Tuning for lots of SERVFAIL responses

Tony Finch dot at dotat.at
Thu Feb 18 20:04:36 UTC 2016

John Miller <johnmill at brandeis.edu> wrote:

> A couple of weeks ago, we experienced an outage on our external
> Internet links.  Ideally, this shouldn't affect queries for internal
> resources - we expect those queries to continue to be answered.

We've had a few connectivity losses over the last year due to floods and
DDoS attacks, so I have more experience with this than I would like.

It's tricky. There are a surprising number of external dependencies on
supposedly internal resources. For instance we have a web single-sign-on
service which deliberately avoids using the Typekit font specified by our
web designers, but it's still "slow" when we lose external connectivity
because (I think) of attempts at TLS OCSP lookups :-(

> It's my understanding that by default, BIND limits the number of
> concurrent recursive queries to 1000, so obviously during these
> situations, we need to raise our client limit (recursive-clients) to
> deal with this.

Our recursive servers are built using BIND 9.10's ./configure
--with-tuning=large option, and I have bumped up the max-clients option to
12345 (a number that I guessed but which turned out to be about right). We
normally deal with about 1500-2000 qps on each server; during outages I
observed this increased by a factor of 3 or 4. However the number of
active clients went up to nearly 10,000 (it's normally negligible). The
other reason 12345 is about right is that the default socket limit is
20,000 and each client seems to need two sockets.

> What I'm curious about is how BIND behaves when it can't finish
> iterative queries: when someone queries for yahoo.com, and the root
> (or .com, yahoo.com) nameservers aren't reachable, does BIND then
> issue a SERVFAIL response (assuming yes)?
> How long will BIND wait before returning SERVFAIL?
> At what point does BIND assume a domain is down altogether?  What's
> the behavior then?

Good questions :-)

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea, Shannon: West or southwest 4 or 5 increasing 6 or 7, perhaps gale 8
later in Irish Sea. Moderate or rough in Irish Sea, very rough in Shannon.
Showers then rain. Moderate or good, occasionally poor.
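A monitoring check for the client build-up described in the reply above, as an added example that is not part of either poster's message. It assumes the `recursive clients: current/soft/hard` line printed by `rndc status`; the 20,000 socket limit and two sockets per client are the figures quoted in the reply, used here as adjustable assumptions, and the sample status text is constructed.

```python
import re

# Constructed `rndc status` excerpts (not captured from a real server).
SAMPLE_NORMAL = """\
query logging is OFF
recursive clients: 12/12245/12345
tcp clients: 2/100
server is up and running
"""
SAMPLE_OUTAGE = SAMPLE_NORMAL.replace("12/12245", "9870/12245")

_LINE = re.compile(r"^recursive clients:\s*(\d+)/(\d+)/(\d+)\s*$", re.MULTILINE)


def parse_recursive_clients(status_text):
    """Return (current, soft_quota, hard_limit) from `rndc status` output."""
    m = _LINE.search(status_text)
    if m is None:
        raise ValueError("no 'recursive clients' line in status output")
    return tuple(int(g) for g in m.groups())


def assess(status_text, socket_limit=20000, sockets_per_client=2, warn_ratio=0.8):
    """Classify client load against the tighter of the two ceilings.

    socket_limit and sockets_per_client default to the figures quoted in the
    post; both are assumptions and should be replaced with measured values.
    """
    current, soft, hard = parse_recursive_clients(status_text)
    # Sockets can run out before the configured client limit is reached.
    ceiling = min(hard, socket_limit // sockets_per_client)
    if current >= min(soft, ceiling):
        status = "critical"
    elif current >= warn_ratio * ceiling:
        status = "warn"
    else:
        status = "ok"
    return {
        "current": current,
        "effective_ceiling": ceiling,
        "est_sockets": current * sockets_per_client,
        "status": status,
    }


if __name__ == "__main__":
    for name, text in (("normal", SAMPLE_NORMAL), ("outage", SAMPLE_OUTAGE)):
        print(name, assess(text))
```

Feed it the output of `rndc status` from a scheduled job and alert on `warn` or `critical`, so a loss of upstream connectivity shows up as rising client counts before queries start being dropped.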
