question about caching of lame servers

Klaus Darilion klaus.mailinglists at pernau.at
Tue Oct 17 07:40:07 UTC 2006


Kevin Darcy wrote:
> Klaus Darilion wrote:
>> Hi Tatuya!
>>
>> Thanks for your answers.
>>
>> JINMEI Tatuya / 神明達哉 wrote:
>>   
>>>> Further, I not only want to cache lame name servers, but also name 
>>>> servers which are down. Is this possible?
>>>>       
>>> Not exactly, but the fact that a server is down is cached as
>>> a penalized RTT, which makes that server less preferred in subsequent
>>> server selection.
>>>     
>> Penalized RTT works fine if at least one authoritative name server is 
>> working, but if all authoritative name servers are down, then this is no 
>> help.
>>
>> Maybe I should describe the cause of my question. I am using openser as 
>> SIP proxy. openser is multi threaded (fixed number of threads) and uses 
>> libresolv for domain resolving. Thus, if openser resolves a domain with 
>> broken name servers (either by network problems or by intention (DoS 
>> attack)), openser's thread is busy until a timeout happens.
>>
>> This can be easily used to make a DoS attack. Probably the best solution 
>> would be to use asynchronous DNS in openser, but this will not be 
>> implemented soon.
>>
>> Do you know a solution to solve this problem in the recursive name server?
>>   
> What's the difference between a "down" nameserver and one that's simply 
> taking a long time to respond, from a resolver's point of view? In 
> practice, not a whole lot.

There is no difference - I want to cache both failures and respond 
immediately with SERVFAIL instead of waiting for a timeout over and over 
again.

> Perhaps the interim solution is to tune openser's lookup timeout-retry 
> parameters.

That gives faster timeouts - but I want to get rid of timeouts 
completely - of course the first lookup will time out, but the name 
servers should be marked as down for some time and sequential lookups 
should be avoided.

regards
klaus

> 
>                                                                          
>                             - Kevin
> 
> 
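
The behaviour asked for in this message, implemented on the application side as an added example (not part of the original message, and not openser, libresolv or BIND code): a fixed-size hold-down table that remembers names whose lookup failed and fails them immediately until the mark expires. `cached_lookup`, `fail_cache`, `fake_resolve` and the 30-second `HOLD_DOWN` value are assumptions made for illustration.

```c
/* Added example, not openser or BIND code. All names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <time.h>

#define SLOTS 256       /* fixed size: a flood of bogus names cannot grow memory */
#define HOLD_DOWN 30    /* seconds a failed name stays marked down (assumed value) */
enum { LOOKUP_OK = 0, LOOKUP_FAIL = -1, LOOKUP_CACHED_FAIL = -2 };

typedef int (*resolve_fn)(const char *name);  /* 0 = answer, nonzero = timeout/SERVFAIL */
struct fail_entry { char name[256]; time_t until; };
static struct fail_entry fail_cache[SLOTS];   /* per worker; add a lock if shared */

static unsigned slot_for(const char *name) {  /* case-insensitive djb2 hash */
    unsigned h = 5381;
    for (; *name; name++) h = h * 33 + (unsigned)tolower((unsigned char)*name);
    return h % SLOTS;
}

/* Resolve `name`, but fail at once if it failed within the last HOLD_DOWN seconds. */
int cached_lookup(const char *name, time_t now, resolve_fn resolve) {
    if (strlen(name) >= sizeof fail_cache[0].name) return LOOKUP_FAIL;
    struct fail_entry *e = &fail_cache[slot_for(name)];
    int same = strcasecmp(e->name, name) == 0;
    if (same && e->until > now) return LOOKUP_CACHED_FAIL;  /* no blocking query */
    if (resolve(name) == 0) {
        if (same) e->until = 0;               /* recovered: clear the mark */
        return LOOKUP_OK;
    }
    strcpy(e->name, name);                    /* colliding entries are overwritten */
    e->until = now + HOLD_DOWN;
    return LOOKUP_FAIL;
}

/* Constructed stand-in for the blocking libresolv call; counts real queries. */
static int fake_calls;
static int fake_resolve(const char *name) {
    fake_calls++;
    return strstr(name, "broken") ? -1 : 0;
}

int main(void) {
    time_t t = 1000;                          /* constructed clock values */
    printf("%d\n", cached_lookup("sip.broken.example", t, fake_resolve));
    printf("%d\n", cached_lookup("sip.broken.example", t + 10, fake_resolve));
    printf("%d\n", cached_lookup("sip.broken.example", t + 31, fake_resolve));
    printf("queries sent: %d\n", fake_calls);
    return 0;
}
```

Only the first lookup and the first one after the hold-down expires pay the timeout; a name that recovers inside the window still fails until the mark runs out, which is the trade-off of any hold-down.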


