[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

bert hubert bert.hubert at netherlabs.nl
Tue Feb 10 11:02:08 UTC 2015

Hi everybody,

Recently at a large deployment, we ran into f.root-servers.net returning
TC=1 to all our queries. We took this up with ISC who quickly informed us
that this is a setting they run with if you exceed more than 5 NXDOMAIN

The installation in question services millions of subscribers, and sadly
gets a lot of silly queries which leak to the root. We're unsure how to 
stay below 5 NXDOMAINs/s permanently.

You can reproduce this behaviour like this:

$ for a in {1..10}; do dig www.no-such-tld-$a -4 @f.root-servers.net ; done > log
$ grep -E 'TCP|status:' l
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54154
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4798
;; Truncated, retrying in TCP mode.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1549

We've since tried to curtail our queries to the root severly, but we still
get TC=1 responses a lot, which slows down our resolution.

We shared our concerns with ISC, but it might be good to have a broader
discussion on if it makes sense to set the bar so very low.

Your thoughts would be appreciated!


More information about the dns-operations mailing list