forward first and fallback not working
/dev/rob0
rob0 at gmx.co.uk
Wed Aug 24 16:19:22 UTC 2016
On Wed, Aug 24, 2016 at 05:28:55PM +0200, Marco Felettigh wrote:
> The DNS resolution with 8.8.8.8 works fine with "forward first" if
> 8.8.8.8 is working, but for testing I blocked the DNS requests to
> the forwarder with an intermediate firewall, and two things happened
> (the second one is bad).
>
> 1) If the firewall resets the connection to 8.8.8.8, BIND falls back
> on its root servers, and this is good.
>
> 2) If the firewall drops the connection to 8.8.8.8, BIND does NOT
> do this fallback on its root servers, and this is a bad thing because
> this is how I was testing a network outage for my forwarder.
>
> Below is my config
I am not sure this is a BIND issue. Try this with a longer timeout
set in your resolver ...
> Hi, I also attach the config
>
> /etc/resolv.conf
> search domain.dom
> nameserver 127.0.0.1
options timeout:20
Try similar settings on other clients.
My glibc (GNU/Linux) resolver says the default timeout is 5 seconds.
I'm not sure about named, but I think its timeout is greater than
that. So named is waiting for its own timeout before attempting
recursion. By the time recursion is complete, the client has long
since given up.
> named.conf
snip
If anything needs to change on the BIND side of this, perhaps it
would be the documentation of "forward first", to note that this
feature won't work with most standard resolver clients.
I would further suggest that this fallback isn't a very good idea
anyway; you'll probably be better off just doing the recursion
without forwarders in the picture.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
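
As an added example (not part of the original post, and not BIND or glibc code): a small Python check that reads a resolv.conf body using the `options timeout:n` and `attempts:n` forms documented in resolv.conf(5) (defaults 5 and 2, silently capped at 30 and 5) and reports roughly how long the stub resolver waits on one silent server. The function name `stub_budget`, the timeout × attempts model for a single nameserver, and the sample text are assumptions made for illustration.

```python
import re

# glibc defaults and silent caps as documented in resolv.conf(5)
DEFAULTS = {"timeout": 5, "attempts": 2}
CAPS = {"timeout": 30, "attempts": 5}


def stub_budget(resolv_conf_text):
    """Return (settings, warnings) for a resolv.conf body.

    settings holds the effective timeout, attempts, the nameserver list and
    the approximate seconds the stub waits on one unresponsive server.
    """
    eff = dict(DEFAULTS)
    servers, warnings = [], []
    for raw in resolv_conf_text.splitlines():
        # Drop comments (simplified: '#' or ';' anywhere on the line).
        fields = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                name, sep, value = opt.partition(":")
                if name in eff and sep and value.isdigit() and int(value) > 0:
                    eff[name] = min(int(value), CAPS[name])
                    if int(value) > CAPS[name]:
                        warnings.append(f"{opt}: capped to {CAPS[name]}")
                elif not sep and re.match(r"(timeout|attempts)\b", opt):
                    # e.g. "timeout=20": no "name:" prefix, so it is not applied
                    warnings.append(f"{opt}: not in name:n form, ignored")
    eff["nameservers"] = servers
    # Assumed model: a single nameserver, each attempt waits `timeout` seconds.
    eff["budget_seconds"] = eff["timeout"] * eff["attempts"]
    return eff, warnings


if __name__ == "__main__":
    # Constructed sample modelled on the resolv.conf quoted in the thread.
    sample = "search domain.dom\nnameserver 127.0.0.1\noptions timeout:20\n"
    settings, notes = stub_budget(sample)
    print(settings, notes)
```

If named takes longer than the reported budget to give up on a silently dropped forwarder and finish recursion, the client has already returned a failure, which is the behaviour described in the reply above.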