[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS
bert hubert
bert.hubert at netherlabs.nl
Tue Feb 10 11:02:08 UTC 2015
Hi everybody,
Recently at a large deployment, we ran into f.root-servers.net returning
TC=1 to all our queries. We took this up with ISC who quickly informed us
that this is a setting they run with if you exceed more than 5 NXDOMAIN
responses/s.
The installation in question services millions of subscribers, and sadly
gets a lot of silly queries which leak to the root. We're unsure how to
stay below 5 NXDOMAINs/s permanently.
You can reproduce this behaviour like this:
$ for a in {1..10}; do dig www.no-such-tld-$a -4 @f.root-servers.net ; done > log
$ grep -E 'TCP|status:' log
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54154
(...)
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4798
;; Truncated, retrying in TCP mode.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1549
We've since tried to curtail our queries to the root severely, but we still
get TC=1 responses a lot, which slows down our resolution.
We shared our concerns with ISC, but it might be good to have a broader
discussion on if it makes sense to set the bar so very low.
Your thoughts would be appreciated!
Bert
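An added example, not from Bert's post or from ISC: a small Python check a resolver operator could run over timestamped responses from a root server to measure their own per-second NXDOMAIN rate against the 5/s figure quoted above, and to list which replies came back with TC=1. The DNS headers below are constructed for the example, not captured traffic.

```python
import struct
from collections import Counter

NXDOMAIN_RCODE = 3
ROOT_NXDOMAIN_LIMIT = 5  # per second; the threshold ISC quoted in the post


def build_header(msg_id, tc, rcode):
    """Build a 12-byte DNS response header (QR=1, RD=1, RA=1); test data only."""
    flags = 0x8000 | 0x0180 | (0x0200 if tc else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)


def parse_header(pkt):
    """Return (id, is_response, tc, rcode) from the first 12 bytes of a DNS message."""
    if len(pkt) < 12:
        raise ValueError("short DNS message")
    msg_id, flags = struct.unpack("!HH", pkt[:4])
    return msg_id, bool(flags & 0x8000), bool(flags & 0x0200), flags & 0xF


def nxdomain_rate(responses, limit=ROOT_NXDOMAIN_LIMIT):
    """responses: iterable of (unix_ts, raw_dns_bytes) seen from one root server.

    Returns per-second NXDOMAIN counts, the seconds that exceed `limit`
    (where the post's TC=1 behaviour would kick in), and the ids of TC=1 replies."""
    per_second = Counter()
    truncated = []
    for ts, pkt in responses:
        msg_id, is_resp, tc, rcode = parse_header(pkt)
        if not is_resp:
            continue  # ignore queries if a full capture is fed in
        if rcode == NXDOMAIN_RCODE:
            per_second[int(ts)] += 1
        if tc:
            truncated.append(msg_id)
    over = sorted(s for s, n in per_second.items() if n > limit)
    return {"per_second": dict(per_second), "over_limit": over, "truncated_ids": truncated}


# Constructed sample mirroring the dig loop in the post: 10 NXDOMAINs within one
# second, the last four truncated, plus one unrelated NOERROR a second later.
SAMPLE = [(1000.0 + i * 0.1, build_header(54154 + i, tc=i >= 6, rcode=NXDOMAIN_RCODE))
          for i in range(10)]
SAMPLE.append((1001.3, build_header(4798, tc=False, rcode=0)))


def analyse_sample():
    return nxdomain_rate(SAMPLE)
```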