[Unbound-users] reddit.com issue
Leen Besselink
leen at consolejunkie.net
Mon Aug 25 11:39:31 UTC 2014
On Mon, Aug 25, 2014 at 01:05:05PM +0200, Maciej Soltysiak wrote:
> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> > Yes. The reddit servers (or likely, their load-balancers) are not
> > following the DNS specifications. They are dropping the query and
> > they should be replying. There was a draft at the IETF even to mark
> > this as harmful, but it did not progress through the standards track,
> > I believe. If they want to refuse the query for unclear reasons (what
> > is wrong with responding NXDOMAIN?) they could choose from nice error
> > codes like SERVFAIL and FORMERR and REFUSED.
> Yup. I have a domain that goes through cloudflare. I just asked
> cloudflare NSes for a name with a colon and it behaves the same (drop).
> When I asked the parents, they answered.
>
> Cloudflare seems to do the same thing for their customers.
>
So I tried Dyn; they respond with NXDOMAIN.
I also tried DNSMadeEasy; they respond with NXDOMAIN.
I noticed that when the domain has a wildcard they respond with the A-record.
I then checked a PowerDNS server; it responds with SERVFAIL even when the domain has a wildcard.
> If not FORMERR, they could've at least sent ICMP administratively
> prohibited to mark that this particular comms is not ok with them.
> That would've made unbound record a failure.
>
> It's silly because in order to immunize your cache against this you
> would have to start your own filtering... That shouldn't be the point.
>
> > Unbound notices the domain does not respond to A queries and marks
> > the domain as timed out, down, for A queries. Unbound stops sending A
> > queries there to attempt to throttle down traffic towards that stricken
> > server. If A queries get replies (there is an exponential backoff to
> > the queries sent out) then unbound marks the server as responsive
> > again (the server is considered back up) and queries are resumed.
> Is there any unbound-control command to help in this situation? i.e.
> manually override the backoff or reset it? Would flush_type or
> flush_name help?
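The probing that the thread describes (asking an authoritative server for a name containing a colon and seeing whether it answers NXDOMAIN, SERVFAIL, FORMERR, REFUSED, an A-record, or nothing at all) can be scripted. The following is an added example, not code from the list or from Unbound; `build_query`, `classify_response` and `probe` are hypothetical helper names, and only `probe` needs network access.

```python
"""Send a raw DNS A query for a name with a colon and classify the outcome
the way the thread does: an rcode, an answer, or a silent drop (timeout).
Added example; helper names are hypothetical, not part of Unbound."""
import os
import socket
import struct
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Minimal DNS query (RD=1, one question). A colon is an ordinary byte
    inside a label, so no escaping is needed to put it on the wire."""
    if qid is None:
        qid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("!B", len(l)) + l.encode()
                      for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(query: bytes, reply: Optional[bytes]) -> str:
    """Map a raw reply (None on timeout) to the label used in the thread."""
    if reply is None:
        return "DROP"              # no reply at all: the behaviour complained about
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "BOGUS"             # truncated header or mismatched transaction ID
    flags = struct.unpack("!H", reply[2:4])[0]
    ancount = struct.unpack("!H", reply[6:8])[0]
    if not flags & 0x8000:         # QR bit must be set on a response
        return "BOGUS"
    rcode = flags & 0x000F
    if rcode == 0:
        return "ANSWER" if ancount else "NODATA"   # wildcard hit vs. empty NOERROR
    return RCODES.get(rcode, f"RCODE{rcode}")

def probe(server: str, qname: str, timeout: float = 2.0) -> str:
    """Send the query over UDP to server:53 and classify what comes back."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_response(q, reply)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))   # e.g. probe("198.51.100.1", "a:b.example.com")
```

Run it against each of a domain's authoritative servers (as found from the parent) to see which of them drop rather than answer; a "DROP" result is what causes Unbound to back off from that server.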