[Unbound-users] Can't resolve m.facebook.com
wouter at nlnetlabs.nl
Thu Feb 9 08:56:36 UTC 2012
On 02/09/2012 08:29 AM, Attila Nagy wrote:
> Running unbound r2580, I can't resolve m.facebook.com. I get
> SERVFAIL back. The server was running for some time, so it's not in
> a fresh state. It seems the problem is that facebook DNS servers
> time out on AAAA records, so unbound gets the false assumption that
> they are unavailable.

Well, if you do not respond to queries, you deserve what you get. DNS
has noanswer-nodata packets and this is what should be used. They do
not implement RFC1034. And for that facebook deserves to be offline.

That said, you want your users to be able to connect to sites that
have broken software (or more likely: bad firewall). The feature you
name would not actually stop unbound's internal lookups for the AAAA
for the nameserver. You would need to configure a stub-zone in the
config file with the IP4s of the nameservers as a workaround.

A workaround specific to one name is not the right thing. Not sure
how to fix this in a more general way. Store timeout information
per-query-type and query-name specific (it is already per-zone)?
That makes the timeout information useless for new queries.

I am not sure how to fix this, because on the other hand, very similar
situations would result in continuous probes to a server that is down.
And this also adds load to unbound.

> Here are the verbose (level 4) logs while trying to resolve the

Thanks, yes, it is doing a lot of AAAA lookups and those timeouts have
added up to make the zone offline.