for the idea. The forwarding solution will definitely work. I have already tried to solve this problem by forwarding, but I overlooked the need for a prefixed "+" before the domain name, and because of that it did not work.
Mira

On 24. 09. 20 at 7:34, Thomas Mieslinger via Pdns-users wrote:
> Hi Mira,
>
> how about adding the following to your forward zones:
>
> +not.working.domain=9.9.9.9
>
> the other thing that could be your problem is that the auth server
> operator has some sort of ratelimiting to protect the auth server from
> overload.
>
> Have you tried to contact the auth server operator?
>
> Cheers
>
> Thomas
>
> On 9/23/20 4:27 PM, Mira Krejci via Pdns-users wrote:
>> Hi all,
>>
>> would it be possible to solve the problem by querying the authoritative
>> server via the TCP protocol? If so, how to do this in the recursor
>> configuration (whether for a specific domain or globally)?
>> Thanks.
>>
>> Mira
>>
>> On 23. 09. 20 at 9:23, Thomas Mieslinger via Pdns-users wrote:
>>> In my opinion this needs to be fixed at the authoritative end.
>>>
>>> These repeated recursive queries tend to produce retry waves. So
>>> recursors would need to implement a quadratic backoff or similar.
>>>
>>> Just from my mind... I took over authoritative DNS for a hoster. They
>>> claimed to have ddos problems. In reality they just restarted their
>>> auths and the whole internet started to retry. Then a 100k or 200k
>>> req/s retry wave hit the auths.
>>>
>>> I'm doing this differently so that recursor do not start to retry and
>>> have not to deal with waves.
>>>
>>> On 18.09.20 17:42, Winfried Angele via Pdns-users wrote:
>>>> Hi Mira,
>>>>
>>>> I think if a Resolver retries on possibly overloaded or attacked
>>>> authoritative DNS servers, it gets even worse for them. So I'd
>>>> recommend to try to contact the people in charge for that domain and
>>>> try to convince them to solve the problem on their side. And again,
>>>> the Recursor tries on each nameserver address listed in the NS RRset.
>>>> So it does retries, but not on the same address. That means, in your
>>>> case, all DNS servers of that domain are overloaded or broken or
>>>> attacked.
>>>>
>>>> Winfried
>>>>
>>>>
>>>> On 18 September 2020 16:05:04 CEST, Mira Krejci <kre...@i3.cz> wrote:
>>>>
>>>>     Hi Winfried,
>>>>
>>>>     thank you for your reply.
>>>>     If it's a feature and can't be changed, I have a big problem that
>>>>     I'll have to solve by changing the software to another.
>>>>     For example, Bind asks more than once if an answer does not come.
>>>>     Users are angry that DNS resolving does not work for them (of
>>>>     course, it is to blame for authoritative servers of a specific
>>>>     domain).
>>>>     But I have to solve it somehow.
>>>>
>>>>     Thanks.
>>>>     Mira
>>>>
>>>>     On 18. 09. 20 at 15:34, Winfried Angele wrote:
>>>>>     Hi Mira,
>>>>>
>>>>>     Yes the Recursor does not retry on *this* auth. But it tries on
>>>>>     the other nameservers from the NS RR set. IPv4 and IPv6. So if
>>>>>     you have only one auth, Recursor tries two times, IPv4 and IPv6
>>>>>     if available.
>>>>>
>>>>>     Winfried
>>>>>
>>>>>
>>>>>     On 18 September 2020 14:47:49 CEST, Mira Krejci via
>>>>>     Pdns-users <pdns-users@mailman.powerdns.com> wrote:
>>>>>
>>>>>         Hi,
>>>>>
>>>>>         I have a problem that I can't force the pdns recursor to
>>>>>         query the authoritative servers repeatedly if they do not
>>>>>         answer. Recursor tries the query only once and then returns
>>>>>         an error (SERVFAIL) to the client.
>>>>>         This is very problematic when the authoritative server is
>>>>>         overloaded or there are some problems on the network. I
>>>>>         didn't find any way in the configuration to change it.
>>>>>
>>>>>         Server version: 4.2.2-1 (from EPEL repo on CentOS 8)
>>>>>
>>>>>         Can anyone help?
>>>>>         Thanks.
>>>>>
>>>>>         Mira
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> Pdns-users mailing list
>>>>> Pdns-users@mailman.powerdns.com
>>>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
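
The forwarding fix discussed in this thread, written out as PowerDNS Recursor configuration. This is an added example, not part of the original messages; the file paths are assumptions, while the domain and forwarder address are the ones quoted above.

```ini
# --- /etc/pdns-recursor/recursor.conf (path is an assumption) ---

# Option 1: keep per-zone forwards in a separate file, one zone per line.
# The file name below is hypothetical.
forward-zones-file=/etc/pdns-recursor/forward-zones.conf

# Option 2 (alternative to the file): forward the zone with the
# recursion-desired bit set, directly from recursor.conf.
# forward-zones-recurse=not.working.domain=9.9.9.9

# --- /etc/pdns-recursor/forward-zones.conf ---

# A leading "+" means the query is sent with the recursion-desired bit set,
# as with forward-zones-recurse. That is required when the target is another
# resolver (here 9.9.9.9) rather than an authoritative server.
+not.working.domain=9.9.9.9

# Without the "+", the entry behaves like forward-zones: the target is
# queried as if it were authoritative, so a resolver target will not
# recurse on the Recursor's behalf.
# not.working.domain=9.9.9.9
```

After editing the zone file, `rec_control reload-zones` makes the running Recursor pick up the change. Answers for the forwarded zone then depend on the forwarder's own resolution and retry behaviour.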