Hi,

On 09/02/2024 11:05, Adam Bishop via dnsdist wrote:
> I'm seeing an issue where caching resolvers outside of our network are occasionally storing empty responses to queries.
>
> I think what's happening is that when a query is made and there's a backend timeout, dnsdist is responding to the user with an empty answer and NOERROR. Messages about a backend being marked as down are in the log coinciding with when this has happened.

dnsdist cannot generate a response from a timeout; it simply does not respond at all. It can, however, generate a SERVFAIL if there is no backend available when setServFailWhenNoServer [1] is set, which is not the default, but the backends need to be marked as unavailable when the query comes in: dnsdist will not generate a response once the query has been forwarded to a backend.

> I've not caught dnsdist in the act yet with a packet capture as the issue is infrequent, but am I on the right track?
>
> Is it possible to make dnsdist respond with a SERVFAIL for a backend timeout?

Nope.

[1]: https://dnsdist.org/guides/serverselection.html#setServFailWhenNoServer

Hope that helps,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
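
An added example, not part of the message above and not dnsdist code: a small Python classifier for DNS reply payloads taken from a capture, separating the three outcomes the thread discusses (no reply at all, SERVFAIL, and NOERROR with an empty answer section). The function names and the header-only sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def classify(payload):
    """Classify one observed reply to a query; None means nothing came back."""
    if payload is None:
        return "no-response"          # a timeout: no packet was ever sent
    if len(payload) < 12:
        return "malformed"            # shorter than a DNS header
    # Header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (network order).
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:            # QR bit clear: this is a query
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode == RCODE_NOERROR:
        # The case a downstream cache may store as an empty answer.
        return "empty-noerror" if ancount == 0 else "answer"
    return f"rcode-{rcode}"


def header(rcode, ancount, qr=True):
    """Build a constructed 12-byte DNS header (no question/answer bytes)."""
    flags = (0x8000 if qr else 0) | 0x0100 | rcode   # QR, RD, RCODE
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


# Constructed samples standing in for UDP payloads extracted from a capture.
SAMPLES = [
    header(RCODE_NOERROR, 1),   # normal answer
    header(RCODE_NOERROR, 0),   # NOERROR with zero answers
    header(RCODE_SERVFAIL, 0),  # SERVFAIL
    None,                       # query that never got a reply
    header(3, 0),               # NXDOMAIN
    b"\x00\x01",                # truncated junk
]


def summarise(payloads):
    """Count how many replies fall into each class."""
    return Counter(classify(p) for p in payloads)


if __name__ == "__main__":
    for kind, count in sorted(summarise(SAMPLES).items()):
        print(f"{kind}: {count}")
```
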
