[FC3] Sites 'disappearing' from DNS
Nigel Wade
nmw at ion.le.ac.uk
Thu Apr 7 10:50:30 UTC 2005
Andy Green wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Nigel Wade wrote:
>
> | The root of this particular problem is that nscd caches this failed
> | lookup for you, DNS does not.
>
> I respectfully disagree. I do not experience these "fact of life"
> timeouts and fake NXDOMAIN results; I use my ISP DNS cached on a
> separate machine here.
>
> The DNS cache is behaving as designed, the problem seems to me to be the
> timeout is set too low for the behaviour of the original poster's
> upstream DNS, or put another way, the upstream DNS may be overloaded and
> not always responsive. I would do a
>
> tcpdump port 53
>
> (despite the name this gets UDP too) and look for SERVFAIL or slow
> response, and if seen, complain to whoever it is that I pay for the
> upstream DNS in the one case and in the other case add to /etc/resolv.conf
>
> options timeout:xx
>
> where xx is the timeout in seconds; my DNS cache machine has it set to
> 25. If you are hanging around for more than 25 seconds to get DNS that
> is not what I would call normal or a "fact of life".
>
You can complain all you like to your ISP, but that won't help one jot if
the authoritative server for the domain is down/overloaded etc. You will get
timeouts, and nscd will cache that. A repeat request will get a failure even
if the information is now available again, until the nscd
negative-time-to-live is reached.
Like I said, it's nscd that's the problem, not DNS. If you cache DNS using a
proper DNS server I expect you will be ok. If you rely on nscd then you will
see this problem.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw at ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
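
An added example, not part of the original message: a Python check that reads the `hosts` settings from nscd.conf and the `options timeout` value from resolv.conf, and reports how long nscd keeps answering a failed lookup from its negative cache. The sample file contents are constructed and the function names are hypothetical; the resolver defaults of 5 seconds and 2 attempts are glibc's.

```python
# Constructed sample files; on a real host read /etc/nscd.conf and /etc/resolv.conf.
SAMPLE_NSCD_CONF = """\
enable-cache            hosts   yes
positive-time-to-live   hosts   3600
negative-time-to-live   hosts   20
"""
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.53
options timeout:25
"""

def parse_nscd_hosts(text):
    """Return the nscd.conf options that apply to the 'hosts' service."""
    settings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Per-service lines have the form: <option> <service> <value>
        if len(fields) == 3 and fields[1] == "hosts":
            settings[fields[0]] = fields[2]
    return settings

def parse_resolver_options(text):
    """Return timeout/attempts from resolv.conf 'options' lines."""
    opts = {"timeout": 5, "attempts": 2}  # glibc defaults when unset
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "options":
            for item in fields[1:]:
                name, _, value = item.partition(":")
                if name in opts and value.isdigit():
                    opts[name] = int(value)
    return opts

def negative_cache_report(nscd_text, resolv_text):
    """Summarise how long a failed hosts lookup stays cached by nscd."""
    hosts = parse_nscd_hosts(nscd_text)
    opts = parse_resolver_options(resolv_text)
    caching = hosts.get("enable-cache") == "yes"
    neg_ttl = hosts.get("negative-time-to-live")
    if not caching:
        window = 0            # no hosts cache, so nothing stale is served
    elif neg_ttl is None:
        window = None         # not set in the file; nscd's built-in default applies
    else:
        window = int(neg_ttl)
    return {"hosts_cache_enabled": caching,
            "resolver_timeout_s": opts["timeout"],
            "stale_failure_window_s": window}

if __name__ == "__main__":
    print(negative_cache_report(SAMPLE_NSCD_CONF, SAMPLE_RESOLV_CONF))
```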