trafficserver-users mailing list archives

From Mark Moseley <moseleym...@gmail.com>
Subject Negative DNS caching in hosts.db?
Date Thu, 26 Feb 2015 01:26:56 GMT
I'm doing a simple Lua-based remap to do a DNS lookup for the backend
server in a reverse proxy setup (Ubuntu Precise, 5.2.0), with nginx sitting
in front of ATS (for various reasons). The remap just prepends a string to
the hostname.

Everything's working great, but I did notice that while ATS is caching
successful DNS lookups, it doesn't cache unsuccessful lookups (at least not
out of the box, with the settings I could find).

In my setup, I'm running a local unbound instance and thus:

CONFIG proxy.config.dns.nameservers STRING 127.0.0.1

I'm testing where the underlying domain exists but the prepended version
obviously doesn't, though hopefully I'd be able to make this work for
outright non-existent domains too.

In my testing, ATS would do an A lookup for a bad hostname (think: DDoS or
misconfiguration, etc): origin.example.com

unbound immediately returns NXDOMAIN. Then ATS tries a AAAA lookup and that
immediately gets returned NXDOMAIN.

Then ATS closes the connection with no response. Though interestingly, it
seems to wait about a half second or so *after* the NXDOMAIN response to
start the close by sending a FIN.

If I repeat the test with a bad hostname, ATS will query DNS every request.
For a hostname that actually works, ATS is just using the cached DNS
lookup, so just the initial lookup hits DNS.

Is there any way to get ATS to cache the negative lookup, that I'm somehow
missing in the docs/google? I'm hoping I'm just missing a setting
somewhere. It would also be cool if there was an option so that one could
have ATS return an error, instead of just closing the connection.

My goal here is that if someone starts sending us DDoS-levels of garbage,
ATS will fail fast, instead of keeping connections open.
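One way to spot the symptom described above (the same client re-resolving the same non-existent name on every request) from the resolver side. This is an added example, not code from the thread or from Traffic Server; the log lines are constructed to resemble unbound's `log-replies` output, and the field layout (client, qname, qtype, qclass, rcode, elapsed, fromcache, size) is an assumption to check against your own unbound version.

```python
import re

# Constructed sample of unbound reply-log lines (log-replies: yes). The field
# order assumed here is: client qname qtype qclass rcode elapsed fromcache size.
# unbound itself negative-caches after the first NXDOMAIN (fromcache flips to 1),
# but the client keeps asking, which is exactly the behaviour to detect.
SAMPLE_LOG = """\
[1424913600] unbound[1234:0] info: 127.0.0.1 origin.example.com. A IN NXDOMAIN 0.000120 0 45
[1424913600] unbound[1234:0] info: 127.0.0.1 origin.example.com. AAAA IN NXDOMAIN 0.000110 0 45
[1424913601] unbound[1234:0] info: 127.0.0.1 origin.example.com. A IN NXDOMAIN 0.000000 1 45
[1424913601] unbound[1234:0] info: 127.0.0.1 origin.example.com. AAAA IN NXDOMAIN 0.000000 1 45
[1424913601] unbound[1234:0] info: 127.0.0.1 www.example.com. A IN NOERROR 0.012000 0 80
[1424913602] unbound[1234:0] info: 127.0.0.1 www.example.com. A IN NOERROR 0.000000 1 80
[1424913602] unbound[1234:0] info: 127.0.0.1 origin.example.com. A IN NXDOMAIN 0.000000 1 45
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[[^\]]+\] info: (?P<client>\S+) (?P<qname>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+) (?P<rcode>\S+) (?P<elapsed>\S+) "
    r"(?P<cached>[01]) (?P<size>\d+)$"
)

def parse_replies(text):
    """Yield one dict per well-formed reply line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            rec["cached"] = rec["cached"] == "1"
            yield rec

def repeated_nxdomain(text, window=60):
    """Per (client, qname): NXDOMAIN replies seen within `window` seconds of the
    first one. A client that is negative-caching should contribute at most the
    initial A + AAAA pair; anything beyond that is a re-resolve per request."""
    first_seen, counts = {}, {}
    for r in parse_replies(text):
        if r["rcode"] != "NXDOMAIN":
            continue
        key = (r["client"], r["qname"])
        start = first_seen.setdefault(key, r["ts"])
        if r["ts"] - start <= window:
            counts[key] = counts.get(key, 0) + 1
    return counts

def flag_clients(text, threshold=4, window=60):
    """(client, qname) pairs whose repeat count meets the threshold; these are the
    candidates for negative caching or fail-fast handling in front of the resolver."""
    return sorted(k for k, c in repeated_nxdomain(text, window).items() if c >= threshold)
```

Pipe a real reply log through `flag_clients` and compare the flagged names against what the proxy's remap produces; a flood of distinct garbage names from one client will show up as many one-off entries rather than one high count.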
