On 2022-12-02 at 08:04:40 UTC-0500 (Fri, 2 Dec 2022 08:04:40 -0500)
Alex <mysqlstud...@gmail.com>
is rumored to have said:

Hi,

Is anyone (everyone?) also experiencing DNS timeouts with barracuda?

Chronically, for years, until I gave up on them. Not worthy of production use.

02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53

But that is NOT a timeout. SERVFAIL is an explicit affirmative reply that the answering server cannot give any valid answer to the query.

I'm also seeing a few timeouts from mcafee:

24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729

I don't necessarily think there's something wrong with my nameservers - I'm more just surprised that such high-profile companies are having problems
and wanted to confirm.

Big companies have big problems. High-profile companies have high-profile problems.

Any bind experts know of a way to record which nameserver is timing out so I can perhaps exclude them? Any idea why it wouldn't just rotate to the
next one, or even how to confirm whether it's doing that?

The SERVFAIL errors are very likely immune to any workaround attempt.
The timeouts should already be handled as best they can be by BIND & the system resolver, given reasonable query timeout and retry values, such as OS defaults. Note that it may not make sense for a resolver to allow slow DNSBL lookups to block a message transaction from proceeding.

It is unlikely that you can tune BIND and/or your system resolver to reduce timeouts in any meaningful way. The exception to that would be if your system is generally overloaded and BIND is just not getting the resources (CPU and memory) it needs to operate fast. You would likely notice that sort of overload.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
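
An added example, not part of the original message and not BIND's own tooling: a small Python tally that separates the two failure kinds discussed above (client-side timeouts versus explicit SERVFAIL replies) per DNSBL zone, and records which upstream server sent each SERVFAIL. The function names are hypothetical, the regexes assume the log layout of the three lines quoted in the thread, and the sample input is those lines joined one entry per line.

```python
import re
from collections import Counter

# Constructed sample: the three log entries quoted in the thread, one per line.
SAMPLE_LOG = """\
02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53
24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729
"""

# query-errors: the client's query failed; the line names no upstream server.
QUERY_ERR = re.compile(
    r"query-errors: .*query failed \((?P<reason>[^)]+)\) for (?P<name>\S+)/IN/A")
# lame-servers: an upstream server sent an unexpected RCODE; its address is logged.
LAME = re.compile(
    r"lame-servers: (?P<rcode>\S+) unexpected RCODE resolving "
    r"'(?P<name>[^/']+)/[^']*': (?P<server>[0-9a-fA-F.:]+)#\d+")

def dnsbl_zone(qname):
    """Strip the four reversed IPv4 octets from a DNSBL query name."""
    labels = qname.rstrip(".").split(".")
    if len(labels) > 4 and all(label.isdigit() for label in labels[:4]):
        return ".".join(labels[4:])
    return qname

def classify(log_text):
    """Return (counts per (zone, outcome), counts per (zone, answering server))."""
    outcomes, servers = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_ERR.search(line)
        if m:
            outcomes[(dnsbl_zone(m["name"]), m["reason"])] += 1
            continue
        m = LAME.search(line)
        if m:
            zone = dnsbl_zone(m["name"])
            outcomes[(zone, m["rcode"])] += 1
            servers[(zone, m["server"])] += 1
    return outcomes, servers

if __name__ == "__main__":
    outcomes, servers = classify(SAMPLE_LOG)
    for (zone, what), n in sorted(outcomes.items()):
        print(f"{zone:28} {what:10} {n}")
    for (zone, srv), n in sorted(servers.items()):
        print(f"{zone:28} reply from {srv}: {n}")
```

Only the lame-servers entries carry an upstream address, so the per-server tally covers explicit error replies; the query-errors timeout lines identify the zone but not which nameserver went unanswered.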
