Problems with negative cache and TCP Connections on Bind

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 7 22:22:28 UTC 2002


Ana Paula Anjos wrote:

> Friends,
>
> I have installed bind (version 8.2.4 and 8.3.3) and it seems that the
> negative cache is not working.
>
> I did the following test: I have a dns server (10.1.1.1) that is
> authoritative for domain xpto.com.br(10.20.30.40). From another
> machine (10.1.54.50), I run a script that sent a lot of queries for
> xpto.com.br, using my dns server (10.1.1.10). The result of snoop was:
>
> 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.1.1   -> 10.1.1.10 DNS R xpto.com.br. Internet Addr 10.20.30.40
> 10.1.1.10  -> 10.1.54.50 DNS R xpto.com.br. Internet Addr 10.20.30.40.
>
> It's ok....
>
> But, when I shut down the dns process on machine 10.1.1.1, my dns
> server doesn't keep the negative information about this.. The snoop is:
>
> 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.54.50 DNS R Error: 2(Server Fail)
> 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> 10.1.1.10  -> 10.1.54.50 DNS R Error: 2(Server Fail)
>
> And so on....
>
> I have in my named.conf the "max-ncache-ttl" set to 10800 (3 hours)
> and "cleaning-interval" set to 120 (2 hours). And at the zone
> "xpto.com.br" the "minimum" is set to 86400 (1 day).
>
> I think that the correct behavior would be for the server (10.1.1.10) to ask
> 10.1.1.1 only once about xpto.com.br and, if there is no answer, not to
> ask again until max-ncache-ttl expires.. Is it right??? Because it is not
> happening and I don't know why. I will appreciate any help!!

Timing out trying to reach a nameserver is not the same as receiving a
negative answer to a query. Behavior in the face of the latter scenario
is defined by RFC 2308 and is controllable by the domain owner through
the negative caching TTL (last) field of the SOA record for the zone.
Timeout behavior, on the other hand, is left up to the implementation,
and in BIND at least, is not directly configurable.

What exactly are you trying to accomplish here? Is this just an academic
exercise, or are you actually concerned about the bandwidth that is being
consumed by unsuccessful resolution attempts? If you're that concerned,
make sure you have plenty of slave servers, strategically located on your
network so that the bandwidth impact is minimized in the case of a single
machine failure.

> One more thing,
>
> I would like to prevent my server from opening TCP connections to other
> DNS servers.. Is it possible?? If it is not, in what situations does it
> open TCP connections??

TCP connections are normally only seen in zone transfers and whenever a
DNS answer is too large to fit into a UDP packet. You can't really
predict when TCP is going to be used or not used, so it is recommended to
open both UDP and TCP between nameservers or between nameservers and
clients.


- Kevin
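The distinction Kevin draws above (a timeout is not a negative answer, and only an RFC 2308 negative answer gets cached) and the TCP fallback he mentions (an answer too large for UDP) replayed as an added Python example. This is not code from the thread or from BIND: the resolver, the upstream server, the zone contents and the SOA TTL of 3600 are constructed for the simulation; the SOA minimum of 86400 and max-ncache-ttl of 10800 are the values from the question.

```python
"""Constructed simulation of a caching resolver's negative-cache logic (RFC 2308)
and of the truncation check that makes a resolver retry a query over TCP."""
import struct

# Values taken from the question: the zone's SOA minimum and named.conf max-ncache-ttl.
SOA_MINIMUM = 86400
MAX_NCACHE_TTL = 10800
SOA_TTL = 3600          # assumed TTL of the SOA record itself (not given in the question)


def negative_ttl(soa_ttl, soa_minimum, max_ncache_ttl):
    """RFC 2308 section 3: a negative answer is cached for min(SOA TTL, SOA MINIMUM);
    BIND additionally caps that value at max-ncache-ttl."""
    return min(soa_ttl, soa_minimum, max_ncache_ttl)


class Upstream:
    """Stand-in for the authoritative server 10.1.1.1 from the question."""

    def __init__(self, zone):
        self.zone = zone        # name -> (address, ttl); constructed data
        self.running = True

    def query(self, name):
        if not self.running:
            raise TimeoutError("no response from upstream")
        if name in self.zone:
            return "NOERROR", self.zone[name], None
        # NXDOMAIN carries the SOA so the resolver can size the negative TTL
        return "NXDOMAIN", None, (SOA_TTL, SOA_MINIMUM)


class Resolver:
    """Stand-in for the caching server 10.1.1.10; `clock` is injectable so tests control time."""

    def __init__(self, upstream, max_ncache_ttl, clock):
        self.upstream = upstream
        self.max_ncache_ttl = max_ncache_ttl
        self.clock = clock
        self.cache = {}             # name -> (rcode, data, expiry)
        self.upstream_queries = 0

    def resolve(self, name):
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and entry[2] > now:
            return entry[0], entry[1], "cache"      # positive or negative cache hit
        self.upstream_queries += 1
        try:
            rcode, data, soa = self.upstream.query(name)
        except TimeoutError:
            # A timeout is not a negative answer: RFC 2308 gives nothing to cache,
            # so the client gets SERVFAIL and the next query goes upstream again.
            return "SERVFAIL", None, "upstream"
        if rcode == "NOERROR":
            ttl = data[1]
        else:
            ttl = negative_ttl(soa[0], soa[1], self.max_ncache_ttl)
        self.cache[name] = (rcode, data, now + ttl)
        return rcode, data, "upstream"


def is_truncated(dns_message):
    """True if the TC flag is set in a raw DNS message header, i.e. the reply did not
    fit into the UDP packet and the resolver must repeat the query over TCP."""
    if len(dns_message) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _ident, flags = struct.unpack("!HH", dns_message[:4])
    return bool(flags & 0x0200)     # TC is bit 9 of the 16-bit flags word


def demo():
    """Replays the question's experiment against the simulation."""
    t = [0]

    def clock():
        return t[0]

    upstream = Upstream({"xpto.com.br.": ("10.20.30.40", 300)})
    r = Resolver(upstream, MAX_NCACHE_TTL, clock)
    out = {}
    out["first"] = r.resolve("xpto.com.br.")             # goes upstream
    out["second"] = r.resolve("xpto.com.br.")            # cache hit
    out["nx"] = r.resolve("nosuch.xpto.com.br.")         # NXDOMAIN, cached per RFC 2308
    out["nx_again"] = r.resolve("nosuch.xpto.com.br.")   # negative cache hit
    upstream.running = False                             # "shut down the dns process"
    t[0] = 301                                           # positive record has expired
    out["down1"] = r.resolve("xpto.com.br.")             # SERVFAIL, nothing cached
    out["down2"] = r.resolve("xpto.com.br.")             # SERVFAIL again, upstream asked again
    out["upstream_queries"] = r.upstream_queries
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The simulation sends one upstream query per client query; real BIND 8 retries a few times before giving up, which is why the snoop shows three queries to 10.1.1.1 per SERVFAIL. The point it reproduces is the one in the reply: the NXDOMAIN for `nosuch.xpto.com.br.` is served from cache on the second lookup, while the two lookups after the upstream stops answering both go upstream, because a timeout leaves nothing behind for the negative cache.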
