<div dir="ltr">The original zone has NS records in two domains:<div><a href="http://t-ipnet.de">t-ipnet.de</a>. 82632 IN NS <a href="http://dns20.dns.t-ipnet.de">dns20.dns.t-ipnet.de</a>.<br><a href="http://t-ipnet.de">t-ipnet.de</a>. 82632 IN NS <a href="http://dns02.dns.t-ipnet.de">dns02.dns.t-ipnet.de</a>.<br><a href="http://t-ipnet.de">t-ipnet.de</a>. 82632 IN NS <a href="http://dns00.dns.t-ipnet.de">dns00.dns.t-ipnet.de</a>.<br><a href="http://t-ipnet.de">t-ipnet.de</a>. 82632 IN NS <a href="http://pns.dtag.de">pns.dtag.de</a>.<br><a href="http://t-ipnet.de">t-ipnet.de</a>. 82632 IN NS <a href="http://dns50.dns.t-ipnet.de">dns50.dns.t-ipnet.de</a>.<br><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div><br></div><div>And <a href="http://dtag.de">dtag.de</a> has:</div><div><a href="http://dtag.de">dtag.de</a>. 61568 IN NS <a href="http://pns.dtag.de">pns.dtag.de</a>.<br><a href="http://dtag.de">dtag.de</a>. 61568 IN NS <a href="http://ns1.telekom.net">ns1.telekom.net</a>.<br><br></div><div>And <a href="http://telekom.net">telekom.net</a>. has:</div><div><a href="http://telekom.net">telekom.net</a>. 3600 IN NS <a href="http://dns2.telekom.de">dns2.telekom.de</a>.<br><a href="http://telekom.net">telekom.net</a>. 3600 IN NS <a href="http://pns.dtag.de">pns.dtag.de</a>.<br><a href="http://telekom.net">telekom.net</a>. 3600 IN NS <a href="http://dns1.telekom.de">dns1.telekom.de</a>.<br><a href="http://telekom.net">telekom.net</a>. 3600 IN NS <a href="http://ns1.telekom.net">ns1.telekom.net</a>.<br></div><div><br></div><div>And <a href="http://telekom.de">telekom.de</a>. has:</div><div><a href="http://telekom.de">telekom.de</a>. 3600 IN NS <a href="http://ns1.telekom.net">ns1.telekom.net</a>.<br><a href="http://telekom.de">telekom.de</a>. 3600 IN NS <a href="http://dns1.telekom.de">dns1.telekom.de</a>.<br><a href="http://telekom.de">telekom.de</a>. 3600 IN NS <a href="http://dns2.telekom.de">dns2.telekom.de</a>.<br><a href="http://telekom.de">telekom.de</a>. 3600 IN NS <a href="http://pns.dtag.de">pns.dtag.de</a>.<br></div><div><br></div><div>This is the type of NS record 'tree' that I also had, that caused me problems.</div><div><br></div><div>-- <br>Bob Harold</div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 6, 2024 at 3:27 PM Ondřej Surý <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="ltr">Ok, so according to zonemaster: <a href="https://zonemaster.net/en/result/7fc39ff8fc1766ac" target="_blank">https://zonemaster.net/en/result/7fc39ff8fc1766ac</a> all the nameservers are in the same zone. I am guessing that any intermittent failure can cause a lot of outgoing queries.</div><div dir="ltr"><br></div><div dir="ltr">Anyway - since you are hitting the 32 limit, perhaps bumping the limit to 100 (the value before) would help in your case? I am guessing the resolver is being used for a limited set of clients and the chance of this specific abuse is quite low.</div><div dir="ltr"><br></div><div dir="ltr"><a href="https://bind9.readthedocs.io/en/v9.18.29/notes.html#notes-for-bind-9-18-29" target="_blank">https://bind9.readthedocs.io/en/v9.18.29/notes.html#notes-for-bind-9-18-29</a></div><div dir="ltr"><br></div><div dir="ltr">Ondrej<br id="m_7039470198172060668lineBreakAtBeginningOfSignature"><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 6. 9. 2024, at 21:13, Ondřej Surý <<a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Now the question remains - why? I don’t really see a reason for this behavior from where I tested it, so what is the traffic between your recursor and the Internet during the time this happens?</span><br><span></span><br><span>Ondřej</span><br><span>--</span><br><span>Ondřej Surý — ISC (He/Him)</span><br><span></span><br><span>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</span><br><span></span><br><blockquote type="cite"><span>On 6. 9. 2024, at 20:54, Peter <<a href="mailto:pmc@citylink.dinoex.sub.org" target="_blank">pmc@citylink.dinoex.sub.org</a>> wrote:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Sep 6 20:31:59 <local1.debug> pole named[71152]: resolver: debug 3: exceeded max queries resolving '<a href="http://ns1.edns.t-ipnet.de/AAAA" target="_blank">ns1.edns.t-ipnet.de/AAAA</a>' (querycount=33, maxqueries=32)</span><br></blockquote><span></span><br><span>-- </span><br><span>Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank">https://www.isc.org/contact/</a> for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a></span><br><span><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br></div></blockquote></div></div>-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>