On Mon, Nov 12, 2012 at 10:48 AM, Đức Vinh Hồ <span dir="ltr"><<a href="mailto:vinh.ho2110@gmail.com" target="_blank">vinh.ho2110@gmail.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<br></blockquote><div><br></div><div>Hi there, </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">My website is using PDNS round robin with too many servers pointed to 1 domain name. I mean:<br>
<br> Name Type Content<br> <a href="http://abc.com" target="_blank">abc.com</a> A X.X.X.1<br>
<a href="http://abc.com" target="_blank">abc.com</a> A X.X.X.2<br>.....<br> <a href="http://abc.com" target="_blank">abc.com</a> A X.X.X.50<br>
.....<br>
<br>A couple of days ago, my boss complained to me that sometimes he can't access the website at night.<br>After much research, I found that a DNS message carried in UDP <b>cannot</b> exceed 512 bytes.<br>When a UDP DNS message exceeds 512 octets/bytes, the <b>TRUNCATED</b>
bit is included in the response, indicating to the client/resolver that
not all of the answers were returned, and they should re-query using a
TCP DNS message. I think my DNS round robin records are too large, and that is the main cause of my problem.<br><br>So, can you show me how to increase the PDNS UDP message size, or some solution to make sure PDNS is OK?<br></blockquote>
<div><br></div><div>It is correct that regular UDP DNS responses cannot exceed 512 bytes; however, nowadays most clients (usually recursive DNS servers, such as Google DNS for example) make use of a DNS extension header format called EDNS or EDNS0. See <a href="http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS">http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS</a> .</div>
<div>Depending on which version of PowerDNS you use, it has already supported EDNS0 for a long time, as it is needed for DNSSEC operations. And it is also very likely that most recursive DNS servers speak EDNS0 as well. This probably mitigates your issue, but since this is a protocol limitation there is no workaround for it other than limiting the number of IP addresses in your round-robin record or making sure all recursive DNS servers your clients use are EDNS0 capable. Also, some firewalls such as the Cisco ASA in earlier default configurations are known to drop DNS responses that are larger than the 512 byte limit.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Otherwise, I checked my PDNS log, and there are many error lines:<br><br>Nov 12 14:01:44 my-server pdns[23075]: Received a malformed qdomain from 74.125.191.19, '<b>%20</b>abc.com': sending servfail<br>
Nov 12 14:01:54 my-server pdns[23075]: Received a malformed qdomain from 74.125.191.26, '<b>%20</b>abc.com': sending servfail<br>
Nov 12 14:01:54 my-server pdns[23075]: Received a malformed qdomain from 74.125.191.17, '<b>%20</b>abc.com': sending servfail<br>
<br>Nov 12 14:02:14 my-server pdns[23075]: Received a malformed qdomain from 74.125.191.20, 'xyz<b>,.</b>com': sending servfail<br>
Nov 12 14:02:24 my-server pdns[23075]: Received a malformed qdomain from 74.125.191.26, ''xyz<b>,.</b>com': sending servfail<br>
Nov 12 14:02:24 my-server pdns[23075]: Received a malformed qdomain from 74.125.191.16, ''xyz<b>,.</b>com': sending servfail<br>
<br>After some checking, I found that the IP range 74.125.191.x belongs to Google servers, but I think there is some mistake here, because my website domain is <a href="http://abc.com" target="_blank">abc.com</a>, not <b>%20</b>abc.com (%20 = space)<br>
And another of my company's websites is <a href="http://xyz.com" target="_blank">xyz.com</a>, not xyz<b>,.</b>com<br>
<br>Can someone help me understand what the log means?<br></blockquote><div><br></div><div>By this message PowerDNS just means to say the same thing that you already stated, which is that it is getting queries for '%20abc.com' and 'xyz,.com', which quite simply are misspellings of your domain names and thus plain wrong per PowerDNS. PowerDNS resorts to sending a Server Failure response here because the query it receives is malformed. Usually this is caused by broken client libraries. When I ran the PowerDNS server (auth) in front of the PowerDNS recursor for a while, I witnessed all kinds of weird queries from DSL clients, such as queries for '<a href="http://www.something.tld">http://www.something.tld</a>' for example.</div>
<div>You can safely ignore those log entries.</div><div>As far as I know, most of these messages have been silenced in later PowerDNS releases.</div><div><br></div><div>best regards,</div><div><br></div><div> Stefan </div></div>
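The 512-byte arithmetic discussed in this thread, as an added example that is not from the original mail or from PowerDNS: it builds a minimal wire-format A response for a name (abc.com here, with 192.0.2.x as constructed stand-ins for the poster's X.X.X.1..50 addresses), sets TC when the reply would exceed the client's limit, and shows how an advertised EDNS0 buffer size changes the outcome. The truncation policy (keep the answers that fit, then set TC) is a simplified model, not a claim about how PowerDNS fills a truncated reply.

```python
import struct
import ipaddress

def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_response(name, addrs, ttl=300, edns_bufsize=None, max_udp=512):
    """Simplified model of a UDP A-record reply: answers are appended while the
    packet still fits the client's limit (512 bytes without EDNS0, otherwise the
    EDNS0 buffer size the client advertised); once one does not fit, the TC bit
    is set so the resolver retries over TCP. Returns (packet, truncated, count)."""
    limit = edns_bufsize if edns_bufsize else max_udp
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    # EDNS0 OPT pseudo-RR (11 bytes): root name, TYPE=41, CLASS = UDP payload size.
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0) if edns_bufsize else b""
    answers, count = b"", 0
    for ip in addrs:
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        if 12 + len(question) + len(answers) + len(rr) + len(opt) > limit:
            break
        answers += rr
        count += 1
    truncated = count < len(addrs)
    flags = 0x8400 | (0x0200 if truncated else 0)   # QR=1, AA=1, TC only if truncated
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, count, 0, 1 if opt else 0)
    return header + question + answers + opt, truncated, count

def max_a_records(name, edns_bufsize=None):
    """Largest number of A records for `name` that fit in one untruncated UDP reply."""
    probe = [f"192.0.2.{i}" for i in range(1, 255)]   # constructed addresses (TEST-NET-1)
    return build_a_response(name, probe, edns_bufsize=edns_bufsize)[2]

if __name__ == "__main__":
    # Constructed stand-in for the poster's 50 X.X.X.1 .. X.X.X.50 records on abc.com.
    pool = [f"192.0.2.{i}" for i in range(1, 51)]
    for bufsize in (None, 4096):
        pkt, tc, n = build_a_response("abc.com", pool, edns_bufsize=bufsize)
        print(f"EDNS0 bufsize={bufsize}: {len(pkt)} bytes, {n}/50 answers, TC={tc}")
    print("A records that fit without EDNS0:", max_a_records("abc.com"))
```

For abc.com the fixed overhead is 25 bytes and each compressed A record is 16 bytes, so only 30 of the 50 addresses fit in a plain 512-byte reply, while a resolver advertising a 4096-byte EDNS0 buffer receives all 50 in an 836-byte untruncated answer.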