[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Paul Vixie paul at redbarn.org
Tue Feb 10 23:28:10 UTC 2015

> bert hubert <mailto:bert.hubert at netherlabs.nl>
> Tuesday, February 10, 2015 3:02 AM
> Hi everybody,
> Recently at a large deployment, we ran into f.root-servers.net returning
> TC=1 to all our queries. We took this up with ISC who quickly informed us
> that this is a setting they run with if you exceed more than 5 NXDOMAIN
> responses/s.

have you looked at http://www.redbarn.org/dns/ratelimits (DNS RRL)?
> The installation in question services millions of subscribers, and sadly
> gets a lot of silly queries which leak to the root. We're unsure how to
> stay below 5 NXDOMAINs/s permanently.

nxdomains are grouped together in rrl by soa, and 5/sec is probably too
low a threshold for a root name server. (f-root's adoption of DNS RRL
post-dates my time at isc, so, i was not involved in tuning the parameters.)
> You can reproduce this behaviour like this:
> $ for a in {1..10}; do dig www.no-such-tld-$a -4 @f.root-servers.net ;
> done > log
> $ grep -E 'TCP|status:' log
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54154
> (...)
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4798
> ;; Truncated, retrying in TCP mode.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1549
> We've since tried to curtail our queries to the root severely, but we still
> get TC=1 responses a lot, which slows down our resolution.

i think you'll see that it's not pure TC=1, but rather, some drops with
occasional TC=1's.
> We shared our concerns with ISC, but it might be good to have a broader
> discussion on if it makes sense to set the bar so very low.

because the root is signed, and because dnssec nxdomains are so large,
it is necessary to rate limit them. however, i think 25/sec would be a
better threshold than 5/sec. above that, the value of a root name server
as a reflecting ddos amplifier is just too high.

Paul Vixie
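Added here as an illustration, not code from the thread or from ISC: a simplified Python model of the RRL behaviour Paul describes, with NXDOMAIN responses bucketed per client /24 and per zone (SOA owner) rather than per queried name, the excess dropped, and every second excess response "slipped" as a TC=1 reply. The one-second window, the prefix lengths and slip=2 are assumed simplifications.

```python
import ipaddress
from collections import Counter, defaultdict

class ResponseRateLimiter:
    """Simplified DNS RRL model (assumed, not ISC's implementation):
    count responses per (client prefix, zone, rcode) in 1-second windows;
    the first `limit` are answered, later ones are dropped except that
    every `slip`-th excess response is sent truncated (TC=1)."""

    def __init__(self, limit, slip=2, v4_prefix=24, v6_prefix=56):
        self.limit, self.slip = limit, slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.buckets = defaultdict(lambda: {"window": None, "count": 0})

    def _key(self, client_ip, zone, rcode):
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        # NXDOMAINs are keyed on the zone (SOA owner), not the queried name,
        # so random junk names under one zone all share a single bucket.
        return (str(net), zone.lower(), rcode)

    def decide(self, now, client_ip, zone, rcode):
        """Return 'answer', 'truncate' or 'drop' for a response at time `now`."""
        b = self.buckets[self._key(client_ip, zone, rcode)]
        window = int(now)
        if b["window"] != window:          # new second: reset the counter
            b["window"], b["count"] = window, 0
        b["count"] += 1
        if b["count"] <= self.limit:
            return "answer"
        excess = b["count"] - self.limit
        if self.slip and excess % self.slip == 0:
            return "truncate"              # TC=1, client may retry over TCP
        return "drop"

def simulate(limit, qps, seconds=1, slip=2):
    """Constructed input: one client sends `qps` queries/s for distinct junk
    names that all produce NXDOMAIN from the root; tally the decisions."""
    rrl = ResponseRateLimiter(limit, slip)
    tally = Counter()
    for i in range(qps * seconds):
        tally[rrl.decide(i / qps, "192.0.2.10", ".", "NXDOMAIN")] += 1
    return dict(tally)
```

With a 5/s limit and 10 junk queries per second the client sees mostly drops and a few TC=1 replies, matching the mixed behaviour noted above; raising the limit to 25/s answers all of them.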