Re: Too many connections on the same IP

Stefan.Lasche at Stefan.Lasche at
Wed Mar 4 08:47:59 UTC 2015

Are you using iptables Firewall?
Does the problem only occur on UDP connections to the problematic IP? Or also on TCP connections to the same IP?

I had similar problems (not with BIND) when the connection table of the iptables "state" module was too small.
iptables started dropping packets because it couldn't keep track of new connections.
Since UDP is by definition stateless, the "state" module tries to invent some sort of connection status based on source and destination ports.
This sometimes causes trouble, especially when there are lots of concurrent connections and the same UDP ports show up over and over again (e.g. when DNS clients do not use source port randomization).
You could try removing the state module (-m state --state NEW) from your UDP firewall rule for BIND and see if that helps.

I believe there are separate state tables for each network interface. This could explain why your second IP is still responding.

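The reply above points at the netfilter connection-tracking table as the place to look. The following is an added example for checking that hypothesis on the server; it is not code from the thread or from BIND. It parses the /proc/net/nf_conntrack text format, keeps the UDP flows whose original direction targets port 53, and reports, per client source address, how many table entries the client holds and how many distinct source ports it used, plus how full the table is from nf_conntrack_count against nf_conntrack_max. The sample entries, the counter values and the 90% warning threshold are constructed for the example.

```python
"""Inspect netfilter conntrack entries for DNS-over-UDP pressure.

Added example, not from the mailing-list thread. Reads the
/proc/net/nf_conntrack text format; sample data below is constructed.
"""
import re
from collections import defaultdict

# One conntrack line looks like:
#   l3proto l3num l4proto l4num timeout [tcp_state]
#   src= dst= sport= dport= [UNREPLIED] src= dst= sport= dport= [ASSURED] mark= use=
# The first src/dst/sport/dport quadruple is the original direction,
# the second one the reply direction.
_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: 192.0.2.53 is the DNS server, 203.0.113.x are clients.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 179 src=203.0.113.7 dst=192.0.2.53 sport=53 dport=53 src=192.0.2.53 dst=203.0.113.7 sport=53 dport=53 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.9 dst=192.0.2.53 sport=40001 dport=53 [UNREPLIED] src=192.0.2.53 dst=203.0.113.9 sport=53 dport=40001 mark=0 use=1
ipv4     2 udp      17 28 src=203.0.113.9 dst=192.0.2.53 sport=52233 dport=53 src=192.0.2.53 dst=203.0.113.9 sport=53 dport=52233 mark=0 use=1
ipv4     2 udp      17 27 src=203.0.113.9 dst=192.0.2.53 sport=61022 dport=53 [UNREPLIED] src=192.0.2.53 dst=203.0.113.9 sport=53 dport=61022 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=192.0.2.53 sport=44112 dport=53 src=192.0.2.53 dst=203.0.113.9 sport=53 dport=44112 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.7 dst=192.0.2.53 sport=123 dport=123 [UNREPLIED] src=192.0.2.53 dst=203.0.113.7 sport=123 dport=123 mark=0 use=1
"""


def parse_conntrack(text):
    """Parse /proc/net/nf_conntrack lines into dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or truncated line
        entry = {
            "l3": parts[0],
            "proto": parts[2],
            "timeout": int(parts[4]),
            "unreplied": "[UNREPLIED]" in parts,
            "assured": "[ASSURED]" in parts,
        }
        orig, reply = {}, {}
        for key, val in _KV.findall(line):
            if key in ("src", "dst", "sport", "dport"):
                # first occurrence is the original direction, second the reply
                (orig if key not in orig else reply)[key] = val
            else:
                entry[key] = val  # mark=, use=, zone=, ...
        entry["orig"], entry["reply"] = orig, reply
        entries.append(entry)
    return entries


def dns_udp_flows(entries, dport="53"):
    """Keep UDP entries whose original direction targets the DNS port."""
    return [e for e in entries
            if e["proto"] == "udp" and e["orig"].get("dport") == dport]


def client_profile(flows):
    """Per client source address: (entries held, distinct source ports used).

    A client with many entries and as many ports is firing randomized-port
    queries, each of which occupies a slot until the UDP timeout expires;
    one entry with one port is a client that reuses a fixed source port.
    """
    prof = defaultdict(lambda: [0, set()])
    for f in flows:
        src = f["orig"]["src"]
        prof[src][0] += 1
        prof[src][1].add(f["orig"]["sport"])
    return {src: (n, len(ports)) for src, (n, ports) in prof.items()}


def table_pressure(count, maximum, warn_at=0.9):
    """Fraction of the conntrack table in use and whether it exceeds warn_at.

    count/maximum are the values of net.netfilter.nf_conntrack_count and
    net.netfilter.nf_conntrack_max; warn_at=0.9 is an arbitrary threshold.
    """
    ratio = count / maximum
    return ratio, ratio >= warn_at


if __name__ == "__main__":
    # Live use: read /proc/net/nf_conntrack and the two sysctl files instead.
    flows = dns_udp_flows(parse_conntrack(SAMPLE_CONNTRACK))
    for src, (n, ports) in sorted(client_profile(flows).items()):
        print(f"{src}: {n} entries, {ports} distinct source ports")
    ratio, full = table_pressure(61440, 65536)  # constructed counter values
    print(f"conntrack table {ratio:.1%} used, warning={full}")
```

On a live server, read /proc/net/nf_conntrack and the sysctls net.netfilter.nf_conntrack_count and net.netfilter.nf_conntrack_max in place of the constructed data; the kernel logs "nf_conntrack: table full, dropping packet" when the limit is hit. Note that dropping -m state from the DNS ACCEPT rule only removes the match; as long as the conntrack modules are loaded, every packet is still tracked, so to keep DNS out of the table altogether the usual approach is a NOTRACK/CT --notrack rule for port 53 in the raw table.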

-----Original Message-----
From: bind-users-bounces at [mailto:bind-users-bounces at] On Behalf Of Job
Sent: Wednesday, 4 March 2015 00:41
To: Job; bind-users at
Subject: Re: Too many connections on the same IP

I tried tuning the kernel with SOMAXCONN, but with no solution!
When DNS queries rise above 300 queries per second, BIND has huge timeouts and often does not respond.
If I use an IP alias, everything is fine!

It seems BIND has some limit based on the local IP address.

Are there any solutions?

Thank you again!

From: bind-users-bounces at [bind-users-bounces at] on behalf of Job [Job at]
Sent: Tuesday, 3 March 2015 11:43
To: bind-users at
Subject: Too many connections on the same IP


During massive DNS utilization our BIND 9.10.1-P1 seems not to resolve anymore, not even the local zone.
We shutdown one of the two nodes and all queries arrived only on one node.

CPU and memory were not overloaded; the machine was quite fine.

After some quick tests, I noticed that if I used an IP alias of the BIND server from the clients, it worked perfectly!

Only on the main IP were there congestion problems, but resolving on the IP aliases worked fast!

Where was I wrong?

Thank you!
Please visit to unsubscribe from this list

bind-users mailing list
bind-users at