[dnsdist] Empty NOERROR being sent when backend times out
Remi Gacogne
remi.gacogne at powerdns.com
Fri Feb 9 10:10:31 UTC 2024
Hi,
On 09/02/2024 11:05, Adam Bishop via dnsdist wrote:
> I'm seeing an issue where caching resolvers outside of our network are
> occasionally storing empty responses to queries.
>
> I think what's happening is that when a query is made and there's a
> backend timeout, dnsdist is responding to the user with an empty answer
> and NOERROR. Messages about a backend being marked as down are in the
> log coinciding with when this has happened.
dnsdist cannot generate a response from a timeout, it simply does not
respond at all.
It can however generate a SERVFAIL if there is no backend available when
setServFailWhenNoServer [1] is set, which is not the default, but the
backends need to be marked as unavailable when the query comes in,
dnsdist will not generate a response once the query has been forwarded
to a backend.
> I've not caught dnsdist in the act yet with a packet capture as the
> issue is infrequent, but am I on the right track?
>
> Is it possible to make dnsdist respond with a SERVFAIL for a backend
> timeout?
Nope.
[1]: https://dnsdist.org/guides/serverselection.html#setServFailWhenNoServer
Hope that helps,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
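
An added example, not part of the original message or of dnsdist: a header-only classifier for DNS payloads pulled from a packet capture, to separate the three outcomes discussed in this thread (SERVFAIL, a normal answer, and a NOERROR response with nothing in the answer or authority sections). The function names and the sample messages are constructed for illustration; the check shows what was on the wire, not which component produced it.

```python
import struct

QR, TC = 0x8000, 0x0200
RCODES = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def classify(msg: bytes) -> str:
    """Classify a raw DNS message (UDP payload) from its 12-byte header only."""
    if len(msg) < 12:
        return "malformed"
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        return "query"
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODES.get(rcode, f"RCODE{rcode}")
    if flags & TC:
        return "NOERROR-truncated"  # client is expected to retry over TCP
    if an:
        return "NOERROR-answer"
    # No answer records: with authority records this may be a referral
    # or a NODATA response carrying an SOA, so report it separately.
    return "NOERROR-no-answer-with-authority" if ns else "NOERROR-empty"

def suspicious(messages):
    """Indexes of responses that are NOERROR with empty answer and authority."""
    return [i for i, m in enumerate(messages) if classify(m) == "NOERROR-empty"]

# --- constructed sample messages (not taken from a real capture) ---
def _msg(flags, an=0, ns=0, records=b""):
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)  # example.com A IN
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0) + question + records

A_RR = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SOA_RR = (b"\xc0\x0c" + struct.pack("!2HIH", 6, 1, 300, 24) + b"\xc0\x0c" * 2
          + struct.pack("!5I", 1, 3600, 600, 86400, 300))

SAMPLES = [
    _msg(0x0100),                        # query (RD set)
    _msg(0x8180, an=1, records=A_RR),    # normal answer
    _msg(0x8180),                        # NOERROR, no answer, no authority
    _msg(0x8182),                        # SERVFAIL
    _msg(0x8180, ns=1, records=SOA_RR),  # NODATA carrying an SOA
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES):
        print(i, classify(m))
    print("empty NOERROR at indexes:", suspicious(SAMPLES))
```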