[Pdns-users] How to set up pdns recursor to repeat the query if it does not get an answer

Thomas Mieslinger miesi at mail.com
Wed Sep 23 07:23:01 UTC 2020


In my opinion this needs to be fixed at the authoritative end.

These repeated recursive queries tend to produce retry waves. So
recursors would need to implement a quadratic backoff or similar.

Just from my mind... I took over authoritative DNS for a hoster. They
claimed to have DDoS problems. In reality they just restarted their
auths and the whole internet started to retry. Then a 100k or 200k req/s
retry wave hit the auths.

I'm doing this differently so that recursors do not start to retry and
do not have to deal with waves.

On 18.09.20 17:42, Winfried Angele via Pdns-users wrote:
> Hi Mira,
>
> I think if a Resolver retries on possibly overloaded or attacked
> authoritative DNS servers, it gets even worse for them. So I'd recommend
> to try to contact the people in charge of that domain and try to
> convince them to solve the problem on their side. And again, the
> Recursor tries on each nameserver's address listed in the NS RRset. So it
> does retries, but not on the same address. That means, in your case, all
> DNS servers of that domain are overloaded or broken or attacked.
>
> Winfried
>
>
> On 18 September 2020 16:05:04 CEST, Mira Krejci <krejci at i3.cz> wrote:
>
>
>     Hi Winfried,
>
>     thank you for your reply.
>     If it's a feature and can't be changed, I have a big problem that
>     I'll have to solve by changing the software to another.
>     For example, Bind asks more than once if an answer does not come. Users
>     are angry that DNS resolving does not work for them (of course, the
>     authoritative servers of a specific domain are to blame).
>     But I have to solve it somehow.
>
>     Thanks.
>     Mira
>
>     On 18. 09. 20 at 15:34, Winfried Angele wrote:
>>     Hi Mira,
>>
>>     Yes, the Recursor does not retry on *this* auth. But it tries on the
>>     other nameservers from the NS RR set. IPv4 and IPv6. So if you
>>     have only one auth, Recursor tries two times, IPv4 and IPv6 if
>>     available.
>>
>>     Winfried
>>
>>
>>
>>     On 18 September 2020 14:47:49 CEST, Mira Krejci via
>>     Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>>
>>         Hi,
>>
>>         I have a problem that I can't force the pdns recursor to query the
>>         authoritative servers repeatedly if they do not answer. Recursor tries
>>         the query only once and then returns an error (SERVFAIL) to the client.
>>         This is very problematic when the authoritative server is overloaded or
>>         there are some problems on the network. I didn't find any way in the
>>         configuration to change it.
>>
>>         Server version: 4.2.2-1 (from EPEL repo on CentOS 8)
>>
>>         Can anyone help?
>>         Thanks.
>>
>>         Mira
>>         ------------------------------------------------------------------------
>>         Pdns-users mailing list
>>         Pdns-users at mailman.powerdns.com
>>         https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>
>
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
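
The retry-wave effect discussed in this thread, as an added toy simulation (not code from the thread or from PowerDNS). The function names, the 1000 queries/s arrival rate, the 10 s outage, the 3000 queries/s capacity and the "wait attempt² seconds" reading of quadratic backoff are all constructed assumptions.

```python
from collections import defaultdict

def offered_load(delay, rate=1000, outage=10, capacity=3000,
                 max_attempts=5, horizon=40):
    """Per-second query load offered to one authoritative server.

    delay(n) -> seconds a client waits after its n-th unanswered attempt.
    The server answers nothing for `outage` seconds, then at most
    `capacity` queries per second. All numbers are constructed.
    """
    due = defaultdict(lambda: defaultdict(int))  # second -> attempt no. -> count
    load = []
    for t in range(horizon):
        due[t][1] += rate                    # fresh queries arriving this second
        budget = 0 if t < outage else capacity
        load.append(sum(due[t].values()))
        for attempt in sorted(due[t]):
            count = due[t][attempt]
            answered = min(count, budget)
            budget -= answered
            unanswered = count - answered
            if unanswered and attempt < max_attempts:
                due[t + delay(attempt)][attempt + 1] += unanswered
            # after max_attempts the client gives up (SERVFAIL to the user)
        del due[t]
    return load

def fixed(attempt):
    """Retry every second, regardless of how often it already failed."""
    return 1

def quadratic(attempt):
    """Assumed quadratic backoff: wait 1, 4, 9, 16 seconds."""
    return attempt * attempt

if __name__ == "__main__":
    for name, fn in (("fixed 1s", fixed), ("quadratic", quadratic)):
        load = offered_load(fn)
        print(f"{name:10} peak={max(load)}/s at-recovery={load[10]}/s "
              f"total={sum(load)}")
```

With these constructed numbers the fixed-interval retriers hit the server with five times the normal rate at the moment it comes back, while the backoff variant stays within its capacity.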
