[Unbound-users] Can't resolve m.facebook.com
leen at consolejunkie.net
Thu Feb 9 09:11:41 UTC 2012
On Thu, Feb 09, 2012 at 09:56:36AM +0100, W.C.A. Wijngaards wrote:
> Hi Attila,
> On 02/09/2012 08:29 AM, Attila Nagy wrote:
> > Hi,
> > Running unbound r2580, I can't resolve m.facebook.com. I get
> > SERVFAIL back. The server was running for some time, so it's not in
> > a fresh state. It seems the problem is that facebook DNS servers
> > time out on AAAA records, so unbound gets the false assumption that
> > they are unavailable.
> Well if you do not respond to queries, you deserve what you get. DNS
> has noanswer-nodata packets and this is what should be used. They do
> not implement RFC1034. And for that facebook deserves to be offline.
> That said, you want your users to be able to connect to sites that
> have broken software (or more likely: bad firewall). The feature you
> name would not actually stop unbound's internal lookups for the AAAA
> for the nameserver. You would need to configure a stub-zone in the
> config file with the IP4s of the nameservers as a workaround.
> The workaround for one name specific is not the right thing. Not sure
> how to fix this in a more general way. Store timeout information
> per-query-type and query-name specific (it is already per-zone)?
> That makes the timeout information useless for new queries.
> I am not sure how to fix this, because on the other hand, very similar
> situations would result in continuous probes to a server that is down.
> And this also adds load to unbound.
> > Here are the verbose (level 4) logs while trying to resolve the
> > name:
> Thanks, yes, it is doing a lot of AAAA lookups and those timeouts have
> added up to make the zone offline.
I think I know of a hack, try a SOA or NS lookup on the apex at the same nameservers?
Then you know it is still up and running.
I don't know if it is possible to know the apex at all times. And you probably
have to keep more state. :-(
It is an incredibly stupid hack, I know.
> Best regards,
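The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Unbound's code: a simplified model of per-server timeout accounting, with and without an SOA liveness probe at the apex. The threshold, class names and function names are assumptions made for illustration, and the upstream server is constructed.

```python
# Simplified model (assumption, not Unbound's implementation): a resolver
# counts timeouts per upstream server and stops using it after a limit.
from dataclasses import dataclass

TIMEOUT_LIMIT = 3  # assumed value; the thread does not state Unbound's limit


@dataclass
class Upstream:
    """Constructed authoritative server that silently drops some query types."""
    dropped_qtypes: frozenset
    up: bool = True

    def answers(self, qtype):
        return self.up and qtype not in self.dropped_qtypes


@dataclass
class ServerState:
    timeouts: int = 0
    offline: bool = False
    probes_sent: int = 0


def send_query(server, state, qtype, apex_probe=False):
    """Return 'answer', 'timeout' or 'servfail' and update the health state."""
    if state.offline:
        return "servfail"  # server is considered down, nothing is sent
    if server.answers(qtype):
        state.timeouts = 0
        return "answer"
    state.timeouts += 1
    if state.timeouts >= TIMEOUT_LIMIT:
        if apex_probe:
            # The hack from the message: ask for SOA at the apex before
            # giving up. This costs one extra query and extra state.
            state.probes_sent += 1
            if server.answers("SOA"):
                state.timeouts = 0  # alive; only this query type is dropped
                return "timeout"
        state.offline = True
    return "timeout"


def run(server, qtypes, apex_probe):
    """Send the queries in order; return the outcomes and the final state."""
    state = ServerState()
    return [send_query(server, state, q, apex_probe) for q in qtypes], state
```

With a server that stays alive but keeps dropping AAAA, the probe repeats every TIMEOUT_LIMIT timeouts, which is the extra load and state both messages mention.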