Re: Too many connections on the same IP

Stefan.Lasche at t-systems.com Stefan.Lasche at t-systems.com
Wed Mar 4 08:47:59 UTC 2015


Are you using an iptables firewall?
Does the problem only occur on UDP connections to the problematic IP? Or also on TCP connections to the same IP?

I had similar problems (not with bind) when the connection table of the iptables "state" module was too small.
Iptables started dropping packets, because it couldn't keep track of new connections.
Since UDP is by definition stateless, the "state" module tries to invent some sort of connection status, based on source and destination ports.
This sometimes makes trouble, especially when there are lots of concurrent connections and the same UDP ports show up over and over again (e.g. when DNS clients do not use Source Port Randomization).
You could try to remove the state module (-m state --state NEW) from your UDP firewall rule for BIND and see if that helps.

I believe there are separate state tables for each network interface. This could explain why your second IP is still responding.

Regards,
Stefan
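
The checks Stefan's reply points at, as an added example that is not part of the thread: a conntrack-table usage figure, a count of kernel "table full" drops, and per-client UDP/53 conntrack entries. The sample log and conntrack lines are constructed (modelled on `dmesg` and `conntrack -L` output), and the iptables rule lines at the end are assumed shapes, not rules from the thread.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread) for the conntrack problem
# Stefan describes: table exhaustion and per-client UDP/53 entry pressure.

# Constructed sample of `dmesg` output on a host whose conntrack table filled.
SAMPLE_KLOG='[4242.101] nf_conntrack: table full, dropping packet
[4242.108] nf_conntrack: table full, dropping packet
[4243.000] eth0: link is up'

# Constructed sample modelled on `conntrack -L` output (original direction first).
SAMPLE_CT='udp      17 28 src=192.0.2.10 dst=198.51.100.1 sport=40001 dport=53 src=198.51.100.1 dst=192.0.2.10 sport=53 dport=40001 mark=0 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.1 sport=40002 dport=53 src=198.51.100.1 dst=192.0.2.10 sport=53 dport=40002 mark=0 use=1
udp      17 30 src=192.0.2.11 dst=198.51.100.1 sport=53 dport=53 src=198.51.100.1 dst=192.0.2.11 sport=53 dport=53 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=198.51.100.1 sport=51000 dport=22 src=198.51.100.1 dst=192.0.2.12 sport=22 dport=51000 [ASSURED] mark=0 use=1'

# Percent of the conntrack table in use. On a live host pass the contents of
# /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Number of "table full" drops in kernel log text read from stdin.
count_table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Conntrack entries per client for UDP flows to port 53, busiest client first.
# Many entries from one source is the "lots of concurrent connections" case.
udp53_entries_per_client() {
    awk '$1 == "udp" {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dport == "53") n[src]++
        }
        END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# Assumed rule shape with the state match, and the form Stefan suggests:
#   iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#   iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Caveat (my addition): once nf_conntrack is loaded, dropping the match does
# not stop the kernel from tracking the flow; to keep UDP/53 out of the table
# use the raw table:  iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
```

Run `dmesg | count_table_full_drops` and `conntrack -L | udp53_entries_per_client` on the affected node to get live figures instead of the constructed samples.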


-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Job
Sent: Wednesday, 4 March 2015 00:41
To: Job; bind-users at lists.isc.org
Subject: Re: Too many connections on the same IP

I tried to tune the kernel with SOMAXCONN, but with no solution!
When DNS queries rise above 300 queries per second, bind has huge timeouts and often does not respond.
If I work on an IP alias, everything is right!

It seems bind has some limit based on the local IP address.

Is there any solution?

Thank you again!
Francesco

________________________________________
From: bind-users-bounces at lists.isc.org [bind-users-bounces at lists.isc.org] on behalf of Job [Job at colliniconsulting.it]
Sent: Tuesday, 3 March 2015 11:43
To: bind-users at lists.isc.org
Subject: Too many connections on the same IP

Hello,

During massive DNS utilization our Bind 9.10.1-P1 seems not to resolve anymore, not even the local zone.
We shut down one of the two nodes and all queries arrived only on one node.

CPU and memory were not too overloaded; the machine was quite fine.

After some quick tests, I noticed that if from the clients I used an IP alias of the Bind server, it worked perfectly!

Only on the main IP were there congestion problems, but resolving on IP aliases worked fast!

Where was I wrong?

Thank you!
Francesco
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users