on TTL expiry BIND sends 'ANY' query, gets back 'NOANSWER'

Chuck Anderson cra at WPI.EDU
Sat Apr 11 13:03:27 UTC 2015


On Thu, Apr 09, 2015 at 12:31:14PM +0100, Phil Mayers wrote:
> On 08/04/15 22:00, Chuck Anderson wrote:
> 
> >No, you are right.  My filtered view of the packet capture was missing
> >the fact that another unrelated client did an 'ANY' query.  I found it
> >in the query log.  BIND 9.10 implements prefresh, but I'm on 9.8.2.
> >
> 
> Oops just saw this, disregard my other email.
> 
> >Thanks for your help!  It looks like whenever an 'ANY' query comes
> >into BIND due to the load balancer misbehavior it causes 'NOANSWER' to
> >be cached for the MinTTL.
> 
> Hmm.
> 
> >
> >I will now go back to the load balancer vendor and see if they can
> >make it answer 'ANY' queries correctly.
> 
> Well... TBH ANY queries are a minefield. They're really for
> debugging only. They're not meant to be some "fetch all types" DNS
> query for production use, despite what qmail would have you believe.
> 
> I would look to stop the client doing ANY queries. As Barry says, LB
> vendors take ages to get stuff like this right (why they can't just
> use an embedded copy of bind for their DNS crap I don't know; use
> DLZ if they absolutely must).

I can't stop clients from making certain kinds of queries (unless BIND
has a feature to refuse such queries or not recurse for them?).
Whenever a client makes the 'ANY' query, it effectively causes a DoS
on that name.  Luckily the MinTTL is only 30 seconds, so the problem
goes away after 30 seconds.

I did finally discover the magic incantation in the load balancer to
get it to answer 'ANY' queries, so I think I've solved the problem for
now.
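Chuck says he found the offending 'ANY' query in the query log. As an added example (not from this thread), here is a small scanner that pulls ANY queries out of BIND query-log lines and counts them per client and per name, so the source of the traffic is visible before the negative answer gets cached; the log lines are constructed, and the parser assumes the query-log format they show (with optional `@0x...` and `(view)` tokens tolerated).

```python
import re
from collections import Counter

# Constructed BIND query-log lines (not from the thread), in the 9.8-era layout.
SAMPLE_LOG = """\
09-Apr-2015 12:30:01.101 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.53)
09-Apr-2015 12:30:02.204 client 192.0.2.77#40122: query: www.example.com IN ANY + (192.0.2.53)
09-Apr-2015 12:30:02.310 client 192.0.2.10#53212: query: www.example.com IN A + (192.0.2.53)
09-Apr-2015 12:30:05.555 client 192.0.2.77#40123: query: mail.example.com IN ANY + (192.0.2.53)
09-Apr-2015 12:30:06.000 client 192.0.2.11#51000: query: www.example.com IN AAAA + (192.0.2.53)
"""

# Matches the start of a query-log line; trailing flags/tokens are ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?(?P<client>[^#\s]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield one dict per parsed query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.groupdict()


def any_queries(text):
    """Return (client, qname) for every ANY query in the log, in log order."""
    return [(q["client"], q["qname"]) for q in parse_query_log(text) if q["qtype"] == "ANY"]


def any_summary(text):
    """Count ANY queries per client and per queried name."""
    per_client, per_name = Counter(), Counter()
    for client, qname in any_queries(text):
        per_client[client] += 1
        per_name[qname] += 1
    return per_client, per_name


if __name__ == "__main__":
    clients, names = any_summary(SAMPLE_LOG)
    for client, n in clients.most_common():
        print(f"{client}: {n} ANY queries")
    for name, n in names.most_common():
        print(f"{name}: {n} ANY queries")
```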

