TCP connections left in CLOSE_WAIT in 9.16.15/16

usenet at umbral.org.uk usenet at umbral.org.uk
Tue Jun 1 14:40:45 UTC 2021


Folks, further to this issue, we still had the named.conf option

        keep-response-order { any; }; // Disable TCP-pipelining

set as a workaround to an old vulnerability.  Removing that appears
to have fixed the CLOSE_WAIT connections we were accumulating.

Regards,
Ronan Flood

On Thu, May 27, 2021 at 12:21 PM <usenet at umbral.org.uk> wrote:
>
> Hello
>
> We updated on Monday from bind-9.16.6/8 to bind-9.16.15/16 on some
> public-facing authoritative nameservers.  Since then, we are seeing
> a build-up of inbound TCP connections to port 53 being left in
> CLOSE_WAIT state indefinitely until named is restarted, or exhausting
> the tcp-clients limit if not restarted.  Anyone else seeing similar?
>
> Platform is 64bit ArchLinux 5.12.6-arch1-1.
>
> This sort of thing (netstat -tn):
>
> tcp        1      0 194.83.56.250:53        40.113.98.76:13214      CLOSE_WAIT
> tcp        1      0 194.83.56.250:53        52.232.251.180:61357    CLOSE_WAIT
> tcp        1      0 194.83.56.250:53        137.116.220.118:11234   CLOSE_WAIT
> tcp        1      0 194.83.56.250:53        23.100.54.67:17825      CLOSE_WAIT
> tcp        1      0 194.83.56.250:53        94.245.94.142:12397     CLOSE_WAIT
> etc etc etc
>
> On cursory examination, all of the querying IPs appear to be registered
> to Microsoft, may imply Windows resolvers, querying for large TXT records
> without EDNS, eg the first above:
>
> May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b08033908 40.113.98.76#50868 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT - (194.83.56.250)
>
> May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b0895b348 40.113.98.76#13214 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT -T (194.83.56.250)
>
>
> Regards,
> Ronan Flood
> (resurrecting an old bind-users subbed address for this, if it works!)
>
>
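
Added example, not part of the original messages or of BIND: a small Python check that counts port-53 sockets stuck in CLOSE_WAIT in `netstat -tn` output, grouped by peer, and reports their share of the tcp-clients limit mentioned above. The sample lines are constructed with documentation addresses, and the `tcp_clients=150` value is an assumption to be replaced with the setting from your own named.conf.

```python
from collections import Counter

# Constructed sample in `netstat -tn` layout (documentation addresses, not real hosts).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 192.0.2.53:53           198.51.100.7:13214      CLOSE_WAIT
tcp        1      0 192.0.2.53:53           198.51.100.7:61357      CLOSE_WAIT
tcp        0      0 192.0.2.53:53           203.0.113.9:40112       ESTABLISHED
tcp        1      0 192.0.2.53:53           203.0.113.20:11234      CLOSE_WAIT
tcp        0      0 192.0.2.53:22           203.0.113.20:50022      CLOSE_WAIT
tcp6       1      0 2001:db8::53:53         2001:db8::beef:17825    CLOSE_WAIT
"""

def stuck_dns_sockets(netstat_text, port=53):
    """Return (peer, recv_q) for each TCP socket on local `port` in CLOSE_WAIT."""
    stuck = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Skip headers and anything that is not a 6-column tcp/tcp6 row in CLOSE_WAIT.
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] != "CLOSE_WAIT":
            continue
        # rsplit keeps IPv6 addresses intact: the port follows the last colon.
        _, local_port = f[3].rsplit(":", 1)
        peer, _ = f[4].rsplit(":", 1)
        if local_port == str(port):
            stuck.append((peer, int(f[1])))
    return stuck

def summarize(netstat_text, tcp_clients):
    """Count stuck sockets per peer and the share of the tcp-clients limit they hold."""
    stuck = stuck_dns_sockets(netstat_text)
    per_peer = Counter(peer for peer, _ in stuck)
    return {
        "total": len(stuck),
        "nonzero_recv_q": sum(1 for _, q in stuck if q > 0),
        "per_peer": per_peer.most_common(),
        "limit_used": len(stuck) / tcp_clients,
    }

if __name__ == "__main__":
    # tcp_clients=150 is an assumed value; use the tcp-clients setting from named.conf.
    report = summarize(SAMPLE, tcp_clients=150)
    print(f"{report['total']} CLOSE_WAIT on :53, "
          f"{report['limit_used']:.1%} of tcp-clients")
    for peer, n in report["per_peer"]:
        print(f"  {peer}: {n}")
```

Run periodically against live `netstat -tn` output, a total that only grows between runs matches the build-up described in the thread.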


More information about the bind-users mailing list