Quick poll: Cache poison vs site problems vs BIND bug vs Windows neg caching

Peter Dambier peter at peter-dambier.de
Fri May 8 18:43:28 UTC 2009


Hi Wiley,

I did have trouble with cached negatives. My ISP is breaking my ADSL
line at least once per day. When they had problems reconnecting I
lost connectivity for a day when BIND could not receive any answers
for about 10 minutes.

Reload with rndc did not help but restarting BIND did.

I experienced this long ago with BIND 8.

Kind regards
Peter


Wiley Sanders wrote:
> Howdy all, we're running 9.5.0-P2 (fairly recent) on two servers that
> are recursive DNS sources for a medium sized college. This week, we
> had more than a few users complaining about craigslist.org and
> www.chase.com not resolving, and sure enough when I checked with dig
> one of Craigslist's NS servers was not working right (sending SERVFAIL
> replies).
> 
> An "rndc flush" did not seem to get things working again immediately,
> so I stopped and restarted named. I don't know what was up with Chase,
> I didn't hear about that problem until after I fixed it.
> 
> I am tempted to chalk this up to negative caching, but the default is
> only a few hours and by the time I was notified, the users were
> complaining they had been having problems with Craigslist for 2 weeks.
> Just out of curiosity, I tuned max-ncache-ttl down to 10 min, but
> max-ncache-ttl only affects caching of NXDOMAIN replies as I
> understand it.
> 
> Is BIND negative caching on SERVFAIL responses as well as NXDOMAIN
> responses? (Unlikely.)
> 
> What's the behavior of a recursive lookup when one NS host is dead and
> the others are working? Does BIND try all of them or give up after the
> first?
> 
> Our setup is pretty generic, except that we allow the whole world
> access for authoritative responses but allow recursive access only to
> "inside" addresses with an "allow-recursion" statement. I suppose this
> allows the rest of the world to try their hand at messing up our
> cache.  Chase and Craigslist being high-profile targets ...
> 
> I searched around and Craigslist did have some DNS problems last
> month, but mostly it was just people whining about it being their
> carrier's fault somehow.
> 
> Well, I'll stop my rambling on about this and if anyone has any
> thoughts on the matter, thanks in advance,
> 
> -W Sanders
>  http://wsanders.net

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
ULA= fd80:4ce1:c66a::/48


