BIND srtt algorithm not working as expected

Tony Finch dot at
Thu May 17 11:34:44 UTC 2018

Paul Roberts <paul at> wrote:

> After doing some more packet captures, it looks like a lot of the
> queries are related to Sophos live protection DNS lookups (lots of
> queries for, so there are a lot of queries which don't get
> resolved.

Good grief.

There are a few things you might do to mitigate this idiocy:

0. Block Your colleagues responsible for AV might not
   appreciate this :-)

1. In BIND 9.11+ there are options `fetches-per-zone` and
   `fetches-per-server` for helping a resolver to cope with overloaded
   authoritative servers. When you are forwarding you'll have to rely on
   fetches-per-zone since fetches-per-server will throttle everything.
   I don't know how fetches-per-zone discovers zone cuts or how well that
   works in the forwarding case when your resolver is relying on an
   upstream to do the iteration.

2. Set up sacrificial forwarding IP addresses. These can be additional
   addresses on your existing forwarders. Configure your resolvers to
   forward queries for to the sacrificial addresses instead
   of the usual ones. Then BIND's address database entries used by most
   queries won't get polluted by the non-responding servers.

You might profitably combine 1. and 2. to make the resolver eagerly drop
queries to the sacrificial forwarders.

f.anthony.n.finch  <dot at>
the quest for freedom and justice can never end

More information about the bind-users mailing list