Maintained by: NLnet Labs

[Unbound-users] reddit.com issue

Maciej Soltysiak
Mon Aug 25 13:05:05 CEST 2014


On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> Yes.  The reddit servers (or likely, their load-balancers) are not
> following the DNS specifications.  They are dropping the query and
> they should be replying.  There was a draft at the IETF even to mark
> this as harmful, but it did not progress through the standards track,
> I believe.  If they want to refuse the query for unclear reasons (what
> is wrong with responding NXDOMAIN?) they could choose from nice error
> codes like SERVFAIL and FORMERR and REFUSED.
Yup. I have a domain that goes through cloudflare. I just asked
cloudflare NSes for a name with a colon and it behaves the same (drop).
When I asked the parents, they answered.

Cloudflare seems to do the same thing for their customers.

If not FORMERR, they could've at least sent ICMP administratively
prohibited to mark that this particular comms is not ok with them.
That would've made unbound record a failure.

It's silly because in order to immunize your cache against this you
would have to start your own filtering... That shouldn't be the point.

> Unbound notices the domain does not respond to A queries.  And marks
> the domain as timed out, down, for A queries.  Unbound stops sending A
> queries there to attempt to throttle down traffic towards that stricken
> server.  If A queries get replies (there is an exponential backoff to
> the queries sent out) then unbound marks the server as responsive
> again (the server is considered back up) and queries are resumed.
Is there any unbound-control command to help in this situation? i.e.
manually override the backoff or reset it? Would flush_type or
flush_name help?

Best regards,
Maciej
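The check described in this thread (asking an authoritative server for a name with a colon and seeing whether it drops the query or answers with an error code), as an added example that is not part of the original post or of Unbound. It builds the DNS query byte by byte so the colon reaches the server unchanged, then maps the outcome to DROP / FORMERR / NXDOMAIN / REFUSED; the server address and query name are command-line arguments you supply.

```python
import socket
import struct
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Minimal DNS query (RD=1, one question, class IN). Labels are copied
    byte-for-byte, so a colon or other odd character is sent as-is."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        question += bytes([len(raw)]) + raw
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_reply(query: bytes, reply: Optional[bytes]) -> str:
    """Map a raw reply (None on timeout) to the outcomes discussed in the thread."""
    if reply is None:
        return "DROP"  # the behaviour complained about: no answer at all
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "MALFORMED"  # wrong transaction ID or QR bit not set
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))


def probe(server: str, qname: str, timeout: float = 3.0) -> str:
    """Send one UDP query to the given server and classify what comes back."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(q, reply)


if __name__ == "__main__":
    import sys
    # e.g.: python3 probe.py <nameserver-ip> 'a:b.example.com'
    print(probe(sys.argv[1], sys.argv[2]))
```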