jay-ford at uiowa.edu
Tue Aug 16 02:02:05 UTC 2016
On Mon, 15 Aug 2016, blrmaani wrote:
> I inherited a DNS server which is running BIND 9.8.x. There was a DNS
> incident where our customers complained that they saw query timeouts
> intermittently (Our customers run cassandra/hadoop applications and send
> same queries repeatedly). They also run nscd on their hosts but I was told
> all have same TTL value of 3600 indicating all names expire at the same
> time on thousands of client hosts).
> I tried to reproduce the issue by sending hostname.bind queries and I see
> logs similar to the one below:
> <time> <client-hostname> named[<pid>]: limit responses to <subnet> for hostname.bind CH TXT <hex-number>
> <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet> for hostname.bind CH TXT <hex-number>
> I reviewed /etc/named.conf and do not see 'rate-limit' configuration. I am
> confused because BIND ARM says rate-limit is disabled by default. But logs
> indicate otherwise.
The built-in view for the "CH" class has response rate-limting (RRL) enabled
by default. It's possible to override it, but it might not help you any.
Basically, your test queries are sufficiently different than normal queries
that your test methodology is probably invalid.
Do you see RRL log messages for normal queries? If not, then RRL is probably
not your trouble. Other things like insufficient UDP buffering, lacking CPU
horsepower, or overwhelmed iptables connection tracking can also cause
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555
More information about the bind-users