Hey everyone, thanks for bringing this to our attention.

I would ask - if you have specific examples of domain names that fail to resolve with cold cache, please either record them in the issue that Thomas filed: https://gitlab.isc.org/isc-projects/bind9/-/issues/4921 or send them here. It would help us to look at how we can change the limits in a way that doesn’t hurt legitimate traffic, but limits the impact of malicious actors.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 7. 9. 2024, at 9:53, Andreas S. Kerber via bind-users <bind-users@lists.isc.org> wrote:
>
> On Fri, Sep 06, 2024 at 09:27:21PM +0200, Ondřej Surý wrote:
>> Anyway - since you are hitting the 32 limit, perhaps bumping the limit to
>> 100 (the value before) would help in your case? I am guessing the resolver
>> is being used for a limited set of clients and the chance of this specific
>> abuse is quite low.
>>
>> https://bind9.readthedocs.io/en/v9.18.29/notes.html#notes-for-bind-9-18-29
>
> Hi,
>
> FYI our MTA rejection rate went up since updating from 9.18.28 to 9.18.29.
> We're still troubleshooting and consider raising the limit back to 100.
>
> Here's a list of PTRs which you might be interested in.
> If the resolver cache is flushed, some of these names fail to resolve
> (SERVFAIL) at first and after waiting a bit the names start to resolve. At
> least some of these names seem quite legitimate and I can't say if each of
> their zone setup is the culprit or the recursion limit is simply too low.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users