[Pdns-users] recursor fail to resolve

Otto Moerbeek otto at drijf.net
Mon May 4 12:14:36 UTC 2020 

On Mon, May 04, 2020 at 07:05:48AM -0500, Sergio P Cesar wrote:

> It is not a guessing game, the recursor fail to resolve.

You initial email did not specify which name(s) were queried. Only
later in the thread you list an example. Only with yor latest reply
you tell something about your config.

I'm am trying to help. That works best if all needed information to
reproduce your problem is in a single mail. Having to hunt down
mailing list threads to collect the neccesary information is wasting
time.

	-Otto


> The only change to the default config in an attempt to have the recursor not
> cache the failure and query again is
> packetcache-servfail-ttl=0
> quiet=no
> 
> The servers in question are
>    DNS:            dns.alestra.net.mx       207.248.224.75
>    DNS:            mail1.alestra.net.mx       207.248.224.76
> 
> As I try to explain before, what I found by tracing packets and Aki
> confirmed
> So far what I was able to find is that the nameserver for this company has
> some sort of "firewall" that will reject the very first packet
> it will reply on the second packet. After some time (maybe 5 minutes) it
> will again reject the first packet.
> 
> It smells like a bug on the recursor where it does not followup to the
> second server in case of a temporary or transient dns failure even though 
> this is repeatable given the amout of time for their "firewall" to reset.
> 
> Sergio
> 
> On 5/4/2020 3:22 AM, Otto Moerbeek wrote:
> > On Fri, May 01, 2020 at 11:31:21AM -0500, Sergio P Cesar via Pdns-users wrote:
> > 
> > > I am new with pdns, just installed a resolver 4.3.0-rc2 to learn and all
> > > seems to work but stumbled into an issue I cant resolve.
> > > 
> > > My mailserver failed to deliver email to a few domains, in tracking it I
> > > found that their DNS will drop the first packet on every new query  but will
> > > respond on a second query ok and every one after that. (5 minutes timeout)
> > > it will drop the 1st packet again.
> > > I was expecting the recursor to query the 2nd and 3rd server in their list
> > > but it does not look like it is doing that.
> > > It seems like it is caching the failure and does not query again at all for
> > > a while.
> > > I changed packetcache-servfail-ttl=0 and now it looks like after the 3rd
> > > query attempt it will work as the far end server now respond.
> > > Not sure this is correct setting  or I will have adverse effect setting this
> > > to 0.
> > > 
> > > Perhaps I have not set something else that will tell the recursor to try the
> > > next server if the first one fail to respond or send a second packet or a
> > > retry.
> > > I used bind to test and it gets a response on the first try. I did not try
> > > to trace the packets from a bind query.
> > > 
> > > Thanks
> > Please share your full config and the names involved. It now is a
> > guessing game.
> > 
> > The recursor tries other auth nameservers if one fails. But there are
> > also other factors that could play a role. Unless you share your
> > complete config and the actual names that cause trouble, it is
> > impossible to help you.
> > 
> > Also, the final 4.3.0 is out, so please upgrade the rc2 you are running.
> > 
> >          -Otto

More information about the Pdns-users mailing list