On Tue, Feb 08, 2022 at 01:24:03PM +0100, Thomas Mieslinger via Pdns-users
wrote:
> In my experience pdns_recursor (okay, I tested only with older versions)
> will not retry fast enough to have a 100% user experience.
It is worth the trouble to test this again. Modern recursors are more
smart in this area. Though dnsdist is maybe best fitted for this
purpose.
-Otto
>
> I moved to bgp with my internal auth addresses. The auths check themself
> and announce their service IP only if they are ready to answer.
>
> If you don't have the chance to move to bgp, give dnsdist a try. In my
> experience it does a very good job on figuring out whether a server is
> up or not.
>
> Both options complicate your setup. You could experiment with
> server-down-max-fails and server-down-throttle-time to minimize the
> number of lost queries to not responding Nameservers. But thats
> dangerous too, because this setting is for all servers, not only your
> internal auths.
>
> But remember, pdns_recursor does not do background checking whether a
> Nameserver is alive. Background checking is only done by dnsdist afaik.
>
> Cheers Thomas
>
> Am 08.02.22 um 13:08 schrieb Prochazka via Pdns-users:
> > Hello,
> >
> > using pdns-recursor 4.5.7-1pdns.bullseye i am getting problem with dns
> > redundancy for records with expired ttl (best seen on low ttl). Forward
> > zones are used for internal domains only. Our clients has configured 3
> > recurcors (resolv.conf) and every recursor connect to any of the four
> > auth servers for our domains. All subdomains are delegated to own zones
> > but resides on the same auth servers, extra step is using forward-zones.
> > I thought, it's depending on configured order, so i set it to use same
> > location first and remote location on the end (evading firewall, if it's
> > possible).
> >
> > Pdns recursor config:
> >
> > ...
> > forward-zones=
> > forward-zones+=some.domain.tld=AUTH1_ipv6
> > forward-zones+=some.domain.tld=AUTH1_ipv4
> > forward-zones+=some.domain.tld=AUTH2_ipv6
> > forward-zones+=some.domain.tld=AUTH2_ipv4
> > forward-zones+=some.domain.tld=AUTH3_ipv6
> > forward-zones+=some.domain.tld=AUTH3_ipv4
> > forward-zones+=some.domain.tld=AUTH4_ipv6
> > forward-zones+=some.domain.tld=AUTH4_ipv4
> > ...
> >
> > AAAA dns query:
> > ;; QUESTION SECTION:
> > ;host.some.domain.tld. IN AAAA
> >
> > ;; ANSWER SECTION:
> > host.some.domain.tld. 60 IN CNAME host1.some.domain.tld.
> > host1.some.domain.tld. 3600 IN AAAA host1_ipv6
> >
> > Problem:
> > When there is maintenance on for example AUTH4 (server is offline):
> >
> > Client <-> Recursor:
> > 233336 2022-02-08 01:57:58,031241 client_ipv6 REC1_ipv6
> > DNS 106 Standard query 0x7f30 AAAA host.some.domain.tld
> > 233337 2022-02-08 01:57:58,031241 client_ipv6 REC1_ipv6
> > DNS 106 Standard query 0xb42e A host.some.domain.tld
> > 233442 2022-02-08 01:57:59,902472 REC1_ipv6 client_ipv6
> > DNS 106 Standard query response 0x7f30 Server failure AAAA
> > host.some.domain.tld
> > 233443 2022-02-08 01:57:59,902577 REC1_ipv6 client_ipv6
> > DNS 106 Standard query response 0xb42e Server failure A
> > host.some.domain.tld
> >
> > Recursor <-> Auth:
> > 196982 2022-02-08 01:57:58,031733 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0xedac AAAA host.some.domain.tld OPT
> > 196983 2022-02-08 01:57:58,031981 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0x1246 A host.some.domain.tld OPT
> > ...
> > 197989 2022-02-08 01:58:13,667275 REC1_ipv4 AUTH1_ipv4
> > DNS 107 Standard query 0xf4e9 A host.some.domain.tld.domain.tld OPT
> > 197990 2022-02-08 01:58:13,667542 REC1_ipv4 AUTH1_ipv4
> > DNS 107 Standard query 0xff8c AAAA host.some.domain.tld.domain.tld
> > OPT
> > 197991 2022-02-08 01:58:13,671010 AUTH1_ipv4 REC1_ipv4
> > DNS 154 Standard query response 0xf4e9 No such name A
> > host.some.domain.tld.domain.tld SOA ns.domain.tld OPT
> > 197992 2022-02-08 01:58:13,671222 AUTH1_ipv4 REC1_ipv4
> > DNS 154 Standard query response 0xff8c No such name AAAA
> > host.some.domain.tld.domain.tld SOA ns.domain.tld OPT
> > ...
> > 218012 2022-02-08 02:02:03,229271 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0xce1c A host.some.domain.tld OPT
> > 218013 2022-02-08 02:02:03,229359 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0xccf5 AAAA host.some.domain.tld OPT
> > 218014 2022-02-08 02:02:03,232700 AUTH4_ipv4 REC1_ipv4
> > DNS 140 Standard query response 0xce1c A host.some.domain.tld
> > CNAME host1.some.domain.tld A host1_ipv4 OPT
> > 218015 2022-02-08 02:02:03,232700 AUTH4_ipv4 REC1_ipv4
> > DNS 152 Standard query response 0xccf5 AAAA host.some.domain.tld
> > CNAME host1.some.domain.tld AAAA host1_ipv6 OPT
> >
> > It looks as recursor is querying the same Auth server for such record
> > until server is up. How to change such setup so maintenance don't break
> > resolving?
> >
> > Thanks.
> >
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users@mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
