Maintained by: NLnet Labs

[Unbound-users] Can't resolve m.facebook.com

W.C.A. Wijngaards
Thu Feb 9 09:56:36 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Attila,

On 02/09/2012 08:29 AM, Attila Nagy wrote:
> Hi,
> 
> Running unbound r2580, I can't resolve m.facebook.com. I get
> SERVFAIL back. The server was running for some time, so it's not in
> a fresh state. It seems the problem is that facebook DNS servers
> time out on AAAA records, so unbound gets the false assumption that
> they are unavailable.

Well if you do not respond to queries, you deserve what you get.  DNS
has noanswer-nodata packets and this is what should be used.  They do
not implement RFC1034.  And for that facebook deserves to be offline.

That said, you want your users to be able to connect to sites that
have broken software (or more likely: bad firewall).  The feature you
name would not actually stop unbounds internal lookups for the AAAA
for the nameserver.  You would need to configure a stub-zone in the
config file with the IP4s of the nameservers as a workaround.

The workaround for one name specific is not the right thing.  Not sure
how to fix this in a more general way.  Store timeout information
per-query-type and query-name specific (it is already per-zone) ?
That makes the timeout information useless for new queries.

I am not sure how to fix this, because on the other hand, very similar
situations would result in continuous probes to a server that is down.
 And this also adds load to unbound.

> Here are the verbose (level 4) logs while trying to resolve the
> name:

Thanks, yes, it is doing a lot of AAAA lookups and those timeouts have
added up to make the zone offline.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPM4o/AAoJEJ9vHC1+BF+NFC4P/RwNDT6CcR9deHsNjLATlXfT
hwJc3XqkD+CpuhqwHlpxuT5ULYIo3sKbNcRKQIl+3ZavULol+cX7TC7DcAlVyIhO
lAOifRVaRdKbrLZgQilbxP6l5Ca6/U7sNkoxTAIMOn9qhe62WHmrbRolD4AyIEFo
aJkFk1ZXBwwpkMuEHwmPLKtGVygNQLCmznPeDdfvCiHCws5ZRdpn57WjCCyIWcLm
I6390D9fDVSHPkYx7PEmsz7TjyzYywvBVE8VOR0ZPMgzV6SKcMVBBVCKNPi3FZh9
hfTiy/AtmrsfasDaSjfXzjRCxOr8kf1LOyIU9gtVVdNYk+GyKZ8ZYQK0LxBpFvZ+
UqxOTDqoWvjxLx5/SNC2FkSKu9F9gho5qNRXCn4lOBqYEpwLvMfn/S1HxsEJ6lkp
AXSx3rLyjqiW8yUjWCZcKGvRklXgFOg1kgmKIVrzkCbyh54JF7Hp+Od3GkSvjG58
naM/swzrS6yRjN6SLCNI+oa9Kw8NMLsoQJ1auVXw9R2tXu/NKm+uKFv+Pgn+cKNt
/ZXN39GfahQf9G6kP04M31n6tJsxQ6J9dKvaS+8Edq9KZls9H9CFY+kkjnVnWeWh
tzZFQlZ0wTRyQsgub3gMAhc0YxhZeb0M90M/+e+Chmp7bGLGJ/F67VcIU/E4ygiD
XMfdyvDG3t6Mk9E0X0b6
=c9xt
-----END PGP SIGNATURE-----