DNS-cache with custom gTLDs

Kevin Darcy kcd at chrysler.com
Fri Sep 23 14:46:18 UTC 2011


On 9/22/2011 8:49 PM, Drunkard Zhang wrote:
> 2011/9/23 Kevin Darcy<kcd at chrysler.com>:
>> On 9/21/2011 10:01 PM, Drunkard Zhang wrote:
>>>> Why are you going through all of these gyrations? The forwarding
>>>> algorithm in BIND has for a long time been based on RTT, so if one
>>>> forwarder, or a set of forwarders, stops working, the other(s) will be
>>>> used automatically. In other words, forwarder failover works without
>>>> any special configuration.
>>>>
>>>> I don't even understand your "forward first" solution. "Forward first"
>>>> says to use iterative (non-recursive) resolution if forwarding fails
>>>> (i.e. all the forwarders are non-responsive). How then can you use it to
>>>> fail over from one set of forwarders to another? I don't get it. If you
>>>> send a non-recursive query to a forwarder, you're at the mercy of whatever
>>>> happens to be in its cache at that particular time. You can't get reliable
>>>> resolution that way.
>>>>
>>> Oops, I misunderstood. But I want to resolve this problem: take
>>> news.qq.com for example, I DID see that it's unresolvable to one group
>>> (they returned NXDomain), while at the same time it's no problem for another
>>> group, and "dig news.qq.com +trace" returned the correct answer on both
>>> groups. It seems like it's just a temporary failure, but I want to
>>> correct it. Any other choices?
>> NXDOMAIN is a *permanent* response; at least it's "permanent" in the absence
>> of any change to the relevant DNS RRset or zone.
>>
>> You're almost certainly getting the NXDOMAIN because you're spoofing the
>> root servers, and your "fake" root servers don't have the same knowledge as
>> the real ones, so they'll return NXDOMAIN for some queries (whereas dig
>> +trace does not, because it follows the hierarchy down and asks different
>> nameservers). In other words, you're shooting yourself in the foot with your
>> hints-file trickery.
>>
> No, I've got 2 layers of DNS: recursive resolution DNS and dns-cache,
> which forwards all its queries to the recursive DNS. I want the spoofing
> of root servers to happen on the dns-cache (not yet done); I certainly
> won't spoof root-servers on the recursive DNS.
>
> The NXDOMAIN returned from one group of recursive DNS is a temporary
> failure, while it succeeds from another group of recursive DNS. But
> I want the dns-cache to return success all the time, so I hope the
> dns-cache can ignore NXDomain from one, and forward the same query to
> another recursive DNS again; guess this can't be done with bind :-(
>
No, NXDOMAIN is *not* a temporary failure, as per the DNS standards. 
It's considered "permanent" (again, subject to a change to the DNS 
database itself), and is cached according to the negative-caching TTL. 
See RFC 2308.

Are you forwarding to an ISP that does DNS hijacking (see Wikipedia), by 
any chance? That might explain why you're getting NXDOMAIN on one set of 
resolvers, but not another, for a given name.

But it's still not a "temporary" error condition, and should not be 
failed over. If your ISP is doing DNS hijacking, you should find a 
better ISP.

- Kevin
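As an added illustration of the RFC 2308 point made above (this is example code written for this page, not code from the thread or from BIND): a toy forwarding cache that treats SERVFAIL as the temporary failure worth retrying on another forwarder, but caches an NXDOMAIN for the negative TTL derived from the SOA in the authority section. The `Response` and `SOA` types and the sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# RCODE values from RFC 1035 section 4.1.1
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


@dataclass
class SOA:
    ttl: int      # TTL on the SOA record returned in the authority section
    minimum: int  # MINIMUM field of the SOA RDATA


@dataclass
class Response:
    rcode: int
    soa: Optional[SOA] = None  # SOA from the authority section, if present


def negative_ttl(soa: SOA) -> int:
    """RFC 2308 section 5: a negative answer is cached for the lesser of
    the SOA MINIMUM field and the TTL of the SOA record itself."""
    return min(soa.minimum, soa.ttl)


def _key(name: str) -> str:
    # NXDOMAIN is cached per owner name (RFC 2308 section 5), not per type.
    return name.lower().rstrip(".") + "."


@dataclass
class NegativeCache:
    entries: dict = field(default_factory=dict)  # canonical name -> expiry

    def lookup(self, name: str, now: int) -> Optional[int]:
        """Return NXDOMAIN while a live negative entry exists, else None."""
        key = _key(name)
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return NXDOMAIN
        self.entries.pop(key, None)  # absent or expired
        return None

    def handle(self, name: str, resp: Response, now: int) -> str:
        """Decide what the cache does with a reply from a forwarder."""
        if resp.rcode == SERVFAIL:
            return "retry"  # genuine temporary failure: try another forwarder
        if resp.rcode == NXDOMAIN:
            if resp.soa is None:
                return "nxdomain-uncached"  # no SOA: pass through, do not cache
            self.entries[_key(name)] = now + negative_ttl(resp.soa)
            return "nxdomain-cached"  # permanent until the zone changes
        return "answer"
```

Once the NXDOMAIN for the constructed `news.qq.com` sample is cached, the cache keeps answering it negatively until the SOA-derived TTL runs out, which is why re-asking a different forwarder is not something a standards-conforming cache does.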