On Thu, Apr 09, 2015 at 12:31:14PM +0100, Phil Mayers wrote:
> On 08/04/15 22:00, Chuck Anderson wrote:
>
> > No, you are right. My filtered view of the packet capture was missing
> > the fact that another unrelated client did an 'ANY' query. I found it
> > in the query log. BIND 9.10 implements prefresh, but I'm on 9.8.2.
>
> Oops, just saw this, disregard my other email.
>
> > Thanks for your help! It looks like whenever an 'ANY' query comes
> > into BIND due to the load balancer misbehavior it causes 'NOANSWER' to
> > be cached for the MinTTL.
>
> Hmm.
>
> > I will now go back to the load balancer vendor and see if they can
> > make it answer 'ANY' queries correctly.
>
> Well... TBH ANY queries are a minefield. They're really for
> debugging only. They're not meant to be some "fetch all types" DNS
> query for production use, despite what qmail would have you believe.
>
> I would look to stop the client doing ANY queries. As Barry says, LB
> vendors take ages to get stuff like this right (why they can't just
> use an embedded copy of bind for their DNS crap I don't know; use
> DLZ if they absolutely must).
I can't stop clients from making certain kinds of queries (unless BIND has a
feature to refuse such queries or not recurse for them?). Whenever a client
makes the 'ANY' query, it effectively causes a DoS on that name. Luckily the
MinTTL is only 30 seconds, so the problem goes away after 30 seconds.

I did finally discover the magic incantation in the load balancer to get it to
answer 'ANY' queries, so I think I've solved the problem for now.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
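Added example, not from the thread or from BIND itself: a small script that pulls the recursive 'ANY' queries out of a BIND query log, shows which clients are sending them, and computes the window during which each name is expected to serve the cached 'NOANSWER'. It assumes the 30-second MinTTL mentioned above and a BIND 9.8-style query log line format; the log lines are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed BIND 9.8-style query log lines (sample data, not from the thread).
# The "+" flag means the client asked for recursion, which is what makes the
# resolver go and fetch the answer from the upstream server (the load balancer).
SAMPLE_LOG = """\
09-Apr-2015 12:30:01.101 client 192.0.2.10#54321: query: www.example.com IN A + (198.51.100.5)
09-Apr-2015 12:30:02.202 client 192.0.2.77#40001: query: www.example.com IN ANY + (198.51.100.5)
09-Apr-2015 12:30:03.303 client 192.0.2.11#50001: query: www.example.com IN AAAA + (198.51.100.5)
09-Apr-2015 12:30:04.404 client 192.0.2.77#40002: query: mail.example.com IN ANY + (198.51.100.5)
09-Apr-2015 12:30:05.505 client 192.0.2.12#50002: query: www.example.com IN ANY - (198.51.100.5)
"""

# Tolerates the optional "@0x..." handle and "(name)" that newer BIND versions add.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?:@\S+ )?(?P<ip>[^#\s]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)

def parse_query_log(text):
    """Yield one dict per parsable query-log line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
            rec["recursive"] = rec["flags"].startswith("+")
            yield rec

def find_any_queries(text):
    """Recursive ANY queries only: non-recursive ones never reach the upstream."""
    return [r for r in parse_query_log(text) if r["type"] == "ANY" and r["recursive"]]

def any_queries_by_client(text):
    """Count ANY queries per source address so the offending client can be found."""
    return Counter(r["ip"] for r in find_any_queries(text))

def outage_windows(text, min_ttl=30):
    """(name, start, end): the interval in which the name is expected to answer
    NOANSWER from cache, from the ANY query until the MinTTL (30 s here) expires."""
    return [(r["name"], r["ts"], r["ts"] + timedelta(seconds=min_ttl))
            for r in find_any_queries(text)]
```

Feeding the real query log into `outage_windows` and comparing the intervals against the times users reported failures is a quick way to confirm that the ANY queries line up with the 30-second outages.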