On Mon, Aug 25, 2014 at 01:05:05PM +0200, Maciej Soltysiak wrote:
> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <[email protected]>
> wrote:
> > Yes. The reddit servers (or likely, their load-balancers) are not
> > following the DNS specifications. They are dropping the query and
> > they should be replying. There was a draft at the IETF even to mark
> > this as harmful, but it did not progress through the standards track,
> > I believe. If they want to refuse the query for unclear reasons (what
> > is wrong with responding NXDOMAIN?) they could choose from nice error
> > codes like SERVFAIL and FORMERR and REFUSED.
> Yup. I have a domain that goes through cloudflare. I just asked
> cloudflare NSes for a name with a colon and it behaves the same (drop)
> When I asked the parents, they answered.
>
> Cloudflare seems to do the same thing for their customers.
>
So I tried Dyn, they respond with NXDOMAIN. I also tried DNSMadeEasy, they
respond with NXDOMAIN. I noticed when the domain has a wildcard they respond
with the A-record. I then checked a PowerDNS server, they respond with
SERVFAIL even when the domain has a wildcard.

> If not FORMERR, they could've at least sent ICMP administratively
> prohibited to mark that this particular comms is not ok with them.
> That would've made unbound record a failure.
>
> It's silly because in order to immunize your cache against this you
> would have to start your own filtering... That shouldn't be the point.
>
> > Unbound notices the domain does not respond to A queries. And marks
> > the domain as timeouted, down, for A queries. Unbound stops sending A
> > queries there to attempt to throttle down traffic towards that stricken
> > server. If A queries get replies (there is an exponential backoff to
> > the queries sent out) then unbound marks the server as responsive
> > again (the server is considered back up) and queries are resumed.
> Is there any unbound-control command to help in this situation? i.e.
> manually override the backoff or reset it? Would flush_type or
> flush_name help?

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
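
The comparison made in this thread (a server that silently drops the query versus one that answers NXDOMAIN, SERVFAIL, FORMERR, REFUSED or a wildcard record) can be reproduced with a small probe. This is an added example, not code from the thread or from Unbound; the function names, the fixed transaction ID and the constructed sample replies are assumptions made for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a one-question DNS query (RD clear, as sent to an authoritative server)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label
        for label in (part.encode("ascii") for part in name.rstrip(".").split("."))
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def classify(reply, txid=0x1234):
    """Map a raw reply (or None for a timeout) to the outcomes compared in the thread."""
    if reply is None:
        return "DROPPED"  # no answer at all: the resolver only ever sees a timeout
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "MALFORMED"
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "NOERROR" and ancount:
        return "ANSWER"  # e.g. a wildcard matched the odd label
    return rcode

def probe(server, name, timeout=3.0):
    """Send one UDP query to `server` and classify the result (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply)

def sample_reply(rcode, ancount=0, txid=0x1234):
    """Constructed reply header for offline use (QR and AA set, no question section)."""
    return struct.pack("!HHHHHH", txid, 0x8400 | rcode, 0, ancount, 0, 0)

if __name__ == "__main__":
    for label, raw in [("dropped", None), ("NXDOMAIN", sample_reply(3)),
                       ("SERVFAIL", sample_reply(2)), ("wildcard", sample_reply(0, 1))]:
        print(label, "->", classify(raw))
```

Calling `probe()` with the address of one of your own zone's name servers and a name containing a colon shows which of these outcomes that server produces; only `DROPPED` leaves a resolver with nothing but a timeout to act on.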
