ISC Open Source Projects / BIND / Issues / #3598

Issue created Oct 11, 2022 by Petr Špaček (@pspacek, Owner)

ADB quota might not be decremented

Affected version: v9_18_4, v9_18_7

Reproducer: unknown at the moment, but happens in production regularly. Special circumstances: Forwarding to OpenDNS which currently blocks HTTPS queries - supplies fake answers for HTTPS queries.

Based on a coredump provided by a user, I think there is a corner case when ADB quota for forwarders is not decremented.

Affected config has 4 forwarders (2x IPv4 + 2x IPv6) together with forward only and fetch quotas:

         forward only;
         forwarders { 208.67.222.222; 2620:119:35::35; 208.67.220.220; 2620:119:53::53; };

         fetches-per-server 200;
         fetch-quota-params 100 0.1 0.3 0.7;
         fetches-per-zone 200;

All four entries in ADB have quota == active == 200. All queries going outside SERVFAIL immediately.

Log at debug level 99 shows only this:

         client @0x7fb13e18b568 10.1.23.4#23785: UDP request
         client @0x7fb13e18b568 10.1.23.4#23785: view external: using view 'external'
         client @0x7fb13e18b568 10.1.23.4#23785 (example.com): view external: rrl=(nil), HAVECOOKIE=0, result=DNS_R_DELEGATION, fname=0x7fb13e34e000(1), is_zone=0, RECURSIONOK=1, query.rpz_st=0x7fb13e1dd000(0), RRL_CHECKED=0

         fetch: example.com/A
         log_ns_ttl: fctx 0x7fb11f09c800: fctx_create: example.com (in '.'?): 1 498995
         QNAME minimization -  minimized, qmintype 1 qminname _.com
         findaddrinfo: found entry 0x7fb13dc49000
         findaddrinfo: found entry 0x7fb13dc49140
         findaddrinfo: found entry 0x7fb13dc49280
         findaddrinfo: found entry 0x7fb13dc493c0
         client @0x7fb13e18b568 10.1.23.4#23785 (example.com): view external: rrl=(nil), HAVECOOKIE=0, result=DNS_R_SERVFAIL, fname=0x7fb13e34e000(0), is_zone=0, RECURSIONOK=1, query.rpz_st=0x7fb13e1dd000(0), RRL_CHECKED=0

         client @0x7fb13e18b568 10.1.23.4#23785 (example.com): view external: rpz QNAME rewrite example.com stop on unrecognized qresult in rpz_rewrite() failed: SERVFAIL
         client @0x7fb13e18b568 10.1.23.4#23785 (example.com): view external: query failed (SERVFAIL) for example.com/IN/A at query.c:7722
         fetch completed at resolver.c:4139 for example.com/A in 0.000000: SERVFAIL/success [domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
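
An added example (not part of the original report, and not ISC code): a small log filter that flags resolver fetches which ended in SERVFAIL without a single query being sent (`qrysent:0`), the pattern in the last log line above. The regular expression is derived from that one line, and the second sample line is constructed for contrast.

```python
import re

# Shape of the resolver's "fetch completed" debug line, taken from the log above.
FETCH_RE = re.compile(
    r"fetch completed at (?P<where>\S+) for (?P<name>\S+)/(?P<qtype>\S+) "
    r"in (?P<secs>\d+\.\d+): (?P<result>[^/\s]+)/(?P<vresult>\S+) "
    r"\[(?P<counters>[^\]]*)\]"
)

def parse_fetch(line):
    """Return a dict for a 'fetch completed' line, or None for any other line."""
    m = FETCH_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    counters = {}
    for item in rec["counters"].split(","):
        key, _, value = item.partition(":")
        # Most counters are integers; "domain" is a name such as ".".
        counters[key.strip()] = int(value) if value.isdigit() else value
    rec["counters"] = counters
    return rec

def unsent_servfails(lines):
    """Fetches that ended in SERVFAIL although no query was sent upstream."""
    hits = []
    for line in lines:
        rec = parse_fetch(line)
        if rec and rec["result"] == "SERVFAIL" and rec["counters"].get("qrysent") == 0:
            hits.append(rec)
    return hits

SAMPLE = [
    # From the report above.
    "fetch completed at resolver.c:4139 for example.com/A in 0.000000: SERVFAIL/success "
    "[domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,"
    "badresp:0,adberr:0,findfail:0,valfail:0]",
    # Constructed for contrast: a fetch that did send a query (values are made up).
    "fetch completed at resolver.c:NNNN for example.net/A in 0.021345: success/success "
    "[domain:.,referral:0,restart:1,qrysent:1,timeout:0,lame:0,quota:0,neterr:0,"
    "badresp:0,adberr:0,findfail:0,valfail:0]",
    "findaddrinfo: found entry 0x7fb13dc49000",
]

if __name__ == "__main__":
    for rec in unsent_servfails(SAMPLE):
        print(f'{rec["name"]}/{rec["qtype"]}: SERVFAIL after {rec["secs"]:.6f}s, '
              f'qrysent={rec["counters"]["qrysent"]}, quota={rec["counters"]["quota"]}')
```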