[Pdns-users] recursor fail to resolve

Sergio P Cesar sergio at winc.net
Mon May 4 12:05:48 UTC 2020

It is not a guessing game, the recursor fails to resolve.
The only change to the default config in an attempt to have the recursor 
not cache the failure and query again is

The servers in question are
    DNS:            dns.alestra.net.mx
    DNS:            mail1.alestra.net.mx

As I tried to explain before, what I found by tracing packets and Aki 
So far what I was able to find is that the nameserver for this company 
has some sort of "firewall" that will reject the very first packet; 
it will reply on the second packet. After some time (maybe 5 minutes) it 
will again reject the first packet.

It smells like a bug in the recursor where it does not follow up with the 
second server in case of a temporary or transient DNS failure, even 
though this is repeatable given the amount of time for their "firewall" 
to reset.


On 5/4/2020 3:22 AM, Otto Moerbeek wrote:
> On Fri, May 01, 2020 at 11:31:21AM -0500, Sergio P Cesar via Pdns-users wrote:
>> I am new with pdns, just installed a resolver 4.3.0-rc2 to learn and all
>> seems to work but stumbled into an issue I can't resolve.
>> My mailserver failed to deliver email to a few domains; in tracking it I
>> found that their DNS will drop the first packet on every new query but will
>> respond to a second query OK and every one after that. (5 minutes timeout)
>> it will drop the 1st packet again.
>> I was expecting the recursor to query the 2nd and 3rd server in their list
>> but it does not look like it is doing that.
>> It seems like it is caching the failure and does not query again at all for
>> a while.
>> I changed packetcache-servfail-ttl=0 and now it looks like after the 3rd
>> query attempt it will work as the far end server now respond.
>> Not sure this is the correct setting or I will have an adverse effect setting this
>> to 0.
>> Perhaps I have not set something else that will tell the recursor to try the
>> next server if the first one fails to respond, or send a second packet or a
>> retry.
>> I used bind to test and it gets a response on the first try. I did not try
>> to trace the packets from a bind query.
>> Thanks
> Please share your full config and the names involved. It now is a
> guessing game.
> The recursor tries other auth nameservers if one fails. But there are
> also other factors that could play a role. Unless you share your
> complete config and the actual names that cause trouble, it is
> impossible to help you.
> Also, the final 4.3.0 is out, so please upgrade the rc2 you are running.
>          -Otto
