[Unbound-users] reddit.com issue

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Aug 25 07:16:38 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 08/25/2014 06:58 AM, Thomas Guthmann wrote:
> Hi,
> 
> Like this ?
> 
> 15    A IN http???www.reddit.com. 221.211696 iterator wait for
> 173.245.58.24 22 AAAA IN http???www.reddit.com. 0.097014 iterator
> wait for 198.41.222.24

Yes.  The reddit servers (or likely, their load-balancers) are not
following the DNS specifications.  They are dropping the query and
they should be replying.  There was a draft at the IETF even to mark
this as harmful, but it did not progress through the standards track,
I believe.  If they want to refuse the query for unclear reasons (what
is wrong with responding NXDOMAIN?) they could choose from nice error
codes like SERVFAIL and FORMERR and REFUSED.

Unbound notices the domain does not respond to A queries.  And marks
the domain as timeouted, down, for A queries.  Unbound stops sending A
queries there to attempt to trottle down traffic towards that stricken
server.  If A queries get replies (there is an exponential backoff to
the queries sent out) then unbound marks the server as responsive
again (the server is considered back up) and queries are resumed.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT+uLWAAoJEJ9vHC1+BF+N39wP/jU1xWEwCgfMdmntb1zwfob8
EeU3a6/aAyX3RmNURahsp9btg1aT6E29muEGwScypEHpJ/lfHcVe9pyOiVx2u0di
hn72Ys8htjVPhTrf7TNd5bS0S/ylnJNwBwTkDX8DHtokkMEWhVOciQrF+bTDJQO0
EYrbLMrzIau9MKoRWyBp4e7Nuhqzl6lJDx4y/GXqyW63zpkvlyyiSbGlhaqrZe2A
n0eJbVp44UL3WjgZylI/KRNNiQOV3dvwRmRYT84URh/iMPItQHlsk5S39PUm+NSv
VK+x0iV5Jzd8VO8ywMbIWJepmCaAShBP38dWishVPWpmaK9Vp8ZnymRGYV/I3LkH
JYBsMaJpiZgJEDtrky9bmlLwAelOdNbHONvwTGNIu27/0X3hCKvq+8tgROucdpyl
Na/4kXAltX9aKL6cZSgoTbmWFeN2vobVV5TDAFmPGm04ctfHCi13So0RL43+I4ZC
pBLGC/8IG+wjZVc5/mjzB98xYwQ/3XSf0iquidxolOzxwGfohKfgtp55YLBwXr2/
ZQQEVqPJWdHHPJC7N28J1ilZW7rTJMkgemXpWuzr8TszaIw+UMDCGc0sbVAkrNtN
8zRzBaQ4IoCJbnWzlVfvrgnVW9F2y05PsWqxylZuWmrYdnNixg2trOemftj3Z4x/
YiP1s6Pb+vUM20jW+Ssn
=pS0r
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list