[Pdns-users] Low ttl with combination of forward zones makes queries fail
prochazka at cortex.cz
prochazka at cortex.cz
Tue Feb 8 12:08:48 UTC 2022
Hello,
using pdns-recursor 4.5.7-1pdns.bullseye i am getting problem with dns
redundancy for records with expired ttl (best seen on low ttl). Forward
zones are used for internal domains only. Our clients has configured 3
recurcors (resolv.conf) and every recursor connect to any of the four
auth servers for our domains. All subdomains are delegated to own zones
but resides on the same auth servers, extra step is using forward-zones.
I thought, it's depending on configured order, so i set it to use same
location first and remote location on the end (evading firewall, if it's
possible).
Pdns recursor config:
...
forward-zones=
forward-zones+=some.domain.tld=AUTH1_ipv6
forward-zones+=some.domain.tld=AUTH1_ipv4
forward-zones+=some.domain.tld=AUTH2_ipv6
forward-zones+=some.domain.tld=AUTH2_ipv4
forward-zones+=some.domain.tld=AUTH3_ipv6
forward-zones+=some.domain.tld=AUTH3_ipv4
forward-zones+=some.domain.tld=AUTH4_ipv6
forward-zones+=some.domain.tld=AUTH4_ipv4
...
AAAA dns query:
;; QUESTION SECTION:
;host.some.domain.tld. IN AAAA
;; ANSWER SECTION:
host.some.domain.tld. 60 IN CNAME host1.some.domain.tld.
host1.some.domain.tld. 3600 IN AAAA host1_ipv6
Problem:
When there is maintenance on for example AUTH4 (server is offline):
Client <-> Recursor:
233336 2022-02-08 01:57:58,031241 client_ipv6 REC1_ipv6 DNS 106 Standard
query 0x7f30 AAAA host.some.domain.tld
233337 2022-02-08 01:57:58,031241 client_ipv6 REC1_ipv6 DNS 106 Standard
query 0xb42e A host.some.domain.tld
233442 2022-02-08 01:57:59,902472 REC1_ipv6 client_ipv6 DNS 106 Standard
query response 0x7f30 Server failure AAAA host.some.domain.tld
233443 2022-02-08 01:57:59,902577 REC1_ipv6 client_ipv6 DNS 106 Standard
query response 0xb42e Server failure A host.some.domain.tld
Recursor <-> Auth:
196982 2022-02-08 01:57:58,031733 REC1_ipv4 AUTH4_ipv4 DNS 97 Standard
query 0xedac AAAA host.some.domain.tld OPT
196983 2022-02-08 01:57:58,031981 REC1_ipv4 AUTH4_ipv4 DNS 97 Standard
query 0x1246 A host.some.domain.tld OPT
...
197989 2022-02-08 01:58:13,667275 REC1_ipv4 AUTH1_ipv4 DNS 107 Standard
query 0xf4e9 A host.some.domain.tld.domain.tld OPT
197990 2022-02-08 01:58:13,667542 REC1_ipv4 AUTH1_ipv4 DNS 107 Standard
query 0xff8c AAAA host.some.domain.tld.domain.tld OPT
197991 2022-02-08 01:58:13,671010 AUTH1_ipv4 REC1_ipv4 DNS 154 Standard
query response 0xf4e9 No such name A host.some.domain.tld.domain.tld SOA
ns.domain.tld OPT
197992 2022-02-08 01:58:13,671222 AUTH1_ipv4 REC1_ipv4 DNS 154 Standard
query response 0xff8c No such name AAAA
host.some.domain.tld.domain.tld SOA ns.domain.tld OPT
...
218012 2022-02-08 02:02:03,229271 REC1_ipv4 AUTH4_ipv4 DNS 97 Standard
query 0xce1c A host.some.domain.tld OPT
218013 2022-02-08 02:02:03,229359 REC1_ipv4 AUTH4_ipv4 DNS 97 Standard
query 0xccf5 AAAA host.some.domain.tld OPT
218014 2022-02-08 02:02:03,232700 AUTH4_ipv4 REC1_ipv4 DNS 140 Standard
query response 0xce1c A host.some.domain.tld CNAME host1.some.domain.tld
A host1_ipv4 OPT
218015 2022-02-08 02:02:03,232700 AUTH4_ipv4 REC1_ipv4 DNS 152 Standard
query response 0xccf5 AAAA host.some.domain.tld CNAME
host1.some.domain.tld AAAA host1_ipv6 OPT
It looks as recursor is querying the same Auth server for such record
until server is up. How to change such setup so maintenance don't break
resolving?
Thanks.
More information about the Pdns-users
mailing list