Hi Daisuke, Thank you for the response.
This same behaviour is occurring to all domains that has being attacked. Do you think is the same reason (nameservers tango down)? Regards, -- Eduardo Schoedler Em quinta-feira, 5 de maio de 2016, Daisuke HIGASHI < [email protected]> escreveu: > Hi, Eduardo: > > It seems that all nameservers of "315ye.zj.cn" (ns1.22.cn, ns2.22.cn) > are completely down and no response; In Unbound "infra" database all > NS of "315ye.zj.cn" > should be marked as "rto 120000", which means "not responsible". > > $ unbound-control dump_infra | grep 315ye.zj.cn > 121.12.104.72 315ye.zj.cn. ttl 4 ping 0 var 94 rtt 376 rto 120000 tA 3 > tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 > other 0 > 121.12.104.73 315ye.zj.cn. ttl 0 ping 0 var 94 rtt 376 rto 120000 tA 3 > tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 > other 0 > 218.66.171.136 315ye.zj.cn. ttl 6 ping 0 var 94 rtt 376 rto 120000 tA > 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 > other 0 > 218.66.171.137 315ye.zj.cn. ttl 2 ping 0 var 94 rtt 376 rto 120000 tA > 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 > other 0 > > In this case Unbound stops resolving names under the zone (returns > SERVFAIL for user queries) for a while. > > Unbound's "ratelimit" feature ratelimits number of queries from > Unbound to nameservers, > not from user to Unbound. So my guess is: Unbound should already had > stopped resolving > "315ye.zj.cn" because all the NSs are down, so its "ratelimit" feature > no longer detect > excessive queries to "315ye.zj.cn" nameservers. > > Regards, > -- > Daisuke Higashi > -- Eduardo Schoedler
