forwarding & query-source (was Re: name caching and forwarding)

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Fri Mar 1 22:23:58 UTC 2013


This reminds me of a problem that I've been having, that came up again recently.

I thought I had read somewhere that the query-source default is to try making queries from all the IPs on my system. And my DNS servers have two IPs on them... using policy-based routing, the first IP routes out on my fast though less reliable internet connection and the second IP routes out on my slower but reliable (though the router is acting up on this link now) internet connection.

Currently all my caching DNS servers are set up this way, though things might change when I get reorg'd into new IP space (going from a.b.c.0/24 to x.y.z.0/25).

The problem I found was that when my fast internet connection goes down... queries stop working. I had to explicitly set query-source to use the second IP.

A while back, I discovered that my two DNS servers were both using the slower connection. But I've been testing a DNS server on my dev system. (The prod servers are Ubuntu 10.04 LTS... rndc status says 9.7.0-P1; the dev system is FreeBSD-9.1R, so its BIND is 9.8.3-P4.) I will start building new prod servers as FreeBSD-9.1R soon.

So, I thought I could trick my caching servers into handling the dual routing that I wanted by setting the two prod servers to 'forward first' to my dev server, which sends its queries out on the fast connection, and assumed that they would query out over the slow connection if the 'forward first' doesn't yield an answer.

But then the other day, my dev server went down hard and it took a long time to re-import all its zpools before booting all the way back up. (I was in the process of destroying a 1TB dataset on a 5TB raidz w/dedup.) There were some problems with Chrome lookups timing out on my laptop (since the dev server was first in the resolv.conf), but retrying the page would work, so I didn't think much further about it... and hoped things would be recovered in the morning. Well, it took a bit longer than that to recover.

And then I was surprised by a flood of email. My mailservers weren't able to resolve addresses because the forwarder wasn't responding... I suppose it's because it's UDP, so it isn't quick about deciding that there's no service to answer. Does this timeout problem also impact "forward only" and a list of forwarders? I have a set of servers with 10.x.x.x IPs with local caching DNS servers configured to forward only to a pair of caching DNS servers with public IPs.

So, how would I make forwarding not prevent resolution? Or can I get BIND to try both IPs when doing queries?

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
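As an added illustration (not from the post above or from BIND itself), a small Python probe that sends one recursive A query to each upstream resolver from each local source address with a short UDP timeout. It is the check that shows which (source IP, forwarder) paths actually answer before a link or forwarder outage turns into a resolution failure; the server and source addresses in the example are placeholders.

```python
"""Probe DNS upstreams from each local source IP with a UDP timeout (added example)."""
import random
import socket
import struct

def build_query(name, qid=None, qtype=1):
    """Build a minimal DNS query packet (A record by default) with the RD flag set."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Return (id, rcode, answer count) from a DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return qid, flags & 0x000F, an

def probe(server, source_ip, name="example.com", timeout=2.0):
    """Send one query to server, bound to source_ip; return (ok, detail)."""
    query = build_query(name)
    qid = struct.unpack("!H", query[:2])[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind((source_ip, 0))          # force the source address, like query-source
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return False, "timeout after %.1fs" % timeout   # the slow failure mode the post describes
    except OSError as e:
        return False, str(e)
    finally:
        sock.close()
    rid, rcode, ancount = parse_header(data)
    if rid != qid:
        return False, "id mismatch"
    return rcode == 0 and ancount > 0, "rcode=%d answers=%d" % (rcode, ancount)

def probe_matrix(servers, source_ips, **kw):
    """Try every (source, upstream) pair; a failing pair is a path a forwarder would hang on."""
    return {(src, srv): probe(srv, src, **kw) for src in source_ips for srv in servers}

if __name__ == "__main__":
    # Placeholder addresses (constructed); replace with your forwarders and local IPs.
    for path, (ok, detail) in probe_matrix(["192.0.2.53"], ["0.0.0.0"]).items():
        print(path, "OK" if ok else "FAIL", detail)
```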
