Maintained by: NLnet Labs

[Unbound-users] Can't resolve m.facebook.com

Leen Besselink
Thu Feb 9 10:11:41 CET 2012


On Thu, Feb 09, 2012 at 09:56:36AM +0100, W.C.A. Wijngaards wrote:
> Hi Attila,
> 
> On 02/09/2012 08:29 AM, Attila Nagy wrote:
> > Hi,
> > 
> > Running unbound r2580, I can't resolve m.facebook.com. I get
> > SERVFAIL back. The server was running for some time, so it's not in
> > a fresh state. It seems the problem is that facebook DNS servers
> > time out on AAAA records, so unbound gets the false assumption that
> > they are unavailable.
> 
> Well if you do not respond to queries, you deserve what you get.  DNS
> has noanswer-nodata packets and this is what should be used.  They do
> not implement RFC1034.  And for that facebook deserves to be offline.
> 
> That said, you want your users to be able to connect to sites that
> have broken software (or more likely: bad firewall).  The feature you
> name would not actually stop unbound's internal lookups for the AAAA
> for the nameserver.  You would need to configure a stub-zone in the
> config file with the IP4s of the nameservers as a workaround.
> 
> The workaround for one name specific is not the right thing.  Not sure
> how to fix this in a more general way.  Store timeout information
> per-query-type and query-name specific (it is already per-zone)?
> That makes the timeout information useless for new queries.
> 
> I am not sure how to fix this, because on the other hand, very similar
> situations would result in continuous probes to a server that is down.
> And this also adds load to unbound.
> 
> > Here are the verbose (level 4) logs while trying to resolve the
> > name:
> 
> Thanks, yes, it is doing a lot of AAAA lookups and those timeouts have
> added up to make the zone offline.
> 

I think I know of a hack: try a SOA or NS lookup on the apex at the same nameservers?

Then you know it is still up and running.

I don't know if it is possible to know the apex at all times. And you probably
have to keep more state. :-(

It is an incredibly stupid hack, I know.

> Best regards,
>    Wouter
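
A simplified model of the apex-probe idea discussed in this message, added here as an example (it is not Unbound's code and was not posted in the thread). The timeout threshold, the names under example.com and the two constructed servers are assumptions; it shows a server that silently drops AAAA staying usable when probed, while a server that is really down is still marked offline after one extra query.

```python
# Simplified model, not Unbound's implementation. All names and the
# threshold below are assumptions made for this example.
DOWN_AFTER = 3  # assumed: consecutive timeouts before a server is marked down


def selective_server(qname, qtype):
    """Constructed server: silently drops AAAA, answers everything else."""
    if qtype == "AAAA":
        return None  # timeout instead of a NODATA reply
    return f"{qtype} answer for {qname}"


def dead_server(qname, qtype):
    """Constructed server that is really offline: every query times out."""
    return None


class Resolver:
    def __init__(self, server, apex, probe_apex):
        self.server, self.apex, self.probe_apex = server, apex, probe_apex
        self.timeouts = 0   # per-server timeout state
        self.down = False
        self.probes = 0     # extra queries spent on liveness checks

    def query(self, qname, qtype):
        if self.down:
            return "SERVFAIL"
        reply = self.server(qname, qtype)
        if reply is not None:
            self.timeouts = 0
            return reply
        self.timeouts += 1
        if self.timeouts >= DOWN_AFTER:
            alive = False
            if self.probe_apex:
                # The hack: ask the same server for the apex SOA first.
                self.probes += 1
                alive = self.server(self.apex, "SOA") is not None
            if alive:
                self.timeouts = 0  # server is up; only this qtype is dropped
            else:
                self.down = True
        return "SERVFAIL"


def run(server, probe_apex):
    r = Resolver(server, "example.com", probe_apex)
    for _ in range(5):  # internal AAAA lookups for the nameserver name
        r.query("ns1.example.com", "AAAA")
    return r.query("m.example.com", "A"), r.probes
```
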