[f-nsp] ServerIron dropping empty UDP DNS reply

David Hubbard dhubbard at dino.hostasaurus.com
Thu Jun 21 20:37:41 EDT 2012 

Hi all, we're using ServerIron's to load balance internal
DNS queries to a series of systems running a caching dns
server software called dnscache (part of djbdns).  The
way dnscache works is it sends an empty reply if it has no
answer to a given query.  Apparently the ServerIron's drop
these valid replies so the querying system has to wait for a
timeout to the failed lookup instead of knowing it failed
immediately.

This had not really been a problem in the past however RHEL 6
and most of its applications and daemons are now IPv6-aware
and will issue quad-A queries for a given name even if IPv6
is disabled on the host in question.  That's causing usability
issues at the application level because every DNS lookup
causes a five second pause while the app waits for the quad-A
answer that the ServerIron has discarded.

The correct reply looks something like this; just changed
the names and query, hex is original:

20:27:41.791038 IP HOST.60850 > CACHE.domain: 54370+ AAAA?
012345.012345678901.net. (41)
        0x0000:  4500 0045 90d7 4000 4011 9c57 d04d 3027
E..E.. at .@..W.M0'
        0x0010:  cc0a 40fa edb2 0035 0031 0dbc d462 0100
.. at ....5.1...b..
        0x0020:  0001 0000 0000 0000 0677 6562 3030 330c
.........012345.
        0x0030:  6d69 7661 6d65 7263 6861 6e74 036e 6574
012345678901.net
        0x0040:  0000 1c00 01                             .....
20:27:41.810226 IP CACHE.domain > HOST.60850: 54370 0/0/0 (41)
        0x0000:  4500 0045 0000 4000 3e11 2f2f cc0a 40fa
E..E.. at .>.//.. at .
        0x0010:  d04d 3027 0035 edb2 0031 bee4 d462 8180
.M0'.5...1...b..
        0x0020:  0001 0000 0000 0000 0677 6562 3030 330c
.........012345.
        0x0030:  6d69 7661 6d65 7263 6861 6e74 036e 6574
012345678901.net
        0x0040:  0000 1c00 01                             .....

The same request sent to the ServerIron makes it to one of the
servers behind the ServerIron, the same response is sent back
to the serverIron (using source-nat on the 'server real'
definitions), and then it disappears without going back to the
requesting host.

Any idea of parameters I can set to let those make it back through,
known bug, etc.?

Thanks,

David

More information about the foundry-nsp mailing list