From tcpdump, it appears that customers are receiving a delayed response and are 
too sensitive for timeouts. 

The queries they are sending are authoritative, i.e. the zone is on our 
nameserver. 

How do I troubleshoot this issue? This is really intermittent and hard to 
reproduce.

thanks
Blr

On Monday, August 15, 2016 at 7:27:44 PM UTC-7, John Miller wrote:
> Hi Blr,
> 
> First things first: if your customers are sending queries, this is
> probably about their own recursive queries timing out, rather than
> incoming authoritative queries timing out.
> 
> Something else you should check: are your customers receiving a
> delayed (say a few seconds) SERVFAIL response, or are they receiving
> no response at all?
> 
> There's a different set of options in BIND for recursive rate limiting
> versus authoritative rate limiting.
> 
> Recursive queries:
> 
> * recursive-clients
> * clients-per-query
> * max-clients-per-query
> 
> Running 'rndc status' is a good way to see how close you are to these
> limits; you'll see log messages like
> 
> "no more recursive clients: quota reached"
> 
> There's also a newer set of "recursive client rate-limiting" features
> available in newer (9.9 and 9.10) versions of BIND, but I'm pretty
> sure this doesn't apply to your case.
> 
> Authoritative queries:
> https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
> IIRC, rate-limiting for authoritative queries (called "Response rate
> limiting" or "RRL") wasn't enabled by default until BIND 9.10.x, and
> required a specific build in BIND 9.9.x.  It's not available in BIND
> 9.8.x.
> 
> John
> 
> On Mon, Aug 15, 2016 at 9:22 PM, blrmaani <blrma...@gmail.com> wrote:
> > I inherited a DNS server which is running BIND 9.8.x. There was a DNS 
> > incident where our customers complained that they saw query timeouts 
> > intermittently. (Our customers run Cassandra/Hadoop applications and send 
> > the same queries repeatedly.) They also run nscd on their hosts but I was told 
> > all have the same TTL value of 3600, indicating all names expire at the same 
> > time on thousands of client hosts.
> >
> > I tried to reproduce the issue by sending hostname.bind queries and I see 
> > logs similar to the one below:
> >
> > <time> <client-hostname> named[<pid>]: limit responses to <subnet> for 
> > hostname.bind CH TXT <hex-number>
> > <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet> 
> > for hostname.bind CH TXT <hex-number>
> >
> >
> > I reviewed /etc/named.conf and do not see 'rate-limit' configuration. I am 
> > confused because BIND ARM says rate-limit is disabled by default. But logs 
> > indicate otherwise.
> >
> > (I did "grep rate /etc/*" and didn't see anything. There are no includes 
> > in named.conf.)
> >
> > Please advise on how I can disable rate-limit on my DNS server.
> >
> >
> > I did a strings on 'named' binary and see this:
> >
> > strings /usr/sbin/named | egrep -i rrl
> > dns_rrl
> > dns_rrl_init
> > dns_rrl_view_destroy
> >
> > What else do I need to check to identify if RRL is enabled?
> >
> >
> > Thanks
> > Blr
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> -- 
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
> (781) 736-4619
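
One way to separate the two causes discussed in this thread from the logs alone, as an added example that is not part of the original messages: it pairs the "limit responses to" / "stop limiting responses to" lines per subnet to measure how long RRL was active, and counts "no more recursive clients" quota messages. The sample log is constructed; the syslog timestamp layout, host name, subnets and hex values are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout quoted in the post:
# <time> <host> named[<pid>]: <message>. All values are made up.
SAMPLE_LOG = """\
Aug 15 18:02:11 ns1 named[2211]: limit responses to 10.20.30.0/24 for hostname.bind CH TXT (0001f3a2)
Aug 15 18:02:15 ns1 named[2211]: no more recursive clients: quota reached
Aug 15 18:03:26 ns1 named[2211]: *stop limiting responses to 10.20.30.0/24 for hostname.bind CH TXT (0001f3a2)
Aug 15 18:04:02 ns1 named[2211]: limit responses to 10.20.31.0/24 for hostname.bind CH TXT (0002b7c9)
"""

# Assumed syslog prefix: "Mon DD HH:MM:SS host named[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (.*)$")
# RRL start/stop messages as quoted in the post (stop lines carry a leading '*')
RRL = re.compile(r"^\*?(stop limiting|limit) responses to (\S+) for (.+)$")


def analyse(text, year=2016):
    """Return (closed RRL windows, subnets still limited, recursive quota hits)."""
    open_at, windows, quota_hits = {}, [], 0
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a named syslog line in the assumed layout
        # Classic syslog timestamps carry no year, so one is supplied.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if "no more recursive clients" in msg:
            quota_hits += 1  # recursive-clients quota, unrelated to RRL
            continue
        r = RRL.match(msg)
        if not r:
            continue
        action, subnet = r.group(1), r.group(2)
        if action == "limit":
            open_at.setdefault(subnet, when)  # keep the earliest start
        elif subnet in open_at:
            seconds = (when - open_at.pop(subnet)).total_seconds()
            windows.append((subnet, seconds))
    return windows, sorted(open_at), quota_hits


if __name__ == "__main__":
    windows, still_limited, quota_hits = analyse(SAMPLE_LOG)
    for subnet, seconds in windows:
        print(f"RRL active for {subnet}: {seconds:.0f}s")
    print("still limited:", still_limited, "| recursive quota hits:", quota_hits)
```

Comparing the reported windows with the times customers saw timeouts shows whether response rate limiting or the recursive client quota lines up with the incident.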
