Folks, further to this issue, we still had the named.conf option

  keep-response-order { any; }; // Disable TCP-pipelining

set as a workaround to an old vulnerability. Removing that appears to have
fixed the CLOSE_WAIT connections we were accumulating.

Regards,
Ronan Flood

On Thu, May 27, 2021 at 12:21 PM <use...@umbral.org.uk> wrote:
>
> Hello
>
> We updated on Monday from bind-9.16.6/8 to bind-9.16.15/16 on some
> public-facing authoritative nameservers. Since then, we are seeing
> a build-up of inbound TCP connections to port 53 being left in
> CLOSE_WAIT state indefinitely until named is restarted, or exhausting
> the tcp-clients limit if not restarted. Anyone else seeing similar?
>
> Platform is 64bit ArchLinux 5.12.6-arch1-1.
>
> This sort of thing (netstat -tn):
>
> tcp   1   0 194.83.56.250:53   40.113.98.76:13214     CLOSE_WAIT
> tcp   1   0 194.83.56.250:53   52.232.251.180:61357   CLOSE_WAIT
> tcp   1   0 194.83.56.250:53   137.116.220.118:11234  CLOSE_WAIT
> tcp   1   0 194.83.56.250:53   23.100.54.67:17825     CLOSE_WAIT
> tcp   1   0 194.83.56.250:53   94.245.94.142:12397    CLOSE_WAIT
> etc etc etc
>
> On cursory examination, all of the querying IPs appear to be registered
> to Microsoft, which may imply Windows resolvers, querying for large TXT records
> without EDNS, e.g. the first above:
>
> May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b08033908
> 40.113.98.76#50868 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT - (194.83.56.250)
>
> May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b0895b348
> 40.113.98.76#13214 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT -T (194.83.56.250)
>
>
> Regards,
> Ronan Flood
> (resurrecting an old bind-users subbed address for this, if it works!)

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
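An added check for the symptom reported in this thread (example code written for this page, not code from the thread, from ISC or from BIND): it reads `netstat -tn` or `ss -tan` socket listings, counts the port-53 sockets stuck in CLOSE_WAIT, breaks them down by peer so a single misbehaving resolver stands out, and compares the total against a threshold you choose relative to your `tcp-clients` setting. The sample listing, the addresses in it and the threshold values are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bind-users thread: detect TCP port-53 sockets
# accumulating in CLOSE_WAIT. Works on `netstat -tn` output (state in the last
# column, spelled CLOSE_WAIT) and `ss -tan` output (state in the first column,
# spelled CLOSE-WAIT); in both formats the local address is field 4 and the
# peer address is field 5.

# count_close_wait PORT
#   Reads socket lines on stdin; prints how many are in CLOSE_WAIT with a
#   local address ending in :PORT.
count_close_wait() {
    awk -v port="$1" '
        ($NF == "CLOSE_WAIT" || $1 == "CLOSE-WAIT") && $4 ~ (":" port "$") { n++ }
        END { print n + 0 }
    '
}

# close_wait_peers PORT
#   Same input; prints "count peer-ip" per remote host, most frequent first.
#   The trailing :port is stripped from the peer so its connections aggregate.
close_wait_peers() {
    awk -v port="$1" '
        ($NF == "CLOSE_WAIT" || $1 == "CLOSE-WAIT") && $4 ~ (":" port "$") {
            sub(/:[0-9]+$/, "", $5)
            c[$5]++
        }
        END { for (p in c) print c[p], p }
    ' | sort -rn
}

# check_close_wait PORT LIMIT
#   Returns 0 while the CLOSE_WAIT count is below LIMIT, 1 once it reaches it.
#   LIMIT is a site-chosen fraction of tcp-clients (hypothetical; BIND itself
#   has no such threshold).
check_close_wait() {
    n=$(count_close_wait "$1")
    [ "$n" -lt "$2" ]
}

# Constructed netstat -tn sample (RFC 5737 documentation addresses, not real peers).
SAMPLE='tcp        1      0 192.0.2.10:53         198.51.100.7:13214     CLOSE_WAIT
tcp        0      0 192.0.2.10:53         198.51.100.8:40001     ESTABLISHED
tcp        1      0 192.0.2.10:53         198.51.100.7:61357     CLOSE_WAIT
tcp        1      0 192.0.2.10:22         203.0.113.5:5555       CLOSE_WAIT
tcp        1      0 192.0.2.10:53         198.51.100.9:11234     CLOSE_WAIT'

# Run against the sample; on a live server replace the printf with
#   netstat -tn | close_wait_peers 53      or      ss -tan | close_wait_peers 53
printf '%s\n' "$SAMPLE" | close_wait_peers 53
printf '%s\n' "$SAMPLE" | check_close_wait 53 100 || echo "CLOSE_WAIT count on :53 at or above limit"
```

Run it periodically (cron or a monitoring agent) against `ss -tan` rather than `netstat`, which is deprecated on current Linux; a count that grows without bound between two samples while named is not restarted is the pattern the thread describes, and the per-peer breakdown tells you whether it is one client population or everyone.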