Dear list,
According to the RFC, the maximum payload size for the DNS protocol with UDP
transport is 512 bytes. If the response size is higher than that number, the
nameserver sends a message with the TRUNCATED flag. Most DNS clients, after
receiving such a packet, will retry the DNS query in tcp-mode. But it looks
like haproxy doesn't do it. From the documentation
https://docs.haproxy.org/2.8/configuration.html#5.3.2-nameserver it
looks like a nameserver can be defined only in one mode at a time.
The following chunk of configuration:

    resolvers mydns
        nameserver dns1 10.0.0.1:53
        nameserver dns2 tcp@10.0.0.1:53

supposedly should mimic this behavior. But as tested, haproxy uses
all nameservers at the same time, not in primary/backup mode but rather in a
"shotgun" mode.
For the configuration above, for each DNS resolution request haproxy will
send at least 1 UDP packet and create 1 TCP session to the nameserver, which
will then be closed after the DNS reply. We tested with haproxy 2.8.7.
With that given, I have two questions:
1) Is there a way to define in the haproxy configuration a failover to
tcp-mode when a TRUNCATED response comes from the nameserver?
2) Is there a way to render a configuration for haproxy where the second
nameserver is used only if there is a reply with a fail code like
SERVFAIL, NXDOMAIN, etc.?
Thanks!
--
Andrii Ustymenko
Platform Reliability Engineer
office +31 20 240 12 40
Adyen Headquarters
Simon Carmiggeltstraat 6-50, 5th floor
1011 DJ Amsterdam, The Netherlands
Adyen <https://www.adyen.com>
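The client-side behaviour the post describes (query over UDP, and if the reply carries the TC bit, repeat the same question over TCP), as an added example that is not part of the original message and is not haproxy code. The function names (resolve, needs_failover, fake_server and the transports) are this example's own, and fake_server is a constructed stand-in nameserver so the block runs offline; udp_transport/tcp_transport are real socket transports for use against an actual server.

```python
"""UDP DNS query with the TC-bit retry over TCP that the post describes.

Added example, not code from the original post or from haproxy. Names such as
resolve(), fake_server() and needs_failover() are this example's own.
"""
import socket
import struct

FLAG_QR = 0x8000     # response bit (RFC 1035 section 4.1.1)
FLAG_RD = 0x0100     # recursion desired
FLAG_TC = 0x0200     # truncated: the reply did not fit the UDP limit
RCODE_SERVFAIL, RCODE_NXDOMAIN = 2, 3
UDP_MAX = 512        # classic UDP message limit without EDNS0

def build_query(qname, qid=0x1234, qtype=1):
    """Encode a recursive query for qname (default type A, class IN)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return id, QR/TC bits, RCODE and answer count from the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}

def resolve(qname, send_udp, send_tcp, qid=0x1234):
    """Ask over UDP first; if the reply carries TC, repeat the query over TCP.

    send_udp/send_tcp take raw query bytes and return raw reply bytes (the TCP
    length prefix is the transport's job). Returns (reply, "udp" | "tcp").
    """
    query = build_query(qname, qid)
    reply = send_udp(query)
    hdr = parse_header(reply)
    if not hdr["qr"] or hdr["id"] != qid:
        raise ValueError("reply is not a response to our query")
    if not hdr["tc"]:
        return reply, "udp"
    reply = send_tcp(query)          # same question, no 512-byte cap on TCP
    if parse_header(reply)["tc"]:
        raise ValueError("server truncated even over TCP")
    return reply, "tcp"

def needs_failover(reply, failover_rcodes=frozenset({RCODE_SERVFAIL})):
    """Question 2 of the post: should this reply push us to the next nameserver?
    Defaults to SERVFAIL only; NXDOMAIN is an authoritative negative answer,
    so failing over on it is a policy choice, not a transport error."""
    return parse_header(reply)["rcode"] in failover_rcodes

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("nameserver closed connection mid-message")
        buf += chunk
    return buf

def udp_transport(server, timeout=2.0):
    """Real UDP transport (needs network; the offline demo does not use it)."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recv(UDP_MAX)
    return send

def tcp_transport(server, timeout=2.0):
    """Real TCP transport: RFC 1035 4.2.2 two-byte length prefix each way."""
    def send(query):
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    return send

def fake_server(udp_limit=UDP_MAX, answers=40):
    """Constructed nameserver for offline use: 40 A records (about 670 bytes),
    so over UDP it sends an empty reply with TC set, over TCP the full answer."""
    def reply(query, via_tcp):
        (qid,) = struct.unpack("!H", query[:2])
        question = query[12:]
        flags = FLAG_QR | FLAG_RD | 0x0080   # QR, RD, RA
        rrs = b"".join(struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 10, 0, 0, i)
                       for i in range(1, answers + 1))
        full = struct.pack("!HHHHHH", qid, flags, 1, answers, 0, 0) + question + rrs
        if via_tcp or len(full) <= udp_limit:
            return full
        return struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return (lambda q: reply(q, False)), (lambda q: reply(q, True))

if __name__ == "__main__":
    udp, tcp = fake_server()
    answer, via = resolve("example.com", udp, tcp)
    print(via, parse_header(answer))   # tcp, ancount 40, tc False
```

Against the constructed server the UDP reply is 29 bytes with TC set and no answers, and the retry over TCP returns all 40 records; a server whose answer fits in 512 bytes is answered on UDP alone and never opens a TCP session, which is the primary/fallback pattern the post contrasts with haproxy's "shotgun" behaviour.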