Just wondering. You mention you're using RHEL6; are you also getting messages in 'dmesg' about connection tracking tables being full? You may need some 'NOTRACK' rules in your iptables.

STUART BROWNE
Senior Unix Administrator, Network Administrator, Database Admin

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Hoskins (michoski)
Sent: Friday, 19 June 2015 2:28 AM
To: Matus UHLAR - fantomas; bind-users@lists.isc.org
Subject: Re: file descriptor exceeds limit

Inline...responding to each of these including Kathy's soon (thanks to the community for the responses). Following with interest as we've seen this for a while, though we are possibly a special case which I'll describe more in another response.

On 6/18/15, 7:00 AM, "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:

>On 17.06.15 22:39, Shawn Zhou wrote:
>>BIND on my resolvers reaches the max open file limit and I am getting lots of SERVFAILs
>>http://pastebin.com/SxRsHLff
>
>>After I increased the max-socks (-s 8192) to 8192, I no longer saw the file limit error from the log anymore; however, I am still seeing many SERVFAILs.
>
>no other errors?

When we've dug into it (really, the investigation is ongoing) we don't notice anything "abnormal". That means there are plenty of things being logged, but nothing you don't always see in the modern world of broken DNS servers, firewalls, network path, etc.

>>Our resolvers were doing about 15k queries per second when this was happening and those were legit traffic. I am aware that I am setting recursive clients to a very high number. Those resolvers are running on 12-cores cpu and 24G RAM hardware. cpu utilization was at about 20% and plenty of RAM left.
>
>>I am wondering if I've reached the limit of BIND for the amount of recursive queries it can serve. Any other tunings I should try?
>
>maybe changing number of recursive-clients, max-clients-per-query.

Have tweaked all these repeatedly, first following community best practice and then going for the sky (big iron) just to see what impact it had. None really.

>Does EDNS work for you? EDNS problems often result in increased number of TCP queries which slows down resolution ...

Yeah, works fine and passes all tests (manual digs, OARC, etc).

>
>> By the way, the resolvers are running RHEL 6.x.
>
>precise BIND version would help a bit more... seems RH6.6 contains 9.8.2 but that may be different for older RH6 versions.

We're running centos 6.x, but use the latest BIND 9.9.x releases.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
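
The conntrack question raised in the reply at the top of this thread can be checked as follows. This is an added example, not code from any poster: it counts "table full" drops in kernel log text, computes table usage, and prints (without applying) raw-table NOTRACK rules for DNS. The function names, the 90% threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the 90% threshold are assumptions.

# Count "table full" drops in kernel log text read from stdin. The kernel
# rate-limits this message, so the result is a lower bound on real drops.
conntrack_drops() {
    grep -Ec '(nf|ip)_conntrack: table full, dropping packet' || true
}

# Integer percentage of the conntrack table in use: usage_pct COUNT MAX
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Print (never apply) raw-table rules that exempt DNS from tracking. A resolver
# sees port 53 as destination and as source, inbound and outbound, so all four
# combinations are listed for both UDP and TCP.
notrack_rules() {
    for proto in udp tcp; do
        for chain in PREROUTING OUTPUT; do
            for dir in dport sport; do
                echo "iptables -t raw -A $chain -p $proto --$dir 53 -j NOTRACK"
            done
        done
    done
}

# Constructed sample kernel log (not taken from the thread).
SAMPLE_DMESG='nf_conntrack: table full, dropping packet.
__ratelimit: 1542 callbacks suppressed
nf_conntrack: table full, dropping packet.
eth0: link up
nf_conntrack: table full, dropping packet.'

# report COUNT MAX, with kernel log text on stdin.
report() {
    drops=$(conntrack_drops)
    pct=$(usage_pct "$1" "$2")
    echo "drops=$drops usage=${pct}%"
    if [ "$drops" -gt 0 ] || [ "$pct" -ge 90 ]; then
        notrack_rules
    fi
}

# On a live host, feed it: dmesg | report "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#                                         "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
printf '%s\n' "$SAMPLE_DMESG" | report 65100 65536
```

Untracked packets no longer match `--state ESTABLISHED` rules, so the filter table needs explicit accepts for port 53 in both directions before rules like these are applied.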