Testers sought for patch that reduces the number of outgoing queries

Peter 'PMc' Much pmc at citylink.dinoex.sub.org
Wed Nov 19 14:55:15 UTC 2025


On Tue, Nov 04, 2025 at 07:13:58AM -0500, Ondřej Surý wrote:
! Hi,

Rehi,

! As you can see, there are more than 100 outgoing DNS queries for a
! single name queried, and often this leads to a SERVFAIL.

where is the 100 coming from?

Recap: I perceived a problem with frequent SERVFAIL since Rel.
9.18.29, and found max-recursion-queries had been changed to 32.

I evaluated this and found that it should protect from DDoS, and not for
my own safety, but against my site being abused to DDoS others.
So I changed back only my telephony (which wouldn't work with the
new 32 default), and decided to otherwise live with the singular
SERVFAILs until somebody comes up with a better solution.

Looking at this now, it might well be that awaited solution.
So I wanted it. 

! 2. be willing to communicate about this on the GitLab merge request
!    (https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11205),
!    new updates will be posted there.

I might try, as best as I can. (I tried to understand github, gitlab
etc. for a long time already, without success. To me, "git" is a shell
command.)

! If you read so far and you are still interested in testing this, the latest
! tarball is always available in the latest pipeline in the tarball-create job in
! the "precheck" stage, but I've also copied the latest one into a latest comment
! in the MR itself:
! https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11205#note_611712

I cannot use tarballs. I have a deploy engine that fetches directly
from ISC and then compiles. What I need is a patch to drop into the
engine.

So I created such a patch from the git clone (starting from 9.13,
which is currently configured in the engine), and it compiles and
runs. But it doesn't seem to work. :(

While I haven't seen any SERVFAIL anymore during the last 1-2 weeks
(but that doesn't mean so much), my gorgeous telephone (you know, the
one with the worst DNS implementation ever imaginable) doesn't like it.

I had formerly set these special configs to get it working:
   max-recursion-queries 100;
   minimal-responses yes;
   max-cache-ttl 900;

And I have now removed the "max-recursion-queries 100". And then I am
occasionally getting a SERVFAIL, after some 160 ms - and I thought that
shouldn't happen anymore:

"identity","view","mtype","timestmp","proto","orig","answ","status","flags","typ","rrtext"
"conr.intra.daemon.contact","telefon","CLIENT_QUERY","2025-11-13 13:23:48.936486+01","UDP","192.168.97.23","192.168.98.34",NULL,"rd","QUESTION","tel.t-online.de. IN NAPTR"
"conr.intra.daemon.contact","telefon","CLIENT_RESPONSE","2025-11-13 13:23:49.076161+01","UDP","192.168.97.23","192.168.98.34","SERVFAIL","qr rd ra","QUESTION","tel.t-online.de. IN NAPTR"

Sure, there is no problem; I can always re-enable the higher
max-recursion-queries. Just playing around out of curiosity...


cheers,
PMc
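As an added example (not part of the post above, and not BIND or ISC code), here is a small script that pairs CLIENT_QUERY and CLIENT_RESPONSE rows in the CSV layout shown in the post, computes the client-visible latency, and lists the SERVFAILs, so that "occasional SERVFAIL after some 160 ms" can be checked against the log rather than estimated. The column names come from the header in the post; the pairing key (identity, view, orig, answ, rrtext, matched first-in first-out) and the NO_RESPONSE status for queries that never get an answer are my assumptions, as is the sample input: the first two rows are copied from the post, the remaining rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in the column layout shown in the post.
# Rows 1-2 are the SERVFAIL exchange quoted there; rows 3-5 are made up
# to show a normal answer and a query that never gets a response.
SAMPLE_LOG = '''"identity","view","mtype","timestmp","proto","orig","answ","status","flags","typ","rrtext"
"conr.intra.daemon.contact","telefon","CLIENT_QUERY","2025-11-13 13:23:48.936486+01","UDP","192.168.97.23","192.168.98.34",NULL,"rd","QUESTION","tel.t-online.de. IN NAPTR"
"conr.intra.daemon.contact","telefon","CLIENT_RESPONSE","2025-11-13 13:23:49.076161+01","UDP","192.168.97.23","192.168.98.34","SERVFAIL","qr rd ra","QUESTION","tel.t-online.de. IN NAPTR"
"conr.intra.daemon.contact","telefon","CLIENT_QUERY","2025-11-13 13:24:10.100000+01","UDP","192.168.97.23","192.168.98.34",NULL,"rd","QUESTION","example.net. IN A"
"conr.intra.daemon.contact","telefon","CLIENT_RESPONSE","2025-11-13 13:24:10.112000+01","UDP","192.168.97.23","192.168.98.34","NOERROR","qr rd ra","QUESTION","example.net. IN A"
"conr.intra.daemon.contact","telefon","CLIENT_QUERY","2025-11-13 13:25:00.000000+01","UDP","192.168.97.23","192.168.98.34",NULL,"rd","QUESTION","sip.example.net. IN SRV"
'''

# The log writes the UTC offset as bare hours ("+01"); fromisoformat only
# accepts that form on Python 3.11+, so normalise it to "+01:00" first.
_HH_ONLY_OFFSET = re.compile(r"([+-]\d{2})$")


def parse_ts(value):
    """Parse a timestamp like '2025-11-13 13:23:48.936486+01' into an aware datetime."""
    return datetime.fromisoformat(_HH_ONLY_OFFSET.sub(r"\1:00", value))


def pair_transactions(log_text):
    """Match each CLIENT_RESPONSE to the oldest pending CLIENT_QUERY with the
    same (identity, view, orig, answ, rrtext) key (assumed pairing key) and
    return one record per query with its status and latency in ms."""
    pending = defaultdict(deque)  # key -> queue of query timestamps
    results = []
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["identity"], row["view"], row["orig"], row["answ"], row["rrtext"])
        if row["mtype"] == "CLIENT_QUERY":
            pending[key].append(parse_ts(row["timestmp"]))
        elif row["mtype"] == "CLIENT_RESPONSE":
            if not pending[key]:
                # A response with no query in the window: report it, no latency.
                results.append({"view": row["view"], "client": row["orig"],
                                "question": row["rrtext"], "status": row["status"],
                                "latency_ms": None})
                continue
            sent = pending[key].popleft()
            latency = (parse_ts(row["timestmp"]) - sent).total_seconds() * 1000.0
            results.append({"view": row["view"], "client": row["orig"],
                            "question": row["rrtext"], "status": row["status"],
                            "latency_ms": round(latency, 3)})
    # Queries that never received a response (assumed status label).
    for key, stamps in pending.items():
        for _ in stamps:
            results.append({"view": key[1], "client": key[2], "question": key[4],
                            "status": "NO_RESPONSE", "latency_ms": None})
    return results


def servfails(log_text):
    """Only the transactions that ended in SERVFAIL."""
    return [r for r in pair_transactions(log_text) if r["status"] == "SERVFAIL"]


if __name__ == "__main__":
    for r in pair_transactions(SAMPLE_LOG):
        print(f"{r['client']:<15} {r['question']:<28} {r['status']:<12} {r['latency_ms']} ms")
```

Run on a real export, the SERVFAIL latencies tell you whether the failures come back quickly (the resolver gave up on its own, for instance by hitting a query limit) or only after seconds (upstream timeouts), which is the distinction that matters when judging a change to max-recursion-queries.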

