BIND and UDP tuning

[Alex]

Hi,

> On Thu, Sep 27, 2018 at 10:53:25AM -0400, Alex wrote:
> > Many of these values I've already tweaked and have had no effect on my
> > SERVFAIL issues :-(
>
> If you are getting SERVFAILs from a BIND resolver you administer, then
> it has responded to your query. If you turn up the log level to
> something like -d 99, it'll print the steps that led to that SERVFAIL.
> Usually you'll find something there that directs you to next steps.
>
> On this topic, my home resolver is also a stock packaged BIND version as
> you, and I too see spurious SERVFAILs sometimes. I used to think this
> was due to too much indirection, e.g., when named starts up and you run:
>
>     dig -x 176.9.81.50

It doesn't typically happen when running from the command-line. It
does occasionally happen, though. I usually run something like "dig
+all +trace +nodnssec <hostname>". It sometimes times out in the
middle, with something like "cannot resolve xyz host", which may even
be one of the root servers.

I also typically run it with "rndc trace 11" which shows me quite a
bit of debugging info - too much to look through manually. With trace
99, I can imagine it being overwhelming amount of info. Do you have
any ideas of what to look for? "query-errors"?

Also, I also see other SERVFAIL errors that really are SERVFAIL errors
- when querying the host manually, it still responds immediately with
SERVFAIL.

Thanks,
Alex



>
> on a cold cache. However it seems to be returning SERVFAIL sometimes for
> what should be a cached answer. I'll also turn up the debug logging and
> watch it.
>
>                 Mukund