forward first and fallback not working

/dev/rob0 rob0 at
Wed Aug 24 16:19:22 UTC 2016

On Wed, Aug 24, 2016 at 05:28:55PM +0200, Marco Felettigh wrote:
> The dns resolution with works fine with "forward first" if 
> is working but for testing i blocked with an intermediate 
> firewall the dns requests to the forwarder and two things happened 
> (the second one is bad).
> 1) If the firewall reset the connection to bind fallbacks
>    on its root servers and this is good
> 2) If the firewall drop the connection to bind does NOT
>   this fallback on its root servers and this is a bad thing cause 
>   in this way i was testing a network outage for my forwarder.
> below my config

I am not sure this is a BIND issue.  Try this with a longer timeout 
set in your resolver ...

> Hi attach also che config
> /etc/resolv.conf
> search domain.dom
> nameserver
options timeout=20

Try similar settings on other clients.

My glibc (GNU/Linux) resolver says the default timeout is 5 seconds.
I'm not sure about named, but I think its timeout is greater than 
that.  So named is waiting for its own timeout before attempting 
recursion.  By the time recursion is complete, the client has long 
since given up.

> named.conf

If anything needs to change on the BIND side of this, perhaps it 
would be the documentation of "forward first", to note that this 
feature won't work with most standard resolver clients.

I would further suggest that this fallback isn't a very good idea 
anyway; you'll probably be better off just doing the recursion 
without forwarders in the picture.
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

More information about the bind-users mailing list