file descriptor exceeds limit
Stuart.Browne at bomboratech.com.au
Thu Jun 18 23:09:20 UTC 2015
Just wondering. You mention you're using RHEL6; are you also getting messages in 'dmesg' about connection tracking tables being full? You may need some 'NOTRACK' rules in your iptables.
Senior Unix Administrator, Network Administrator, Database Admin
P +61 9866 3710
Follow us on https://twitter.com/BomboraTech
The Bombora Technologies group of companies includes AusRegistry, ARI Registry Services, AusRegistry International and ZOAK Solutions.
The information contained in this communication is intended for the named recipients only. It is subject to copyright and may contain legally privileged and confidential information and if you are not an intended recipient you must not use, copy, distribute or take any action in reliance on it. If you have received this communication in error, please delete all copies from your system and notify us immediately.
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Mike Hoskins (michoski)
Sent: Friday, 19 June 2015 2:28 AM
To: Matus UHLAR - fantomas; bind-users at lists.isc.org
Subject: Re: file descriptor exceeds limit
Inline...responding to each of these including Kathy's soon (thanks to the
community for the responses). Following with interest as we've seen this
for awhile, though we are possibly a special case which I'll describe more
in another response.
On 6/18/15, 7:00 AM, "Matus UHLAR - fantomas" <uhlar at fantomas.sk> wrote:
>On 17.06.15 22:39, Shawn Zhou wrote:
>>BIND on my resolvers reaches the max open file limit and I am getting
>> of SERVFAILs
>>After I increased the max-socks (-s 8192) to 8192, I no longer saw the
>> limit error from the log anymore; however, I am still many SERVFAILs.
>no other errors?
When we've dug into it (really, the investigation is ongoing) we don't
notice anything "abnormal". That means there are plenty of things being
logged, but nothing you don't always see in the modern world of broken DNS
servers, firewalls, network path, etc.
>>Our resolvers were doing about 15k queries per seconds when this was
>> happening and those were legit traffic. I am aware that I am setting
>> recursive clients to a very high number. Those resolvers are running on
>> 12-cores cpu and 24G RAM hardware. cpu utilization was at about 20% and
>> plenty of RAM left.
>>I am wondering if I've reached the limit of BIND for the amount of
>> recursive queries it can serve. Any other tunings I should try?
>maybe changing number of recursive-clients, max-clients-per-query.
Have tweaked all these repeatedly, first following community best practice
and then going for the sky (big iron) just to see what impact it had.
>Does EDNS work for you? EDNS problems often result to increased number of
>TCP queries which slows down resolution ...
Yeah, works fine and passes all tests (manual digs, OARC, etc).
>> By the way, the resolvers are running RHEL 6.x.
>precise BIND version would help a bit more... seems RH6.6 contains 9.8.2
>that may be different for older RH6 versions.
We're running centos 6.x, but use the latest BIND 9.9.x releases.
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
More information about the bind-users