High recursive client counts
Mark Elkins
mje at posix.co.za
Tue Mar 25 18:31:33 UTC 2014
This might be a dumb answer, but as the machine is part of a virtual
server, perhaps you have simply run out of entropy? I know it's a
Resolver... but isn't perhaps BIND using Entropy to randomly talk on
different ports to get answers?
What about installing the 'haveged' package,
www.irisa.fr/caps/projects/hipsor
I don't see this doing any harm.
I've personally found that not doing this on Virtual machines just makes
them 'choke up'.
On Tue, 2014-03-25 at 13:20 -0500, Jason Brandt wrote:
> Cathy,
> Thank you for your comments. I will continue to investigate; it
> helps to have avenues to look down though.
>
> As far as build version, we are aware that we aren't at current stable
> release. However we've tried to stick to the distro release as much
> as possible, to help streamline patching. But if this continues to be
> an issue, it's something we will definitely consider.
>
> The thing that's strange to me is that we can mostly alleviate the
> symptoms by using a forwarder. Currently I'm using an internal
> Windows 2003 server in the same subnet, on the same switch, to forward
> through; however I was previously using 8.8.8.8, and it was behaving
> well too. It seems to happen worst when simply using the root hints.
>
> Rndc recursing doesn't seem to be much help. The queries are all
> over, including google, adobe, amazon, microsoft, etc, as a
> combination of A/AAAA/PTR/TXT records, from a variety of different
> clients on different subnets and in different firewall zones. At a
> glance, I don't see any correlation.
>
> Again, I'll keep investigating, and appreciate all the input!
>
> Jason
>
> On Tue, Mar 25, 2014 at 12:34 PM, Cathy Almond <cathya at isc.org> wrote:
> Packet tracing and/or looking at rndc recursing is good - then you'll
> see which client queries are waiting for answers from authoritative servers.
>
> Depending on what you've upgraded from, this might be a problem with
> whether or not your infrastructure can handle EDNS0 and large packet
> sizes. Newer versions of BIND set the DO bit by default on the iterative
> queries, so perhaps some servers are sending back larger responses than
> you were receiving before. It's worth checking that your network
> infrastructure can handle both EDNS0 and large UDP packet sizes (and DNS
> queries via TCP of course too). See
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> I should also comment that the distro BIND 9.8 that you're using isn't
> the current ISC version, so you're missing out on recent fixes - you
> might be better off with a self-build of 9.8.7-W1 or 9.8.5-W1:
> http://www.isc.org/downloads/
>
> These also might be helpful:
> https://kb.isc.org/article/AA-00771/46/Which-version-of-BIND-do-I-want-to-download-and-install.html
> https://kb.isc.org/article/AA-00768/46/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html
>
> HTH
>
> Cathy
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users
> to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Jason K. Brandt
> Systems Administrator
>
--
Posix Systems - (South) Africa
mje at posix.co.za - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
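The two checks the thread suggests, the kernel entropy estimate on a VM and how close named is to its recursive-clients quota (which is what `rndc status` reports next to the `rndc recursing` dump Cathy mentions), can be scripted so they are repeatable during triage. The following is an added example written for this page, not code from the thread, from ISC, or from the haveged project. It assumes a warning threshold of 1000 for `/proc/sys/kernel/random/entropy_avail` (an arbitrary choice, not a kernel or BIND default), the `recursive clients: CUR/SOFT/HARD` line of `rndc status` output, and the DNS-OARC reply-size tester being queried as `dig +short rs.dns-oarc.net txt`; the `rndc status` text embedded in the script is a constructed sample, not real server output.

```shell
#!/bin/sh
# Added triage helpers (not code from the thread or from ISC) for a recursive
# BIND resolver in a VM: entropy estimate and recursive-clients quota usage.
# ENTROPY_MIN and SAMPLE_STATUS are assumptions / constructed data.

ENTROPY_MIN=1000   # assumed warning threshold, not a kernel or BIND default

# entropy_ok [value]: succeed when the entropy estimate is at or above
# ENTROPY_MIN. Without an argument the live kernel value is read.
entropy_ok() {
    avail="${1:-$(cat /proc/sys/kernel/random/entropy_avail)}"
    [ "$avail" -ge "$ENTROPY_MIN" ]
}

# recursive_clients_usage "<rndc status output>": print "current soft hard pct"
# taken from the "recursive clients: CUR/SOFT/HARD" line, where pct is the
# current count as a percentage of the hard limit. Fails if the line is absent.
recursive_clients_usage() {
    line=$(printf '%s\n' "$1" | sed -n 's/^recursive clients:[[:space:]]*//p')
    [ -n "$line" ] || return 1
    cur=${line%%/*}
    rest=${line#*/}
    soft=${rest%%/*}
    hard=${rest#*/}
    printf '%s %s %s %s\n' "$cur" "$soft" "$hard" "$(( $cur * 100 / $hard ))"
}

# recursive_clients_over_soft "<rndc status output>": succeed when the current
# count has reached the soft quota, the point at which named begins shedding
# the oldest outstanding recursions to make room for new ones.
recursive_clients_over_soft() {
    usage=$(recursive_clients_usage "$1") || return 2
    set -- $usage
    [ "$1" -ge "$2" ]
}

# reply_size_check: the DNS-OARC reply-size tester linked in the thread
# (assumed invocation). Needs network access, so it only runs with "live".
reply_size_check() {
    dig +short rs.dns-oarc.net txt
}

# Constructed sample of rndc status output (field names follow the real
# format; the values are made up to show a server at 95% of its hard limit).
SAMPLE_STATUS='version: 9.8.x (constructed sample, not real rndc output)
CPUs found: 2
worker threads: 2
number of zones: 20
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 950/900/1000
tcp clients: 3/100
server is up and running'

if [ "${1:-}" = "live" ]; then
    # Run against the real host: requires named, rndc access and network.
    if entropy_ok; then echo "entropy: ok"; else echo "entropy: LOW"; fi
    recursive_clients_usage "$(rndc status)"
    reply_size_check
else
    # Offline demonstration on the constructed sample: prints "950 900 1000 95".
    recursive_clients_usage "$SAMPLE_STATUS"
fi
```

Run with `sh triage.sh live` on the resolver itself; without an argument it only parses the embedded sample. A current count sitting at or above the soft value is the condition to correlate with the `rndc recursing` dump, since that is when named starts discarding the oldest waiting queries rather than answering them.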