Hello

We updated on Monday from bind-9.16.6/8 to bind-9.16.15/16 on some public-facing authoritative nameservers. Since then, we are seeing a build-up of inbound TCP connections to port 53 being left in CLOSE_WAIT state indefinitely until named is restarted, or exhausting the tcp-clients limit if not restarted. Anyone else seeing similar?

Platform is 64bit ArchLinux 5.12.6-arch1-1.

This sort of thing (netstat -tn):

tcp 1 0 194.83.56.250:53 40.113.98.76:13214 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 52.232.251.180:61357 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 137.116.220.118:11234 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 23.100.54.67:17825 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 94.245.94.142:12397 CLOSE_WAIT
etc etc etc

On cursory examination, all of the querying IPs appear to be registered to Microsoft, may imply Windows resolvers, querying for large TXT records without EDNS, eg the first above:

May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b08033908 40.113.98.76#50868 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT - (194.83.56.250)
May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b0895b348 40.113.98.76#13214 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT -T (194.83.56.250)

Regards,
Ronan Flood
(resurrecting an old bind-users subbed address for this, if it works!)
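One way to measure the build-up described in the message above, as an added example that is not part of the original post: it counts sockets in CLOSE_WAIT on local port 53 per remote address from `netstat -tn` style input. The function names, the threshold argument and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: count TCP sockets stuck in CLOSE_WAIT on local port 53.
# Input on stdin is `netstat -tn` text on Linux:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State

# Print "<count> <remote-ip>" per peer, busiest first.
close_wait_by_peer() {
    awk '$1 ~ /^tcp/ && $6 == "CLOSE_WAIT" && $4 ~ /:53$/ {
             peer = $5
             sub(/:[0-9]+$/, "", peer)   # strip the remote port
             n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Print the total number of CLOSE_WAIT sockets on local port 53.
close_wait_total() {
    awk '$1 ~ /^tcp/ && $6 == "CLOSE_WAIT" && $4 ~ /:53$/ { c++ }
         END { print c + 0 }'
}

# Return 0 while the total is below the warning level given as $1, else 1.
# The level is a hypothetical value for this example; choose one below the
# tcp-clients setting so the alert fires before the limit is exhausted.
close_wait_check() {
    total=$(close_wait_total)
    [ "$total" -lt "$1" ]
}

# Constructed sample in netstat -tn layout (not captured output).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 194.83.56.250:53        40.113.98.76:13214      CLOSE_WAIT
tcp        1      0 194.83.56.250:53        40.113.98.76:13999      CLOSE_WAIT
tcp        1      0 194.83.56.250:53        52.232.251.180:61357    CLOSE_WAIT
tcp        0      0 194.83.56.250:53        192.0.2.10:40000        ESTABLISHED
tcp        1      0 194.83.56.250:22        192.0.2.11:50000        CLOSE_WAIT'

# Demo on the constructed sample; on a live server use: netstat -tn | close_wait_by_peer
printf '%s\n' "$SAMPLE" | close_wait_by_peer
```

Run periodically, the per-peer counts show whether the stuck connections keep growing and whether they stay concentrated on a few source addresses.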