[DeleGate-En] Re: Delegate 7.8.1 on W2k occasional DNS problems
On Fri, 25 Jan 2002 22:36:33 +0900 (JST), Yutaka Sato wrote:
>Thank you for your so helpful information (from Hungary?)
>On 01/25/02(21:58) you "Ferenc Toth" <firstname.lastname@example.org> wrote
> |>>One more thing. I've noticed that the RecvFrom errors are logged right
> |>>after some busy time. So if delegate services multiple queries in a
> |>>very short time, a RecvFrom error will follow. Don't ask me why are
>I'm reminded that I did see the infinite loop was caused on such
>contiguous requests from specific clients. But I could not reproduce
>it because I could not find what was specific in those clients.
> |>>there multiple queries for the same domain name. (192.168.99.5 is an
> |>>internal linux machine running bind9.2 servicing internal DNS queries
> |>>and forwarding all other requests to delegate).
> |Looks like, I've got it. We had some misconfigured services asking
> |stupid invalid DNS queries from the ISP, also the user activity has
> |risen since we upgraded from 128kbit to 256kbit recently. I've fixed
> |the misconfigured services and added "DNSCONF=para:8" to the dns proxy.
> |Tested it with a few hundred almost simultaneous requests and so far it
> |looks to be ok! :)
>Could you tell me how the query was invalid?
>I'll try to modify DeleGate to be more robust on any invalid queries.
Valid according to the RFCs and invalid in the sense that no-one could
ever resolve them :). We've had two types of such queries:
- misconfigured exim. On Debian woody, exim is compiled with ipv6
support and therefore tries to do name lookups with AAAA records. I've
found the appropriate config option to disable this.
- W2k client machines without W2k domain (WinNT 4.0 domain controller)
sending all sorts of requests _ldap._tcp._blah-blah-blah and
_kerberos._tcp._blah-blah-blah. These will be resolved when we upgrade
our domain controller to W2k.
PS: I've found some interesting issue. Delegate error pages show a URL
of http://-.-/-/ which looks quite strange to me. I've checked the docs
and I've found that this URL should take me to the config panel of that
delegate instance. This works sometimes but sometimes the client simply
does a name lookup query for the -.- domain which will be forwarded to
our ISP nameserver that will in turn return that the name is not