Recursive bind becomes unresponsive with high load

Michael Brunnbauer brunni at netestate.de
Thu Mar 31 16:29:22 UTC 2016


Hello Mike,

On Thu, Mar 31, 2016 at 04:05:39PM +0000, Mike Hoskins (michoski) wrote:
> If you are crawling lots of new names, the cache size won't have much
> impact.  Each new query will require recursing vs hitting the cache.  Try
> "rndc recursing" and look at what you have sitting around waiting for
> answers.  Hopefully that provides some clues.  This can be all sorts of
> things like unresponsive auth servers, network issues, firewalls munging
> EDNS, etc causing the recursive client backlog.

Can a "recursive client backlog" be a problem if recursing clients is ca. 1000
while recursive-clients is 6000? If yes, where is the backlog? I can see it
in the syslog when recursive-clients is reached - this does not happen here.

Here are the first 10 lines. The other 995 lines all look like this.

;
; Recursing Queries
;
; client 127.0.0.1#40278: id 13156 'fnnd0u.ciptdd.cn/A/IN' requesttime 1459440503
; client 127.0.0.1#43457: id 30082 '6aj344.iqr8aop.cn/A/IN' requesttime 1459440503
; client 127.0.0.1#55751: id 58170 'g1zdo7.02fucag.cn/A/IN' requesttime 1459440503
; client 127.0.0.1#38696: id 62912 'v6mzb.566095.top/A/IN' requesttime 1459440504
; client 127.0.0.1#38585: id 17254 'l3ay0.688903.top/A/IN' requesttime 1459440504
; client 127.0.0.1#47576: id 24940 '0h8xi.866099.top/A/IN' requesttime 1459440504
; client 127.0.0.1#38195: id 25054 'oipy2.spwgm89.com/A/IN' requesttime 1459440504

There are only 2 requests for .de domains in the queue so the failing requests
for netestate.de cannot be explained by a rate limiting of the .de nameservers.
What are current rate limits for TLD nameservers anyway? I wonder how fast
a single BIND instance should hammer them.

Our database is cluttered with Chinese link farms and the DNS queries for them
tend to fail early and often or take a long time. I may be able to address
this in some way so that those queries are reduced but I would also like to
have a DNS server that can handle high load and it seems my current setup is
lacking.

Regards,

Michael Brunnbauer

-- 
++  Michael Brunnbauer
++  netEstate GmbH
++  Geisenhausener Straße 11a
++  81379 München
++  Tel +49 89 32 19 77 80
++  Fax +49 89 32 19 77 89 
++  E-Mail brunni at netestate.de
++  http://www.netestate.de/
++
++  Sitz: München, HRB Nr.142452 (Handelsregister B München)
++  USt-IdNr. DE221033342
++  Geschäftsführer: Michael Brunnbauer, Franz Brunnbauer
++  Prokurist: Dipl. Kfm. (Univ.) Markus Hendel
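
The "rndc recursing" dump quoted in the message above can be summarized per TLD and per client to see where the waiting queries concentrate. This is an added example, not part of the original post or of BIND; it assumes the line format shown above, and the function names and the `now` value are hypothetical.

```python
import re
from collections import Counter
from typing import NamedTuple

# Matches the dump line format shown in the message above; other BIND
# versions may print additional fields, which this pattern does not parse.
LINE_RE = re.compile(
    r"^; client (?P<addr>[^#\s]+)#(?P<port>\d+): id (?P<id>\d+) "
    r"'(?P<name>[^'/]*)/(?P<type>[^/']+)/(?P<cls>[^/']+)' "
    r"requesttime (?P<ts>\d+)\s*$"
)

class Query(NamedTuple):
    client: str
    name: str
    qtype: str
    requesttime: int

def parse_recursing(text):
    """Return a Query for every matching line; header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Query(m["addr"], m["name"].rstrip(".").lower(),
                             m["type"], int(m["ts"])))
    return out

def summarize(queries, now):
    """Count waiting queries per TLD and per client; report the oldest age."""
    tlds = Counter(q.name.rsplit(".", 1)[-1] for q in queries)
    clients = Counter(q.client for q in queries)
    oldest = max((now - q.requesttime for q in queries), default=0)
    return {"total": len(queries), "by_tld": tlds,
            "by_client": clients, "oldest_age_s": oldest}

# Sample input: the dump lines quoted in the message above.
SAMPLE = """\
;
; Recursing Queries
;
; client 127.0.0.1#40278: id 13156 'fnnd0u.ciptdd.cn/A/IN' requesttime 1459440503
; client 127.0.0.1#43457: id 30082 '6aj344.iqr8aop.cn/A/IN' requesttime 1459440503
; client 127.0.0.1#55751: id 58170 'g1zdo7.02fucag.cn/A/IN' requesttime 1459440503
; client 127.0.0.1#38696: id 62912 'v6mzb.566095.top/A/IN' requesttime 1459440504
; client 127.0.0.1#38585: id 17254 'l3ay0.688903.top/A/IN' requesttime 1459440504
; client 127.0.0.1#47576: id 24940 '0h8xi.866099.top/A/IN' requesttime 1459440504
; client 127.0.0.1#38195: id 25054 'oipy2.spwgm89.com/A/IN' requesttime 1459440504
"""

if __name__ == "__main__":
    # "now" is a hypothetical dump time, 2 s after the newest request.
    report = summarize(parse_recursing(SAMPLE), now=1459440506)
    print(report["total"], dict(report["by_tld"]), report["oldest_age_s"])
```

Comparing the oldest age across successive dumps shows whether the same queries are stuck or the queue is turning over.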