<div dir="ltr">Thanks Joe. <div><br></div><div>I was kind of hoping someone would have had similar experience with this very record, <a href="http://imap.gmail.com">imap.gmail.com</a>.</div><div><br></div><div>Our caching resolver uses yet another caching resolver.... which did return the odd response, according to our query log. The logs from our upper stream resolver show that at the time of the odd response, it was handling too many recursive queries:</div>
<div><br></div><div><div>Aug 24 05:13:40 [daemon.warning] named: client 141.161.200.25#63990: view 3: no more recursive clients (1000/0/1000): quota reached </div></div><div><br></div><div>It did answer <a href="http://imap.gmail.com">imap.gmail.com</a> with zero number of records in the answer section, but always with status of SRVERROR, but once, and only once, it answered with zero records and with NOERROR status. It seems our caching server somehow liked this latter answer so much it hung on to it for the rest of the day!</div>
<div><br></div><div>Not quite sure what to make of all this, searching 30 days' worth of query logs, it seems this record has always been answered with a count of 3, for answers.... only during this outage was that 0. </div>
<div><br></div><div>Thanks,</div><div>Mohamed.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 26, 2013 at 11:14 AM, Joe Abley <span dir="ltr"><<a href="mailto:jabley@hopcount.ca" target="_blank">jabley@hopcount.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Mohamed,<br>
<br>
I don't imagine that anybody is going to be able to give you a root cause based on just that information. It could be a bug in your resolver, it could be a transient problem at google, it could be a sign of successful cache poisoning attack, or it could be something else.<br>
<br>
I recommend keeping a rolling tcpdump running on all nameservers, and aging out the resulting compressed pcaps from cron to avoid filling your local disks. It's much better to be able to look for answers with data than to look for answers with no data.<br>
<br>
<br>
Joe<br>
<div><div class="h5"><br>
On 2013-08-26, at 10:27, Mohamed Lrhazi <<a href="mailto:ml623@georgetown.edu">ml623@georgetown.edu</a>> wrote:<br>
<br>
> Hello,<br>
><br>
> We had a mail outage which was caused by one of our three recursive caching DNS servers answering a query as seen below.<br>
><br>
> What could explain the fact that this record had zero answers? And why would the cache server, apparently, cache this answer for over 10 hours (until I manually cleared the cache)? A user reported that the cache server was returning AAAA records, but no IPv4, though we don't have an example of such query/response saved. I guess the fact that the server had AAAA record would explain why the below response is a NOERROR?<br>
><br>
> ➜ ~ dig <a href="http://imap.gmail.com" target="_blank">imap.gmail.com</a> @<a href="http://141.161.200.201" target="_blank">141.161.200.201</a><br>
><br>
> ; <<>> DiG 9.9.2-P1 <<>> <a href="http://imap.gmail.com" target="_blank">imap.gmail.com</a> @<a href="http://141.161.200.201" target="_blank">141.161.200.201</a><br>
> ;; global options: +cmd<br>
> ;; Got answer:<br>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34151<br>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5<br>
><br>
> ;; OPT PSEUDOSECTION:<br>
> ; EDNS: version: 0, flags:; udp: 4096<br>
> ;; QUESTION SECTION:<br>
> ;<a href="http://imap.gmail.com" target="_blank">imap.gmail.com</a>. IN A<br>
><br>
> ;; AUTHORITY SECTION:<br>
> <a href="http://gmail.com" target="_blank">gmail.com</a>. 94747 IN NS <a href="http://ns3.google.com" target="_blank">ns3.google.com</a>.<br>
> <a href="http://gmail.com" target="_blank">gmail.com</a>. 94747 IN NS <a href="http://ns2.google.com" target="_blank">ns2.google.com</a>.<br>
> <a href="http://gmail.com" target="_blank">gmail.com</a>. 94747 IN NS <a href="http://ns4.google.com" target="_blank">ns4.google.com</a>.<br>
> <a href="http://gmail.com" target="_blank">gmail.com</a>. 94747 IN NS <a href="http://ns1.google.com" target="_blank">ns1.google.com</a>.<br>
><br>
> ;; ADDITIONAL SECTION:<br>
> <a href="http://ns2.google.com" target="_blank">ns2.google.com</a>. 269064 IN A 216.239.34.10<br>
> <a href="http://ns1.google.com" target="_blank">ns1.google.com</a>. 269064 IN A 216.239.32.10<br>
> <a href="http://ns3.google.com" target="_blank">ns3.google.com</a>. 269064 IN A 216.239.36.10<br>
> <a href="http://ns4.google.com" target="_blank">ns4.google.com</a>. 269064 IN A 216.239.38.10<br>
><br>
> ;; Query time: 56 msec<br>
> ;; SERVER: 141.161.200.201#53(141.161.200.201)<br>
> ;; WHEN: Sat Aug 24 16:21:17 2013<br>
> ;; MSG SIZE rcvd: 186<br>
><br>
> Thanks a lot,<br>
> Mohamed.<br>
><br>
</div></div>> _______________________________________________<br>
> dns-operations mailing list<br>
> <a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
> dns-jobs mailing list<br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
<br>
</blockquote></div><br></div>
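One way to set up the rolling tcpdump with cron-aged compressed pcaps that Joe recommends above, as an added example that is not part of the original thread. The capture directory, interface, rotation interval, retention period and the script path in the cron comment are assumed values.

```shell
#!/bin/sh
# Rolling DNS packet capture with retention pruning (added example).
# All defaults below are assumptions; override them from the environment.
CAP_DIR="${CAP_DIR:-/var/capture/dns}"   # assumed capture directory
CAP_IFACE="${CAP_IFACE:-any}"            # assumed interface
ROTATE_SECS="${ROTATE_SECS:-3600}"       # start a new pcap every hour
KEEP_DAYS="${KEEP_DAYS:-7}"              # retention for compressed pcaps

# Start the rolling capture. -n stops tcpdump from doing its own DNS
# lookups on the nameserver, -s 0 keeps whole packets, -G rotates the
# output file on a timer (the -w name is expanded with strftime), and
# -z gzip compresses each file once it has been rotated out.
run_capture() {
    mkdir -p "$CAP_DIR" || return 1
    exec tcpdump -n -i "$CAP_IFACE" -s 0 \
        -G "$ROTATE_SECS" -z gzip \
        -w "$CAP_DIR/dns-%Y%m%d-%H%M%S.pcap" \
        port 53
}

# Delete compressed captures older than the given number of days and
# print how many were removed. Only dns-*.pcap.gz is matched, so the
# uncompressed file tcpdump is still writing is never touched.
prune_captures() {
    dir="$1"
    days="$2"
    find "$dir" -type f -name 'dns-*.pcap.gz' -mtime +"$days" \
        -print -exec rm -f {} \; | wc -l | tr -d ' '
}

# Example crontab entry (hypothetical install path), run hourly:
#   15 * * * * /usr/local/sbin/dns-capture.sh prune >/dev/null
case "${1:-}" in
    capture) run_capture ;;
    prune)   prune_captures "$CAP_DIR" "$KEEP_DAYS" ;;
esac
```

Size `KEEP_DAYS` against the observed capture volume per hour so the retention window fits on the local disk with room to spare.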