BIND srtt algorithm not working as expected
dot at dotat.at
Thu May 17 11:34:44 UTC 2018
Paul Roberts <paul at callevanetworks.com> wrote:
> After doing some more packet captures, it looks like a lot of the
> queries are related to Sophos live protection DNS lookups (lots of
> queries for sophosxl.net), so there are a lot of queries which don't get
There are a few things you might do to mitigate this idiocy:

0. Block sophosxl.net. Your colleagues responsible for AV might not
appreciate this :-)

1. In BIND 9.11+ there are options `fetches-per-zone` and
`fetches-per-server` for helping a resolver to cope with overloaded
authoritative servers. When you are forwarding you'll have to rely on
fetches-per-zone since fetches-per-server will throttle everything.
I don't know how fetches-per-zone discovers zone cuts or how well that
works in the forwarding case when your resolver is relying on an
upstream to do the iteration.

2. Set up sacrificial forwarding IP addresses. These can be additional
addresses on your existing forwarders. Configure your resolvers to
forward queries for sophosxl.net to the sacrificial addresses instead
of the usual ones. Then BIND's address database entries used by most
queries won't get polluted by the non-responding servers.

You might profitably combine 1. and 2. to make the resolver eagerly drop
queries to the sacrificial forwarders.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
the quest for freedom and justice can never end
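As an added illustration (not part of the message above), here is what suggestions 1 and 2 look like as named.conf fragments on the resolver. The addresses 192.0.2.10 (usual forwarder) and 192.0.2.11 (sacrificial address on the same forwarder host) and the limit of 100 are constructed for the example:

```conf
// Added example, not from the original message. Addresses are constructed
// (RFC 5737 documentation range); the fetch limit is an illustrative value.

options {
    // Normal traffic keeps going to the usual forwarder address, so its
    // address-database entry (SRTT / timeout state) stays clean.
    forwarders { 192.0.2.10; };
    forward only;

    // Suggestion 1 (BIND 9.11+): cap simultaneous outstanding fetches per
    // zone. "drop" discards excess queries silently rather than answering
    // SERVFAIL, so the resolver sheds load for the slow zone instead of
    // holding recursive-client slots open. fetches-per-server is not used
    // because, when forwarding, every query goes to the same server and
    // that limit would throttle all lookups, not only the slow zone.
    // As the message notes, how well the per-zone count works when an
    // upstream does the iteration is not certain; check the fetch counters
    // in "rndc recursing" / statistics output after deploying.
    fetches-per-zone 100 drop;
};

// Suggestion 2: send only the problem zone to the sacrificial address.
// Responses that never come back then poison the address-database entry
// for 192.0.2.11 alone, leaving 192.0.2.10 unaffected for everything else.
zone "sophosxl.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; };
};
```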