[Pdns-users] pdns-recursor issue with resolving domains which placed on ns*.domaincontrol.com name servers
David
opendak at shaw.ca
Mon Feb 20 23:13:18 UTC 2017
On 2017-02-20 2:00 PM, Максим Подлесный wrote:
>
> In the log we had only:
> Sending SERVFAIL to 127.0.0.1 during resolve of '9p.com
> <http://9p.com>.' because: Too much time waiting for 9p.com.|A,
> timeouts: 1, throttles: 0, queries: 4, 6497msec
>
> dig works fine but slow (about 5-6 sec for this domains)
>
You may want to check a full trace to that example from your site and
see all the timeouts, and/or tcpdump to prove it to yourself.
They may also be rate limiting you if one of your clients is relaying a
random subdomain attack against one of these domains.
You'd need to increase two timeouts if you wanted to avoid this (the
per-NS 1500ms one and the overall 7000ms query timeout). Most clients
will give up after that long though, but hopefully a cache hit on the
next try.
More information about the Pdns-users
mailing list