kaos.ocs Posted July 29, 2011 Share Posted July 29, 2011 Looking at a customer's DNS traffic (Ubuntu 10.04, bind9 1:9.7.0), I noticed repeated outgoing queries for some names under bl.spamcop.net. The names being queried are not listed in bl.spamcop.net so they get NXDOMAIN. The NXDOMAIN response is not cached, so each mail attempt from these IP addresses results in a new query being sent to spamcop. Bind9 follows RFC2308 and treats the minimum ttl in the SOA as the cache time for NXDOMAIN responses. The NXDOMAIN response is not cached because the SOA for bl.spamcop.net has a 0 value for minimum ttl. Is this field set to 0 on spamcop by design? It significantly increases the number of DNS requests to spamcop. Some DSNRBL sites have a non-zero value for minimum ttl on the order of 10-60 minutes, so they are not hit with repeated queries for the same name. Digging through the bind9 source code, there is an undocumented config option, min-ncache-ttl. I set this to 300 seconds and the query rate to spamcop dropped way off. However I don't like overriding values like this without knowing the reason for the original setting. Link to comment Share on other sites More sharing options...
This topic is now archived and is closed to further replies.