On Tue, Nov 04, 2025 at 07:13:58AM -0500, Ondřej Surý wrote:
! Hi,

Rehi,

! As you can see, there are more than 100 outgoing DNS queries for a single name queried, and often this leads to a SERVFAIL.

where is the 100 coming from?

Recap: I perceived a problem with frequent SERVFAIL since Rel. 9.18.29, and found max-recursion-queries had been changed to 32. I evaluated and found that should protect from DDoS, and this not for my own safety, but against my site being abused to DDoS others.
So I changed back only my telephony (which wouldn't work with the new 32 default), and decided to otherwise live with the singular SERVFAILs until somebody comes up with a better solution.

Looking at this now, it might well be that awaited solution. So I wanted it.

! 2. be willing to communicate about this on the GitLab merge request (https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11205), new updates will be posted there.

I might try, as best as I can. (I tried to understand github, gitlab etc. for a long time already, without success. To me, "git" is a shell command.)

! If you read so far and you are still interested in testing this, the latest
! tarball is always available in the latest pipeline in the tarball-create job in
! the "precheck" stage, but I've also copied the latest one into a latest comment
! in the MR itself:
! https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11205#note_611712

I cannot use tarballs. I have a deploy engine that fetches directly from ISC and then compiles. What I need is a patch to drop into the engine.

So I created such a patch from the git clone (starting from 9.13 which is currently configured in the engine), and it compiles and runs.

But it doesn't seem to work. :(

While I haven't seen any SERVFAIL anymore during the last 1-2 weeks (but that doesn't mean so much), my gorgeous telephone (you know, the one with the worst DNS implementation ever imaginable) doesn't like it.

I had formerly set these special configs to get it working:

    max-recursion-queries 100;
    minimal-responses yes;
    max-cache-ttl 900;

And I did now remove the "max-recursion-queries 100". And then I am occasionally getting a SERVFAIL, after some 160 ms - and I thought that shouldn't happen anymore:

"identity","view","mtype","timestmp","proto","orig","answ","status","flags","typ","rrtext"
"conr.intra.daemon.contact","telefon","CLIENT_QUERY","2025-11-13 13:23:48.936486+01","UDP","192.168.97.23","192.168.98.34",NULL,"rd","QUESTION","tel.t-online.de. IN NAPTR"
"conr.intra.daemon.contact","telefon","CLIENT_RESPONSE","2025-11-13 13:23:49.076161+01","UDP","192.168.97.23","192.168.98.34","SERVFAIL","qr rd ra","QUESTION","tel.t-online.de. IN NAPTR"

Sure there is no problem, I can always re-enable the higher max-recursion-queries. Just playing around out of curiosity...

cheers,
PMc
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
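
Added example, not part of the original message and not ISC or BIND code: a small Python script that reads a CSV export in the column layout shown in the message, pairs each CLIENT_RESPONSE with its CLIENT_QUERY, and reports every SERVFAIL with its latency. The function names, the FIFO pairing rule (the export has no query ID or source port) and the last two sample rows are assumptions made for the example.

```python
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime

# Header and first two rows are copied from the message; the last two rows
# are constructed for this example (a successful lookup, for contrast).
SAMPLE = '''"identity","view","mtype","timestmp","proto","orig","answ","status","flags","typ","rrtext"
"conr.intra.daemon.contact","telefon","CLIENT_QUERY","2025-11-13 13:23:48.936486+01","UDP","192.168.97.23","192.168.98.34",NULL,"rd","QUESTION","tel.t-online.de. IN NAPTR"
"conr.intra.daemon.contact","telefon","CLIENT_RESPONSE","2025-11-13 13:23:49.076161+01","UDP","192.168.97.23","192.168.98.34","SERVFAIL","qr rd ra","QUESTION","tel.t-online.de. IN NAPTR"
"conr.intra.daemon.contact","telefon","CLIENT_QUERY","2025-11-13 13:23:50.000000+01","UDP","192.168.97.23","192.168.98.34",NULL,"rd","QUESTION","example.com. IN A"
"conr.intra.daemon.contact","telefon","CLIENT_RESPONSE","2025-11-13 13:23:50.020000+01","UDP","192.168.97.23","192.168.98.34","NOERROR","qr rd ra","QUESTION","example.com. IN A"
'''


def parse_ts(text):
    """Parse '2025-11-13 13:23:48.936486+01'; the offset may lack minutes."""
    if re.search(r"[+-]\d{2}$", text):
        text += ":00"  # older fromisoformat() wants +HH:MM
    return datetime.fromisoformat(text)


def servfail_latencies(csv_text):
    """Return one dict per SERVFAIL response, with latency in milliseconds.

    Assumption: rows are paired on (view, proto, orig, answ, rrtext) in
    FIFO order, because the export carries no query ID or source port.
    """
    pending = defaultdict(deque)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["view"], row["proto"], row["orig"], row["answ"], row["rrtext"])
        ts = parse_ts(row["timestmp"])
        if row["mtype"] == "CLIENT_QUERY":
            pending[key].append(ts)
        elif row["mtype"] == "CLIENT_RESPONSE":
            # Consume the oldest unanswered query, even for non-failures.
            asked = pending[key].popleft() if pending[key] else None
            if row["status"] == "SERVFAIL":
                ms = None if asked is None else (ts - asked).total_seconds() * 1000
                findings.append({"view": row["view"], "client": row["orig"],
                                 "question": row["rrtext"], "latency_ms": ms})
    return findings


if __name__ == "__main__":
    for f in servfail_latencies(SAMPLE):
        print(f)
```

A `latency_ms` of `None` means the response had no matching query row in the export.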

