[sdnog] DNS servfail vs nxdomain

Samir S. Omer samir.saif at sudren.edu.sd
Thu Jan 12 10:37:14 SAST 2017


Hi Daniel 

If SERVFAIL is not cached because there is no reply, I assume this also means the caching server will wait until it times out, which might cause performance issues.
So how do I properly secure my server if I face a DDoS attack of this type?

Samir 
----- Original Message -----

> From: "Daniel Shaw" <danielshaw at protonmail.com>
> To: "Samir S. Omer" <samir.saif at sudren.edu.sd>
> Cc: "Sudan NOG" <sdnog at sdnog.sd>
> Sent: Thursday, January 12, 2017 11:53:20 AM
> Subject: Re: [sdnog] DNS servfail vs nxdomain

> Hi Samir,

> Certainly. And it's quite an important difference.

> In both cases you don't get any result. Of course.

> But remember that usually, you ask a caching resolver server (your ISP's or
> your organisation's or a public one like 8.8.8.8).

> The resolver asks the authoritative name server for the given domain on your
> behalf.

> In the case of SERVFAIL - It means either the authoritative server could not
> be reached, or didn't answer DNS queries on port 53.
> That is, the resolver couldn't get any reply and thus any information
> positive or negative about the name you are trying to resolve.
> And most important, as there is no actual data, nothing is cached either. And
> also, the resolver may then try other alternate nameservers for the domain.

> In the case of NXDOMAIN, the authoritative server actually replies, but the
> reply is "this domain or record does not exist".
> That is, the published source of information about the domain *is* answering
> and informing you the data you want doesn't exist.
> So what is important here is that first the resolver won't try any further.
> This is an authoritative and definitive answer to its query. And second, in
> the case of NXDOMAIN for a specific record, it'll also cache the answer for
> the TTL of the parent zone. And then for that time period the resolver will
> continue to reply NXDOMAIN from its cache, even if the domain or record is
> subsequently added at the master.

> Hope that helps,
> Daniel

> > -------- Original Message --------
> > Subject: [sdnog] DNS servfail vs nxdomain
> > Local Time: January 12, 2017 11:38 AM
> > UTC Time: January 12, 2017 7:38 AM
> > From: samir.saif at sudren.edu.sd
> > To: Sudan NOG <sdnog at sdnog.sd>
> >
> > Hi
> >
> > good day
> >
> > Can someone explain to me what the difference is between SERVFAIL and
> > NXDOMAIN, and in which cases I might encounter each of them?
> >
> > Samir
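An added example, not code from this thread or from any resolver, showing the distinction above on the wire as the client sees it: a small Python parser that reads the RCODE of a DNS response and works out what a caching resolver may do with it. Two facts from RFC 2308 are built in: a negative answer (NXDOMAIN, or NOERROR with an empty answer section, i.e. NODATA) is cached for the smaller of the SOA record's own TTL and its MINIMUM field, taken from the SOA the responding zone places in the authority section; and a SERVFAIL carries no data at all, so a resolver may at most remember the failure for five minutes before asking again. All packets, names and TTLs are constructed inline for the example; nothing is sent on the network.

```python
"""Classify DNS responses (SERVFAIL vs NXDOMAIN vs NODATA) and derive how long
a caching resolver may hold them, following RFC 2308.

Added example for the sdnog thread, not code from the thread itself. Packets
below are constructed in-process; the names, serials and TTLs are made up."""
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_SOA = 1, 6
SERVFAIL_MAX_CACHE = 300  # RFC 2308 s7.1: a failure MAY be cached, never longer than 5 min


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer, RFC 1035 s4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return rcode, AA flag and each section's records as
    (name, type, ttl, rdata_offset, rdlength) tuples."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((name, rtype, ttl, off, rdlen))
            off += rdlen
        sections[key] = recs
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), **sections}


def negative_ttl(msg, authority):
    """RFC 2308 s5: a negative answer is cached for min(SOA TTL, SOA MINIMUM) of the
    SOA in the authority section. No SOA there means there is nothing to cache."""
    for _, rtype, ttl, off, _ in authority:
        if rtype == TYPE_SOA:
            _, off = decode_name(msg, off)         # MNAME
            _, off = decode_name(msg, off)         # RNAME
            minimum = struct.unpack("!I", msg[off + 16:off + 20])[0]  # 5th uint32 field
            return min(ttl, minimum)
    return 0


def classify(msg):
    """Map a response to what a caching resolver does with it."""
    r = parse_response(msg)
    rcode = r["rcode"]
    if rcode == SERVFAIL:
        # No data, positive or negative, so nothing definitive about the name:
        # the resolver keeps trying other servers and may only remember the
        # failure briefly so it does not hammer a dead server.
        return {"rcode": "SERVFAIL", "definitive": False,
                "cache_ttl": SERVFAIL_MAX_CACHE, "try_other_servers": True}
    if rcode == NXDOMAIN or (rcode == NOERROR and not r["answer"]):
        name = "NXDOMAIN" if rcode == NXDOMAIN else "NODATA"
        return {"rcode": name, "definitive": True,
                "cache_ttl": negative_ttl(msg, r["authority"]), "try_other_servers": False}
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "definitive": True,
            "cache_ttl": min((ttl for _, _, ttl, _, _ in r["answer"]), default=0),
            "try_other_servers": False}


def build_response(qname, rcode, aa=True, answer=(), authority=()):
    """Constructed response: one A/IN question plus the given records."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode  # QR, RD, RA (+AA) and the rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, ttl, rdata in list(answer) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)


# Constructed samples (not captured traffic): the zone's SOA has TTL 3600 but MINIMUM 900.
SOA = ("example.com.", TYPE_SOA, 3600,
       soa_rdata("ns1.example.com.", "hostmaster.example.com.", 2017011201, 7200, 900, 1209600, 900))
NXDOMAIN_MSG = build_response("nosuchhost.example.com.", NXDOMAIN, authority=[SOA])
SERVFAIL_MSG = build_response("www.example.com.", SERVFAIL, aa=False)
NODATA_MSG = build_response("www.example.com.", NOERROR, authority=[SOA])

if __name__ == "__main__":
    for label, pkt in (("NXDOMAIN", NXDOMAIN_MSG), ("SERVFAIL", SERVFAIL_MSG), ("NODATA", NODATA_MSG)):
        print(label, classify(pkt))
```

Run it and the NXDOMAIN sample comes back definitive with a 900 s negative-cache TTL (the SOA MINIMUM wins over the SOA's own 3600 s TTL), while the SERVFAIL sample is marked non-definitive with at most 300 s of caching and the resolver free to try the next nameserver. Operationally that is the difference Samir is asking about: an authoritative server that answers NXDOMAIN with an SOA in the authority section lets resolvers stop asking for the negative TTL, whereas a server that cannot be reached leaves every resolver retrying and timing out.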

