BIND DNS problem (?)

2018-09-26 Thread Jukka Pakkanen
We are running a couple of Symantec SMG servers, and their DNS clients are 
configured to use your BIND 9.12.2 DNS servers.

In both SMG servers we get the same DNS "server failure" error from all our DNS 
servers when they do some TXT queries to SMG:

http://www.qnet.fi/jp/dns.png

(sorry for the bad quality/format, hope you can zoom in. That's all I got from 
Symantec when contacting their support, and they claim the problem is in our 
DNS servers because of the "server failure" error).

Anyway, I suppose the problem is related to these, in the response:


Answer authenticated: Answer/authority portion was not authenticated by the 
server
Non-authenticated data: Unacceptable



Sooo, any ideas what does this mean, is the problem in our BIND servers, or in 
the other end?


Jukka
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: BIND DNS problem (?)

2018-09-26 Thread John W. Blue via bind-users
I could not zoom in to see anything.  Please post a better screenshot or better 
yet post the .pcap itself for download and review.

John



Re: BIND DNS problem (?)

2018-09-26 Thread Mukund Sivaraman
On Wed, Sep 26, 2018 at 07:45:46AM +, Jukka Pakkanen wrote:
> 
> Answer authenticated: Answer/authority portion was not authenticated by the 
> server
> Non-authenticated data: Unacceptable
> 

This is Wireshark's packet parsing output. It is not related to the SERVFAIL.

> Sooo, any ideas what does this mean, is the problem in our BIND servers, or 
> in the other end?

Look at the named logs. Turn up the logging level to get more details of
what's going on, replay the queries sent by the Symantec servers, and
observe the logs.

Mukund


RE: BIND DNS problem (?)

2018-09-26 Thread Jukka Pakkanen
Updated the pic, should be readable now... posting the pcap later.

Jukka



RE: BIND DNS problem (?)

2018-09-26 Thread Jukka Pakkanen
Started logging named now, but don't see much debug information with these 
logging settings:

logging {
    category lame-servers { null; };
    category edns-disabled { null; };
    category security { security_file; };
    category queries { queries_file; };
    category resolver { resolver_file; };
    category query-errors { query-errors_file; };

    channel query-errors_file {
        file "d:/logs/named/query-errors.log" versions 3 size 5m;
        severity debug;
        print-time yes;
    };

    channel queries_file {
        file "d:/logs/named/queries.log" versions 3 size 5m;
        severity debug;
        print-time yes;
    };

    channel resolver_file {
        file "d:/logs/named/resolver.log" versions 3 size 5m;
        severity debug;
        print-time yes;
    };

    channel security_file {
        file "d:/logs/named/security.log" versions 3 size 5m;
        severity debug;
        print-time yes;
    };

};


Query-errors:

26-syyskuuta-2018 12.00.59.794 client @01F5160E7150 62.142.220.9#28667 
(73cb7fd0d8c8b44cd6e741d6eed0e612.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 73cb7fd0d8c8b44cd6e741d6eed0e612.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692
26-syyskuuta-2018 12.00.59.794 client @01F516751E40 62.142.220.9#48236 
(6680545bc0584602c24adc8dd123f0b5.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 6680545bc0584602c24adc8dd123f0b5.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692
26-syyskuuta-2018 12.00.59.794 client @01F51768CA50 62.142.220.9#47990 
(73cb7fd0d8c8b44cd6e741d6eed0e612.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 73cb7fd0d8c8b44cd6e741d6eed0e612.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692
26-syyskuuta-2018 12.00.59.794 client @01F5173936D0 62.142.220.9#46275 
(6680545bc0584602c24adc8dd123f0b5.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 6680545bc0584602c24adc8dd123f0b5.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692
26-syyskuuta-2018 12.00.59.794 client @01F5173951F0 62.142.220.9#13544 
(84cbbbe69327045981177902b6ed7539.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 84cbbbe69327045981177902b6ed7539.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692
26-syyskuuta-2018 12.00.59.794 client @01F5170931C0 62.142.220.9#26021 
(56909d41023d9bee0e972fa4ca487314.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 56909d41023d9bee0e972fa4ca487314.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692
26-syyskuuta-2018 12.00.59.794 client @01F517390E20 62.142.220.9#35961 
(fb74971ab843d9ef29b498a817f135a0.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for fb74971ab843d9ef29b498a817f135a0.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692







RE: BIND DNS problem (?)

2018-09-26 Thread Jukka Pakkanen
Now got some more debug info, but does it help finding out why we get the 
server failure?

26-syyskuuta-2018 15.46.33.999 client @024562471630 62.142.220.9#8179 
(1d427bf569fa3b25355a5944e82b5e23.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 1d427bf569fa3b25355a5944e82b5e23.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692

26-syyskuuta-2018 15.46.33.999 client @024561EFABC0 62.142.220.9#37637 
(1d427bf569fa3b25355a5944e82b5e23.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 1d427bf569fa3b25355a5944e82b5e23.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692

26-syyskuuta-2018 15.46.33.999 fetch completed at ..\resolver.c:4175 for 
1d427bf569fa3b25355a5944e82b5e23.smg.ultra.brightmail.com/TXT in 10.014952: 
timed out/success 
[domain:smg.ultra.brightmail.com,referral:2,restart:2,qrysent:7,timeout:6,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

26-syyskuuta-2018 15.46.33.999 fetch completed at ..\resolver.c:4175 for 
31b126c2f9ec0fb531fb6f408760df5c.smg.ultra.brightmail.com/TXT in 10.014952: 
timed out/success 
[domain:smg.ultra.brightmail.com,referral:2,restart:2,qrysent:7,timeout:6,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

26-syyskuuta-2018 15.46.33.999 client @024562641060 62.142.220.9#63769 
(31b126c2f9ec0fb531fb6f408760df5c.smg.ultra.brightmail.com): query failed 
(SERVFAIL) for 31b126c2f9ec0fb531fb6f408760df5c.smg.ultra.brightmail.com/IN/TXT 
at ..\query.c:10692
...

Jukka



RE: BIND DNS problem (?)

2018-09-26 Thread Tony Finch
Jukka Pakkanen  wrote:

> Now got some more debug info, but does it help finding out why we get
> the server failure?

The DNS servers for smg.brightmail.com are broken. They drop most queries
which causes all sorts of problems.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Humber, Thames: Southwest 4 or 5, occasionally 6 at first. Slight or moderate,
but rough at first in Humber. Fair. Good, occasionally moderate.
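
Added example, not part of the thread: a Python parser for the resolver's "fetch completed" lines posted above, which reads the bracketed counters and attributes each failing zone to a cause. The verdict names, the "half of the queries timed out" threshold and the third sample line (a made-up zone) are assumptions of this example.

```python
import re
from collections import defaultdict

# named's resolver category logs one "fetch completed" line per finished fetch,
# ending in a bracketed list of per-zone counters.
FETCH_RE = re.compile(
    r"fetch completed at \S+ for (?P<name>\S+)/(?P<rtype>[A-Z0-9]+) in "
    r"(?P<secs>[\d.]+): (?P<result>[^\[]+?)\s*\[(?P<counters>[^\]]*)\]"
)

COUNTERS = ("[domain:smg.ultra.brightmail.com,referral:2,restart:2,qrysent:7,"
            "timeout:6,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]")

# First two lines are from the thread (re-joined onto one line each); the third
# is constructed for a hypothetical zone to show a different verdict.
SAMPLE_LOG = [
    r"26-syyskuuta-2018 15.46.33.999 fetch completed at ..\resolver.c:4175 for "
    r"1d427bf569fa3b25355a5944e82b5e23.smg.ultra.brightmail.com/TXT in 10.014952: "
    r"timed out/success " + COUNTERS,
    r"26-syyskuuta-2018 15.46.33.999 fetch completed at ..\resolver.c:4175 for "
    r"31b126c2f9ec0fb531fb6f408760df5c.smg.ultra.brightmail.com/TXT in 10.014952: "
    r"timed out/success " + COUNTERS,
    r"26-syyskuuta-2018 15.47.01.120 fetch completed at ..\resolver.c:4175 for "
    r"www.signed.example/A in 0.412000: failure/success "
    r"[domain:signed.example,referral:1,restart:1,qrysent:3,timeout:0,lame:0,"
    r"quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]",
]


def parse_fetch(line):
    """Return the fields of one 'fetch completed' line, or None for other lines."""
    m = FETCH_RE.search(line)
    if m is None:
        return None
    counters = {}
    for item in m.group("counters").split(","):
        if ":" not in item:
            continue
        key, _, value = item.partition(":")
        counters[key] = value if key == "domain" else int(value)
    return {"name": m.group("name"), "rtype": m.group("rtype"),
            "secs": float(m.group("secs")), "result": m.group("result"),
            "counters": counters}


def classify(c):
    """Map counters to a likely cause (ordering and threshold are assumptions)."""
    if c.get("valfail", 0):
        return "dnssec-validation-failure"
    sent = c.get("qrysent", 0)
    if sent and c.get("timeout", 0) * 2 >= sent:
        return "upstream-timeout"      # authoritative servers are not answering
    for key, verdict in (("lame", "lame-delegation"), ("neterr", "network-error"),
                         ("badresp", "bad-response"), ("adberr", "no-server-address")):
        if c.get(key, 0):
            return verdict
    return "unclassified"


def summarize(lines):
    """Aggregate counters per zone and attach a verdict to each zone."""
    zones = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_fetch(line)
        if rec is None:
            continue
        totals = zones[rec["counters"].get("domain", "?")]
        totals["fetches"] += 1
        for key, value in rec["counters"].items():
            if key != "domain":
                totals[key] += value
    return {zone: {"fetches": t["fetches"], "qrysent": t["qrysent"],
                   "timeout": t["timeout"], "verdict": classify(t)}
            for zone, t in zones.items()}


if __name__ == "__main__":
    for zone, info in summarize(SAMPLE_LOG).items():
        print(zone, info)
```

For the two lines from the thread this reports 12 timeouts out of 14 queries sent to smg.ultra.brightmail.com with no lame, network or validation errors, i.e. the resolver gave up waiting on the remote servers.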


RE: BIND DNS problem (?)

2018-09-26 Thread Jukka Pakkanen
Yes looks like that, also this problem started suddenly, affects all our SMG & 
DNS servers, so very unlikely the problem is on our end.

Still Symantec "enterprise support technician" claims the problem is on our DNS 
servers, and as a "proof" sent the chapter 4.1.1 of the RFC1035, where it is 
stated that "code 2 = server failure", and this should prove that our servers 
are not working because they got "server failure" error ;-)

Jukka




BIND and UDP tuning

2018-09-26 Thread Alex
Hi,

I reported a few weeks ago that I was experiencing a really high
number of "SERVFAIL" messages in my bind-9.11.4-P1 system running on
fedora28, and I haven't yet found a solution. This is all now running
on a 165/35 cable system.

I found a program named dropwatch which is showing a significant
number of dropped UDP packets, particularly when there are bursts of
email traffic:

12 drops at skb_queue_purge+13 (0x9f79a0c3)
1 drops at __udp4_lib_rcv+1e6 (0x9f83bdf6)
4 drops at __udp4_lib_rcv+1e6 (0x9f83bdf6)
5 drops at nf_hook_slow+a7 (0x9f7faff7)
3 drops at sk_stream_kill_queues+48 (0x9f7a1158)
3 drops at __udp4_lib_rcv+1e6 (0x9f83bdf6)
...

# netstat -us
...
Udp:
23449482 packets received
1724269 packets to unknown port received
8248 packet receive errors
31394909 packets sent
8243 receive buffer errors
0 send buffer errors
InCsumErrors: 5
IgnoredMulti: 43247

The SERVFAIL messages don't necessarily correspond to the UDP packet
errors shown by netstat, but the dropwatch output is continuous. The
netstat packet receive errors also don't seem to correspond to
"SERVFAIL" or "Name service" errors:

26-Sep-2018 12:42:49.743 query-errors: info: client @0x7fb3c41634d0
127.0.0.1#44104 (46.36.47.104.wl.mailspike.net): query failed
(SERVFAIL) for 46.36.47.104.wl.mailspike.net/IN/A at
../../../bin/named/query.c:8580

Sep 26 12:47:11 mail03 postfix/dnsblog[22821]: warning: dnsblog_query:
lookup error for DNS query 196.91.107.80.bl.spameatingmonkey.net: Host
or domain name not found. Name service error for
name=196.91.107.80.bl.spameatingmonkey.net type=A: Host not found, try
again

I've been following this thread from some time ago, but nothing I've
done has made a difference. I really don't know what the buffer sizes
should be.
http://bind-users-forum.2342410.n4.nabble.com/Tuning-suggestions-for-high-core-count-Linux-servers-td3899.html

Are there specific bind tunables you might recommend? edns-udp-size, perhaps?

Any ideas on other tunables such as net.core.*mem_default etc?


Re: NTP through DNS?

2018-09-26 Thread Chris Thompson

On Sep 24 2018, Danny Mayer wrote:
[...]

This is very simple to do. It does not require SRV records to implement.
Note that I am only answering for the ntp reference implementation.

In your domain file add entries like this:

locationntp     CNAME   ntp1.yourdomain
                CNAME   ntp2.yourdomain
                CNAME   externalntp.otherdomain
                CNAME   externalntp.someotherdomain


Assuming that you are running name server software that actually allows
you to have several CNAMEs with the same label, of course.

BIND8 with "multiple-cnames yes", perhaps? :-)

--
Chris Thompson
Email: c...@cam.ac.uk


RE: BIND and UDP tuning

2018-09-26 Thread Browne, Stuart via bind-users
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> Alex
> Sent: Thursday, 27 September 2018 2:52 AM
> To: bind-users@lists.isc.org
> Subject: BIND and UDP tuning
> 
> I've been following this thread from some time ago, but nothing I've
> done has made a difference. I really don't know what the buffer sizes
> should be.
> http://bind-users-forum.2342410.n4.nabble.com/Tuning-suggestions-for-high-core-count-Linux-servers-td3899.html
> 
> Are there specific bind tunables you might recommend? edns-udp-size,
> perhaps?
> 
> Any ideas on other tunables such as net.core.*mem_default etc?

*chuckles to self*

I was just referring back to that thread myself to try to remember what I did.

I ended up tuning the following items:

  - name: SYSCTL system tuning, basics
    sysctl:
      name: "{{ item.name }}"
      value: "{{ item.value }}"
      sysctl_set: yes
      state: present
    with_items:
      - { name: 'vm.swappiness', value: 0 }
      - { name: 'net.core.netdev_max_backlog', value: 32768 }
      - { name: 'net.core.netdev_budget', value: 2700 }
      - { name: 'net.ipv4.tcp_sack', value: 0 }
      - { name: 'net.core.somaxconn', value: 2048 }
      - { name: 'net.core.rmem_default', value: 16777216 }
      - { name: 'net.core.rmem_max', value: 16777216 }
      - { name: 'net.core.wmem_default', value: 16777216 }
      - { name: 'net.core.wmem_max', value: 16777216 }

(Yeah, I was using ansible for that testing!)

The checking of the /proc/net/softnet_stat is what was driving some of those 
settings, so you may want to dig into that. I never did solve the netstat 
showing issues though, so keep that in mind.

If you are running high query throughput and have many CPU cores, the pinning 
of cores was a significant performance improvement.

You've not said here what sort of query throughput you are having here however. 
Be aware that if this is running in a virtualized environment, you may want to 
be looking at the host machine instead of the guest as the network performance 
there can have a significant impact.

Whilst mentioned in passing on that thread, there was also poking around with 
TOE, pause, coalesce adaptive and ring size settings (look at ethtool -K, 
ethtool -A, ethtool -C and ethtool -G), but sadly have lost the specific 
commands. 

Stuart Browne
Neustar, Inc. / Sr Systems Admin
Level 8, 10 Queens Road, Melbourne, Australia VIC 3004
Office: +61.3.9866.3710
stuart.browne@team.neustar / home.neustar
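
Added example, not part of the thread: a Python check that reads the UDP counters behind "netstat -us" (/proc/net/snmp) together with /proc/net/softnet_stat and reports which of the sysctls listed above each kind of drop points at. The UDP sample reuses the figures quoted in the thread; the softnet_stat sample is constructed, and the counter-to-sysctl mapping is the usual reading of these kernel counters, stated here as an assumption.

```python
# Constructed /proc/net/snmp excerpt: the "netstat -us" figures quoted in the
# thread, laid out in the kernel's two-line header/value format.
SNMP_SAMPLE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 23449482 1724269 8248 31394909 8243 0 5 43247
"""

# Constructed /proc/net/softnet_stat excerpt (not from the thread): one row per
# CPU, hex columns; the first three are processed, dropped, time_squeeze.
SOFTNET_SAMPLE = """\
0165e3a2 00000000 0000012c 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00f1b2c4 00000007 00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""


def parse_snmp_udp(text):
    """Return the Udp: counters of /proc/net/snmp as a name -> int dict."""
    rows = [line.split()[1:] for line in text.splitlines()
            if line.split()[:1] == ["Udp:"]]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp: header row and one Udp: value row")
    return dict(zip(rows[0], (int(v) for v in rows[1])))


def parse_softnet(text):
    """Return per-CPU processed/dropped/time_squeeze counts from softnet_stat."""
    cpus = []
    for line in text.splitlines():
        cols = [int(c, 16) for c in line.split()]
        if len(cols) >= 3:
            cpus.append({"processed": cols[0], "dropped": cols[1],
                         "time_squeeze": cols[2]})
    return cpus


def diagnose(snmp_text, softnet_text):
    """Attribute receive-side loss to a layer and name the sysctls to review."""
    udp = parse_snmp_udp(snmp_text)
    cpus = parse_softnet(softnet_text)
    rcvbuf = udp.get("RcvbufErrors", 0)
    csum = udp.get("InCsumErrors", 0)
    dropped = sum(c["dropped"] for c in cpus)
    squeeze = sum(c["time_squeeze"] for c in cpus)

    sysctls = []
    if rcvbuf:    # socket receive queue was full when a datagram arrived
        sysctls += ["net.core.rmem_default", "net.core.rmem_max"]
    if dropped:   # per-CPU input backlog was full
        sysctls.append("net.core.netdev_max_backlog")
    if squeeze:   # softirq ran out of budget with packets still pending
        sysctls.append("net.core.netdev_budget")

    return {
        "rcvbuf_errors": rcvbuf,
        # InErrors not explained by full buffers or bad checksums
        "unexplained_errors": udp.get("InErrors", 0) - rcvbuf - csum,
        "softnet_dropped": dropped,
        "time_squeeze": squeeze,
        "sysctls": sysctls,
    }


if __name__ == "__main__":
    print(diagnose(SNMP_SAMPLE, SOFTNET_SAMPLE))
```

On the quoted figures, the 8248 receive errors are fully accounted for by 8243 receive-buffer errors plus 5 checksum errors, so the UDP-level loss is at the socket buffer rather than elsewhere in the UDP path.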
