BIND 9.14 vs. sophosxl.net
Summary
Since upgrading our internal recursive servers from 9.12.4 to 9.14.* we've seen a huge increase in backend queries to fill queries in the sophosxl.net domain. Sophos-related sophosxl.net queries only account for about 5% of queries sent to our internal servers, but backend timeouts cause the servers to get behind and many queries are dropped, causing client problems.
BIND version used
BIND 9.14.5 (Stable Release) id:c2c2b6d
Build options: bind-V.txt
Steps to reproduce
dig egp.onyfnzvd.pbz.w.03.s.sophosxl.net. txt
What is the current bug behavior?
With 9.14.5 it takes about 13 seconds to get a SERVFAIL.
What is the expected correct behavior?
With 9.12 the answer returned is:
;; ANSWER SECTION:
egp.onyfnzvd.pbz.w.03.s.sophosxl.net. 9 IN TXT "w l h 08 878425351"
Relevant configuration files
The output of named-checkconf -px is long so I've attached it as named-checkconf-px.txt
Relevant logs and/or screenshots
I've attached a pcap from 9.12.4 showing a successful lookup: domain-9.12.4.pcap and a pcap from 9.14.5 showing the failure: domain-9.14.5.pcap.
One obvious difference in the traces is that 9.14 does lookups for "_.<...>" names including:
A? _.net.
A? _.sophosxl.net
A? _.s.sophosxl.net.
A? _.03.s.sophosxl.net.
A? _.w.03.s.sophosxl.net.
A? _.pbz.w.03.s.sophosxl.net.
And part of our problem is that ns.sxl31.sophosxl.net (which currently has A records for 52.9.135.137 and 52.9.21.35) does not respond to the query for _.pbz.w.03.s.sophosxl.net. Since 9.12 does not make this query, it is able to finish the recursion normally.
Looking around we're unable to find any info about why the "_.<...>" queries occur.
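One way to confirm from a capture which upstream queries never get a reply, as an added example that is not part of the original report: it pairs each query with its reply by address, port and query ID and reports what is left over. The sample lines are constructed in the style of `tcpdump -n port 53` text output (the client address, ports, query IDs and the 198.51.100.53 server are made up), and the function names are hypothetical.

```python
import re

# Constructed sample in the style of `tcpdump -n port 53` text output.
# Client address, ports, IDs and 198.51.100.53 are made up for illustration.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.40001 > 198.51.100.53.53: 1111 [1au] A? _.w.03.s.sophosxl.net. (50)
10:00:00.020001 IP 198.51.100.53.53 > 192.0.2.10.40001: 1111*- 0/1/1 (110)
10:00:00.030001 IP 192.0.2.10.40002 > 52.9.135.137.53: 2222 [1au] A? _.pbz.w.03.s.sophosxl.net. (54)
10:00:00.830001 IP 192.0.2.10.40003 > 52.9.21.35.53: 3333 [1au] A? _.pbz.w.03.s.sophosxl.net. (54)
10:00:01.630001 IP 192.0.2.10.40004 > 52.9.135.137.53: 4444 [1au] A? _.pbz.w.03.s.sophosxl.net. (54)
"""

LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\d+)(.*)")
QUESTION = re.compile(r"\b([A-Z0-9]+)\? (\S+)")  # e.g. "A? name." in a query line

def unanswered(text):
    """Return {(server_ip, qtype, qname): attempts} for queries with no reply."""
    pending = {}  # (client_ip, client_port, server_ip, query_id) -> (qtype, qname)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, qid, rest = m.groups()
        q = QUESTION.search(rest)
        if dport == "53" and q:      # outgoing query: remember it
            pending[(src, sport, dst, qid)] = q.groups()
        elif sport == "53":          # reply: clear the query it answers
            pending.pop((dst, dport, src, qid), None)
    counts = {}
    for (_, _, server, _), (qtype, qname) in pending.items():
        key = (server, qtype, qname)
        counts[key] = counts.get(key, 0) + 1
    return counts

def underscore_probes(counts):
    """Subset of unanswered queries whose leftmost label is "_"."""
    return {k: v for k, v in counts.items() if k[2].startswith("_.")}

if __name__ == "__main__":
    for (server, qtype, qname), n in unanswered(SAMPLE).items():
        print(f"{server} never answered {qtype}? {qname} ({n} attempt(s))")
```

Run against text exports of both captures, the difference between the two result sets shows which names only the newer version asks for and which servers stay silent on them.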