thousands of RFails bring nameserver down
Ladislav Vobr
lvobr at ies.etisalat.ae
Tue Jul 29 03:19:46 UTC 2003
wolf,
if you look back in the bind-ml archive you will find some posts
from me with a similar problem. It's a general problem of recursive
nameservers: they might be over-utilized by retrying to bring an answer
for recursive requests. You have to live with it, you can blackhole
the client, or you can set up a master zone for that queried domain with
a very high TTL (not years :-) ) and answer the request, which should be
cached in the originating nameserver. I am not sure if this is completely
legal but it saved my "life" :-) several times. You can as well mark it
bogus and avoid the queries to the remote nameserver being retried. In
my case I am trying to separate the recursive and nonrecursive dns
services so not everything is impacted when the recursive servers have to
do a lot of work. You can as well use some load balancers or l4-7
switches; some of them can filter the traffic on dns level and prevent
such traffic from reaching your dns even if it is distributed. You can as
well use some tools to monitor dns traffic and script some tools to do
the blocking/blackholing automatically.
Hope you will still read this since I have missed 2-3 months in the
mailing list and have to catch up now:-)
Ladislav
wolf_qwert wrote:
>Hi,
>
>I am running a bind8 nameserver and have a problem with thousands of
>queries to my nameserver for a nameserver that currently seems to be
>down. During the last hour the RFail count went up 698202! My
>nameserver gets the queries from one client (and my problem is, that I
>don't have access to this client) and starts to send every query out -
>waits for the timeout and tries again. In the end the server sends the
>query back unanswered to the client as it should. The result is that
>the CPU is at 100% and no normal query gets answered in an acceptable
>time. Now I have 3 questions:
>1. Is there no way to tell the named to cache the information that the
>nameserver is currently not answering?
>2. Should not the client store the information that the server is not
>available?
>3. Is there a client that is known for sending thousands of queries if
>it gets no correct answer?
>Any hints are welcome!
>
>
>
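The last suggestion in the reply above (monitor DNS traffic and script the blackholing), as an added example that is not part of the original post: it counts queries per client and zone in a slice of query log and emits a `blackhole` clause for the `options` block of named.conf. The log line shape (modelled on BIND 9 query logging), the function names, the threshold and the sample addresses are assumptions; adjust the regex to your own logs.

```python
import re
from collections import Counter

# Assumed log line shape, modelled on BIND 9 query logging (not taken from the post).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def zone_of(qname, labels=2):
    """Reduce a query name to its last `labels` labels so host1.x.tld and host2.x.tld group together."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def find_offenders(lines, threshold):
    """Return {client_ip: (zone, count)} for clients with >= threshold queries for one zone."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:  # lines that are not query records are ignored
            counts[(m["ip"], zone_of(m["qname"]))] += 1
    offenders = {}
    for (ip, zone), n in counts.items():
        if n >= threshold and n > offenders.get(ip, ("", 0))[1]:
            offenders[ip] = (zone, n)  # keep the busiest zone per client
    return offenders

def blackhole_clause(offenders, never_block=()):
    """Render a named.conf `blackhole` clause, skipping addresses that must never be blocked."""
    ips = sorted(ip for ip in offenders if ip not in never_block)
    if not ips:
        return ""
    return "blackhole { " + " ".join(ip + ";" for ip in ips) + " };"

# Constructed sample: one client hammering a dead zone, one normal client.
SAMPLE = [
    f"29-Jul-2003 03:00:{i % 60:02d}.000 client 192.0.2.10#1034: "
    f"query: host{i}.dead.example IN A +"
    for i in range(500)
] + [
    "29-Jul-2003 03:00:05.000 client 198.51.100.7#4021: query: www.example.org IN A +",
    "29-Jul-2003 03:00:06.000 named: some unrelated log message",
]

if __name__ == "__main__":
    found = find_offenders(SAMPLE, threshold=100)
    print(found)
    print(blackhole_clause(found, never_block={"127.0.0.1"}))
```

Feed it one time window of log at a time (for example the last five minutes) so the threshold acts as a rate, and keep your own resolvers and monitoring hosts in `never_block`.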