[Pdns-users] How to set up pdns recursor to repeat the query if it does not get an answer

Mira Krejci krejci at i3.cz
Thu Sep 24 14:16:58 UTC 2020


Hi Thomas,

thanks a lot for the idea.
The forwarding solution will definitely work. I have already tried to
solve this problem by forwarding, but I overlooked the need for a
prefixed "+" before the domain name, and because of that it did not work.

Mira

On 24. 09. 20 at 7:34, Thomas Mieslinger via Pdns-users wrote:
> Hi Mira,
>
> how about adding the following to your forward zones:
>
> +not.working.domain=9.9.9.9
>
> the other thing that could be your problem is that the auth server
> operator has some sort of rate limiting to protect the auth server from
> overload.
>
> Have you tried to contact the auth server operator?
>
> Cheers
>
> Thomas
>
> On 9/23/20 4:27 PM, Mira Krejci via Pdns-users wrote:
>> Hi all,
>>
>> would it be possible to solve the problem by querying the authoritative
>> server via the TCP protocol? If so, how to do this in the recursor
>> configuration (whether for a specific domain or globally)?
>> Thanks.
>>
>> Mira
>>
>>> On 23. 09. 20 at 9:23, Thomas Mieslinger via Pdns-users wrote:
>>> In my opinion this needs to be fixed at the authoritative end.
>>>
>>> These repeated recursive queries tend to produce retry waves. So
>>> recursors would need to implement a quadratic backoff or similar.
>>>
>>> Just from my mind... I took over authoritative DNS for a hoster. They
>>> claimed to have DDoS problems. In reality they just restarted their
>>> auths and the whole internet started to retry. Then a 100k or 200k req/s
>>> retry wave hit the auths.
>>>
>>> I'm doing this differently so that recursors do not start to retry and
>>> have not to deal with waves.
>>>
>>> On 18.09.20 17:42, Winfried Angele via Pdns-users wrote:
>>>> Hi Mira,
>>>>
>>>> I think if a Resolver retries on possibly overloaded or attacked
>>>> authoritative DNS servers, it gets even worse for them. So I'd recommend
>>>> to try to contact the people in charge of that domain and try to
>>>> convince them to solve the problem on their side. And again, the
>>>> Recursor tries on each nameserver's address listed in the NS RRset. So it
>>>> does retry, but not on the same address. That means, in your case, all
>>>> DNS servers of that domain are overloaded or broken or attacked.
>>>>
>>>> Winfried
>>>>
>>>>
>>>> On 18 September 2020 16:05:04 CEST, Mira Krejci
>>>> <krejci at i3.cz> wrote:
>>>>
>>>>
>>>>      Hi Winfried,
>>>>
>>>>      thank you for your reply.
>>>>      If it's a feature and can't be changed, I have a big problem that
>>>>      I'll have to solve by changing the software to another.
>>>>      For example, Bind asks more than once if an answer does not come.
>>>>      Users are angry that DNS resolving does not work for them (of
>>>>      course, the authoritative servers of a specific domain are to
>>>>      blame for it).
>>>>      But I have to solve it somehow.
>>>>
>>>>      Thanks.
>>>>      Mira
>>>>
>>>>      On 18. 09. 20 at 15:34, Winfried Angele wrote:
>>>>>      Hi Mira,
>>>>>
>>>>>      Yes the Recursor does not retry on *this* auth. But it tries on the
>>>>>      other nameservers from the NS RR set. IPv4 and IPv6. So if you
>>>>>      have only one auth, Recursor tries two times, IPv4 and IPv6 if
>>>>>      available.
>>>>>
>>>>>      Winfried
>>>>>
>>>>>
>>>>>
>>>>>      On 18 September 2020 14:47:49 CEST, Mira Krejci via
>>>>>      Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>>>>>
>>>>>          Hi,
>>>>>
>>>>>          I have a problem that I can't force the pdns recursor to query the
>>>>>          authoritative servers repeatedly if they do not answer. Recursor tries
>>>>>          the query only once and then returns an error (SERVFAIL) to the client.
>>>>>          This is very problematic when the authoritative server is overloaded or
>>>>>          there are some problems on the network. I didn't find any way in the
>>>>>          configuration to change it.
>>>>>
>>>>>          Server version: 4.2.2-1 (from EPEL repo on CentOS 8)
>>>>>
>>>>>          Can anyone help?
>>>>>          Thanks.
>>>>>
>>>>>          Mira
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>          Pdns-users mailing list
>>>>>          Pdns-users at mailman.powerdns.com
>>>>>          https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>>>>
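
The retry-wave argument made earlier in the thread, as an added example (not code from the thread or from PowerDNS): a small simulation comparing resolvers that retry a silent authoritative server every second with resolvers using quadratic backoff, with and without jitter. The resolver count, outage length, 1-second retry interval and the jitter variant are constructed assumptions.

```python
import random
from collections import Counter

def send_times(outage_s, delay_fn):
    """Times (s) at which one resolver queries an auth that is silent
    for t < outage_s; the first query at t >= outage_s is answered."""
    t, attempt, times = 0, 0, [0]
    while t < outage_s:
        attempt += 1
        t += delay_fn(attempt)
        times.append(t)
    return times

def simulate(resolvers, outage_s, delay_fn):
    """Return (total queries, peak queries in any one second after t=0)."""
    load = Counter()
    for _ in range(resolvers):
        load.update(send_times(outage_s, delay_fn))
    total = sum(load.values())
    peak = max(n for t, n in load.items() if t > 0)
    return total, peak

def fixed(attempt):
    return 1                      # retry every second until answered

def quadratic(attempt):
    return attempt ** 2           # 1, 4, 9, 16, ... seconds between tries

def make_jittered(seed=2020):
    rng = random.Random(seed)     # seeded so the run is reproducible
    def jittered(attempt):
        base = attempt ** 2
        return base + rng.randint(0, base)   # delay drawn from [base, 2*base]
    return jittered

def compare(resolvers=1000, outage_s=30):
    # All resolvers start at t=0, as they would after an auth restart.
    return {
        "fixed 1s": simulate(resolvers, outage_s, fixed),
        "quadratic": simulate(resolvers, outage_s, quadratic),
        "quadratic+jitter": simulate(resolvers, outage_s, make_jittered()),
    }

if __name__ == "__main__":
    for name, (total, peak) in compare().items():
        print(f"{name:18s} total={total:6d} peak/s={peak}")
```

With these inputs the fixed retry sends 31,000 queries at a sustained 1,000 per second, while quadratic backoff cuts the total to 5,000 but keeps the resolvers synchronized; adding jitter roughly halves the per-second peak.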


