Problems with negative cache and TCP Connections on Bind

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Nov 8 22:03:39 UTC 2002


> 
> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<aqepd5$1il2$1 at isrv4.isc.org>...
> > Ana Paula Anjos wrote:
> > 
> > > Friends,
> > >
> > > I have installed bind (version 8.2.4 and 8.3.3) and it seems the
> > > negative cache is not working.
> > >
> > > I did the following test: I have a dns server (10.1.1.1) that is
> > > authoritative for domain xpto.com.br(10.20.30.40). From another
> > > machine (10.1.54.50), I run a script that sent a lot of queries for
> > > xpto.com.br, using my dns server (10.1.1.10). The result of snoop was:
> > >
> > > 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.1   -> 10.1.1.10 DNS R xpto.com.br. Internet Addr 10.20.30.40
> > > 10.1.1.10  -> 10.1.54.50 DNS R xpto.com.br. Internet Addr 10.20.30.40.
> > >
> > > It's ok....
> > >
> > > But, when I shut down the dns process on machine 10.1.1.1, my dns
> > > server doesn't keep the negative information about this.. The snoop is:
> > >
> > > 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.54.50 DNS R Error: 2(Server Fail)
> > > 10.1.54.50 -> 10.1.1.10 DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.1.1  DNS C xpto.com.br. Internet Addr?
> > > 10.1.1.10  -> 10.1.54.50 DNS R Error: 2(Server Fail)
> > >
> > > And so on....
> > >
> > > I have in my named.conf the "max-ncache-ttl" set to 10800 (3 hours)
> > > and "cleaning-interval" set to 120 (2 hours). And at the zone
> > > "xpto.com.br" the "minimum" is set to 86400 (1 day).
> > >
> > > I think that the correct would be the server (10.1.1.10) request only
> > > once about xpto.com.br to 10.1.1.1 and, if there is no answers, it
> > > doesn't ask anymore until the expiration of max-ncache-ttl.. Is it
> > > right??? Because it is not happening and I don't know why. I will
> > > appreciate any help!!
> > 
> > Timing out trying to reach a nameserver is not the same as receiving a
> > negative answer to a query. Behavior in the face of the latter scenario
> > is defined by RFC 2308 and is controllable by the domain owner through
> > the negative caching TTL (last) field of the SOA record for the zone.
> > Timeout behavior, on the other hand, is left up to the implementation,
> > and in BIND at least, is not directly configurable.
> > 
> > What exactly are you trying to accomplish here? Is this just an academic
> > exercise, or are you actually concerned about the bandwidth that is being
> > consumed by unsuccessful resolution attempts? If you're that concerned,
> > make sure you have plenty of slave servers, strategically located on your
> > network so that the bandwidth impact is minimized in the case of a single
> > machine failure.
> > 
> > > One more thing,
> > >
> > > I would like to deny my server to open TCP connections with another
> > > DNS Servers..Is it possible?? If it is not, what situations is it open
> > > TCP connections??
> > 
> > TCP connections are normally only seen in zone transfers and whenever a
> > DNS answer is too large to fit into a UDP packet. You can't really
> > predict when TCP is going to be used or not used, so it is recommended to
> > open both UDP and TCP between nameservers or between nameservers and
> > clients.
> > 
> > 
> > - Kevin
> 
> 
> Kevin,
> 
> Thanks a lot for your explanation about max_ncache_ttl. It was not
> what I was thinking....
> 
> So, is there some configuration on Bind to avoid that my server
> does requests to a DNS server that is down for a long time?? For
> example, if the dns server of domain xpto.com.br is down, my server
> would try to ask it for 10 minutes and, if there is no answer,
> would try to ask again after one hour and, while it doesn't ask again
> to server xpto to see if it is alive, my server would answer to the
> clients "Error: Server Fail". Is it possible?
> 

	Supply multiple servers for the zone.  Named will work out
	which ones are up and prefer them.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
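The distinction Kevin draws above, a timed-out query versus an RFC 2308 negative answer, worked through in code. This is an added example, not code from the thread or from BIND: a small wire-format classifier that recognises a positive answer, SERVFAIL, a timeout, or a negative answer, and for the last computes the negative-cache TTL as min(SOA RR TTL, SOA MINIMUM) from the SOA in the authority section. The response bytes, names and SOA values are constructed here (the zone name xpto.com.br is the one from the thread).

```python
import struct

def encode_name(name):
    """Encode "a.b.c." as uncompressed wire labels (only used to build the constructed sample)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\0"

def read_name(msg, off):
    """Decode a domain name at off, following RFC 1035 compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # pointer: the rest of the name lives elsewhere
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (off if end is None else end)

def classify(resp):
    """resp is raw wire bytes, or None on timeout -> (kind, negative_cache_ttl_or_None)."""
    if resp is None:
        return "timeout", None           # no answer at all: nothing for RFC 2308 to cache
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):                  # skip the question section
        off = read_name(resp, off)[1] + 4
    if rcode == 2:
        return "servfail", None          # SERVFAIL is not a negative answer either
    if rcode == 0 and an:
        return "positive", None
    for i in range(an + ns):             # walk answer + authority looking for the zone SOA
        off = read_name(resp, off)[1]
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if i >= an and rtype == 6:       # RFC 2308 s.5: cache for min(SOA RR TTL, SOA MINIMUM)
            p = read_name(resp, read_name(resp, off)[1])[1]   # skip MNAME and RNAME
            return "negative", min(ttl, struct.unpack("!I", resp[p + 16:p + 20])[0])
        off += rdlen
    return "negative", None              # NXDOMAIN/NODATA without an SOA: not cacheable

def sample_nxdomain(ttl=3600, minimum=86400):
    """Constructed NXDOMAIN reply for nosuch.xpto.com.br with the zone SOA in the authority section."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)           # QR|AA, rcode 3, 1 question, 1 authority RR
    q = encode_name("nosuch.xpto.com.br.") + struct.pack("!HH", 1, 1)  # A IN
    rd = encode_name("ns.xpto.com.br.") + encode_name("root.xpto.com.br.")
    rd += struct.pack("!IIIII", 2002110801, 3600, 900, 604800, minimum)  # serial, refresh, retry, expire, MINIMUM
    soa = b"\xC0\x13" + struct.pack("!HHIH", 6, 1, ttl, len(rd)) + rd  # owner = pointer to "xpto.com.br." at offset 19
    return hdr + q + soa
```

Feeding `sample_nxdomain()` to `classify` yields a negative answer cacheable for 3600 seconds (the SOA RR TTL, being smaller than MINIMUM), whereas `classify(None)` reports a timeout, which is exactly the case the thread shows BIND retrying rather than caching.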