Maintained by: NLnet Labs

[Unbound-users] reddit.com issue

W.C.A. Wijngaards
Mon Aug 25 13:28:41 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Maciej,

On 08/25/2014 01:05 PM, Maciej Soltysiak wrote:
> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards
> <wouter at nlnetlabs.nl> wrote:
>> Yes.  The reddit servers (or likely, their load-balancers) are
>> not following the DNS specifications.  They are dropping the
>> query and they should be replying.  There was a draft at the IETF
>> even to mark this as harmful, but it did not progress through the
>> standards track, I believe.  If they want to refuse the query for
>> unclear reasons (what is wrong with responding NXDOMAIN?) they
>> could choose from nice error codes like SERVFAIL and FORMERR and
>> REFUSED.
> Yup. I have a domain that goes through cloudflare. I just asked
> cloudflare NSes for a name with a colon and it behaves the same
> (drop). When I asked the parents, they answered.
> 
> Cloudflare seems to do the same thing for their customers.
> 
> If not FORMERR, they could've at least sent ICMP administratively
> prohibited to mark that this particular comms is not ok with them.
> That would've made unbound record a failure.
> 
> It's silly because in order to immunize your cache against this
> you would have to start your own filtering... That shouldn't be the
> point.
> 
>> Unbound notices the domain does not respond to A queries.  And
>> marks the domain as timed out, down, for A queries.  Unbound
>> stops sending A queries there to attempt to throttle down traffic
>> towards that stricken server.  If A queries get replies (there is
>> an exponential backoff to the queries sent out) then unbound
>> marks the server as responsive again (the server is considered
>> back up) and queries are resumed.
> Is there any unbound-control command to help in this situation?
> i.e. manually override the backoff or reset it? Would flush_type
> or flush_name help?

unbound-control flush_infra [all | ip-address of the nameserver]

This deletes the timing information so queries are sent again.

You could also reduce the infra-ttl in the config, so that unbound
forgets this sort of thing faster.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
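As an added example (editor's code, not from the list thread or from NLnet Labs): before running flush_infra it helps to see which nameserver addresses Unbound has actually backed off from, rather than flushing the whole infra cache. The script below reads text in the layout of `unbound-control dump_infra` and emits one `flush_infra <ip>` command per host with recorded A-query timeouts. The sample dump is constructed; the field layout (`ip zone ttl N ping N var N rtt N rto N tA N tAAAA N tother N ...`) and the 120000 ms ceiling on `rto` are taken from the Unbound remote-control code as I recall it and should be checked against your own `dump_infra` output before use.

```shell
#!/bin/sh
# Added example: locate infra-cache entries Unbound is throttling and
# print the unbound-control commands that would reset them.

# Constructed sample in the (assumed) layout of `unbound-control dump_infra`.
# 198.51.100.7 has tA=5 (five A-query timeouts) and rto=120000, the
# maximum backoff, so Unbound will only probe it occasionally.
SAMPLE_DUMP='192.0.2.10 reddit.com. ttl 812 ping 0 var 94 rtt 376 rto 376 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.7 reddit.com. ttl 780 ping 0 var 94 rtt 376 rto 120000 tA 5 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
203.0.113.2 example.net. ttl 900 ping 12 var 4 rtt 28 rto 28 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0'

# backed_off_hosts: read dump_infra text on stdin and print
# "ip zone rto tA" for every entry whose A-query timeout counter is > 0.
# Fields are located by their label rather than by fixed position, so a
# slightly different column order in another version still parses.
backed_off_hosts() {
    awk '{
        ip = $1; zone = $2; rto = ""; ta = "";
        for (i = 3; i < NF; i++) {
            if ($i == "rto") rto = $(i + 1);
            if ($i == "tA")  ta  = $(i + 1);
        }
        if (ta + 0 > 0) print ip, zone, rto, ta;
    }'
}

# flush_commands: turn that list into per-address flush_infra invocations,
# which reset the timing information so Unbound sends queries again.
flush_commands() {
    backed_off_hosts | awk '{ printf "unbound-control flush_infra %s\n", $1 }'
}

# Live use against a running resolver (not executed here):
#   unbound-control dump_infra | flush_commands
#   unbound-control dump_infra | flush_commands | sh
```

For the sample above, `printf '%s\n' "$SAMPLE_DUMP" | flush_commands` prints a single `unbound-control flush_infra 198.51.100.7`. To make the resolver forget such entries sooner permanently, the `server:` option that controls this lifetime is `infra-host-ttl` (seconds; 900 by default in the versions I have used), which is the "infra-ttl" Wouter refers to.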