[Pdns-users] Low ttl with combination of forward zones makes queries fail
Otto Moerbeek
otto at drijf.net
Tue Feb 8 12:34:13 UTC 2022
On Tue, Feb 08, 2022 at 01:24:03PM +0100, Thomas Mieslinger via Pdns-users wrote:
> In my experience pdns_recursor (okay, I tested only with older versions)
> will not retry fast enough to have a 100% user experience.
It is worth the trouble to test this again. Modern recursors are smarter
in this area. Though dnsdist is maybe best suited for this purpose.
-Otto
>
> I moved to bgp with my internal auth addresses. The auths check themselves
> and announce their service IP only if they are ready to answer.
>
> If you don't have the chance to move to bgp, give dnsdist a try. In my
> experience it does a very good job on figuring out whether a server is
> up or not.
>
> Both options complicate your setup. You could experiment with
> server-down-max-fails and server-down-throttle-time to minimize the
> number of lost queries to not responding Nameservers. But that's
> dangerous too, because this setting is for all servers, not only your
> internal auths.
>
> But remember, pdns_recursor does not do background checking whether a
> Nameserver is alive. Background checking is only done by dnsdist afaik.
>
> Cheers Thomas
>
> Am 08.02.22 um 13:08 schrieb Prochazka via Pdns-users:
> > Hello,
> >
> > using pdns-recursor 4.5.7-1pdns.bullseye I am getting a problem with DNS
> > redundancy for records with expired TTL (best seen on low TTL). Forward
> > zones are used for internal domains only. Our clients have 3 configured
> > recursors (resolv.conf) and every recursor connects to any of the four
> > auth servers for our domains. All subdomains are delegated to their own zones
> > but reside on the same auth servers; the extra step is using forward-zones.
> > I thought it depends on the configured order, so I set it to use the same
> > location first and the remote location at the end (evading the firewall, if
> > possible).
> >
> > Pdns recursor config:
> >
> > ...
> > forward-zones=
> > forward-zones+=some.domain.tld=AUTH1_ipv6
> > forward-zones+=some.domain.tld=AUTH1_ipv4
> > forward-zones+=some.domain.tld=AUTH2_ipv6
> > forward-zones+=some.domain.tld=AUTH2_ipv4
> > forward-zones+=some.domain.tld=AUTH3_ipv6
> > forward-zones+=some.domain.tld=AUTH3_ipv4
> > forward-zones+=some.domain.tld=AUTH4_ipv6
> > forward-zones+=some.domain.tld=AUTH4_ipv4
> > ...
> >
> > AAAA DNS query:
> > ;; QUESTION SECTION:
> > ;host.some.domain.tld. IN AAAA
> >
> > ;; ANSWER SECTION:
> > host.some.domain.tld. 60 IN CNAME host1.some.domain.tld.
> > host1.some.domain.tld. 3600 IN AAAA host1_ipv6
> >
> > Problem:
> > When there is maintenance on for example AUTH4 (server is offline):
> >
> > Client <-> Recursor:
> > 233336 2022-02-08 01:57:58,031241 client_ipv6 REC1_ipv6
> > DNS 106 Standard query 0x7f30 AAAA host.some.domain.tld
> > 233337 2022-02-08 01:57:58,031241 client_ipv6 REC1_ipv6
> > DNS 106 Standard query 0xb42e A host.some.domain.tld
> > 233442 2022-02-08 01:57:59,902472 REC1_ipv6 client_ipv6
> > DNS 106 Standard query response 0x7f30 Server failure AAAA
> > host.some.domain.tld
> > 233443 2022-02-08 01:57:59,902577 REC1_ipv6 client_ipv6
> > DNS 106 Standard query response 0xb42e Server failure A
> > host.some.domain.tld
> >
> > Recursor <-> Auth:
> > 196982 2022-02-08 01:57:58,031733 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0xedac AAAA host.some.domain.tld OPT
> > 196983 2022-02-08 01:57:58,031981 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0x1246 A host.some.domain.tld OPT
> > ...
> > 197989 2022-02-08 01:58:13,667275 REC1_ipv4 AUTH1_ipv4
> > DNS 107 Standard query 0xf4e9 A host.some.domain.tld.domain.tld OPT
> > 197990 2022-02-08 01:58:13,667542 REC1_ipv4 AUTH1_ipv4
> > DNS 107 Standard query 0xff8c AAAA host.some.domain.tld.domain.tld
> > OPT
> > 197991 2022-02-08 01:58:13,671010 AUTH1_ipv4 REC1_ipv4
> > DNS 154 Standard query response 0xf4e9 No such name A
> > host.some.domain.tld.domain.tld SOA ns.domain.tld OPT
> > 197992 2022-02-08 01:58:13,671222 AUTH1_ipv4 REC1_ipv4
> > DNS 154 Standard query response 0xff8c No such name AAAA
> > host.some.domain.tld.domain.tld SOA ns.domain.tld OPT
> > ...
> > 218012 2022-02-08 02:02:03,229271 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0xce1c A host.some.domain.tld OPT
> > 218013 2022-02-08 02:02:03,229359 REC1_ipv4 AUTH4_ipv4
> > DNS 97 Standard query 0xccf5 AAAA host.some.domain.tld OPT
> > 218014 2022-02-08 02:02:03,232700 AUTH4_ipv4 REC1_ipv4
> > DNS 140 Standard query response 0xce1c A host.some.domain.tld
> > CNAME host1.some.domain.tld A host1_ipv4 OPT
> > 218015 2022-02-08 02:02:03,232700 AUTH4_ipv4 REC1_ipv4
> > DNS 152 Standard query response 0xccf5 AAAA host.some.domain.tld
> > CNAME host1.some.domain.tld AAAA host1_ipv6 OPT
> >
> > It looks as if the recursor is querying the same auth server for such a
> > record until the server is up. How to change such a setup so maintenance
> > doesn't break resolving?
> >
> > Thanks.
> >
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
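Thomas's suggestion of putting dnsdist between the recursor and the internal auths, worked through as an added example (this is not configuration from the thread or from the PowerDNS project; the addresses are documentation placeholders standing in for AUTH1..AUTH4, port 5300 and the pool name "internal-auth" are assumptions). dnsdist health-checks each backend in the background, so a recursor that forwards some.domain.tld to the local dnsdist only ever reaches an auth that has recently answered a probe, regardless of server-down-max-fails or server-down-throttle-time on the recursor side:

```lua
-- dnsdist.conf (Lua), one instance per recursor host. Added example, not from the thread.
-- Listen only on loopback; the recursor on this host is the only intended client.
setLocal("127.0.0.1:5300")
setLocal("[::1]:5300")
setACL({"127.0.0.0/8", "::1/128"})

-- The four internal auths from the original post, IPv6 and IPv4 each.
-- Addresses are placeholders (RFC 3849 / RFC 5737 documentation ranges), an assumption.
-- "order" is used by the firstAvailable policy: lower is preferred, so the
-- same-site auths get order 1 and the remote ones order 2.
local auths = {
  {address = "[2001:db8:1::53]:53", order = 1},  -- AUTH1_ipv6 (same site)
  {address = "192.0.2.1:53",        order = 1},  -- AUTH1_ipv4
  {address = "[2001:db8:1::54]:53", order = 1},  -- AUTH2_ipv6
  {address = "192.0.2.2:53",        order = 1},  -- AUTH2_ipv4
  {address = "[2001:db8:2::53]:53", order = 2},  -- AUTH3_ipv6 (remote site)
  {address = "198.51.100.1:53",     order = 2},  -- AUTH3_ipv4
  {address = "[2001:db8:2::54]:53", order = 2},  -- AUTH4_ipv6
  {address = "198.51.100.2:53",     order = 2},  -- AUTH4_ipv4
}

for _, a in ipairs(auths) do
  newServer({
    address = a.address,
    order = a.order,
    pool = "internal-auth",
    -- Probe the zone apex SOA once a second; a backend is marked down after a
    -- single failed probe, so an auth taken offline for maintenance stops
    -- receiving queries within about a second.
    checkName = "some.domain.tld.",
    checkType = "SOA",
    mustResolve = true,       -- NXDOMAIN/SERVFAIL/REFUSED from an auth counts as a failed probe
    checkInterval = 1,
    maxCheckFailures = 1,
  })
end

-- Always send to the lowest-order backend that is currently up, so the
-- same-site auths are used while healthy and the remote ones only as fallback.
setServerPolicy(firstAvailable)

-- Only the internal zone belongs here; the recursor still resolves everything
-- else itself. Refuse anything that is not under some.domain.tld.
addAction("some.domain.tld.", PoolAction("internal-auth"))
addAction(AllRule(), RCodeAction(DNSRCode.REFUSED))

-- On the recursor, the eight forward-zones lines collapse into one that points
-- at this dnsdist instance (recursor.conf syntax, not Lua):
--   forward-zones=some.domain.tld=127.0.0.1:5300
```

Two things to check after deploying: `dnsdist -c` with `showServers()` shows each backend's state flipping to "down" when an auth is taken out of service and back to "up" once it answers the SOA probe again, and a `dig` for host.some.domain.tld against the recursor during that window keeps returning the CNAME and AAAA instead of SERVFAIL. The probe name and type are assumptions; any record every auth is guaranteed to serve works, as long as mustResolve is set so that a backend that is up but not serving the zone is still marked down.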