SERVFAIL and peak utilization

Alex mysqlstudent at gmail.com
Thu Jul 26 18:51:08 UTC 2018


Hi,

On Thu, Jul 26, 2018 at 1:57 PM, John Miller <johnmill at brandeis.edu> wrote:
> Hi Alex,
>
> What does your query volume look like on this server?  Depending on
> volume, the BIND defaults for:
>
> - clients-per-query
> - max-clients-per-query
> - recursive-clients
> - tcp-clients
>
> and others may not be set high enough.  Check pp. 106-108 in the
> latest 9.11 manual for more details on each of these.
>
> Of course, if you're only seeing SERVFAIL for a handful of domains,
> then they may have some sort of delegation issue, or there might be a
> network issue between your caching servers and them.

I think it's happening more frequently than for just a remote
misconfigured system. Here is my rndc status, but it doesn't appear to
provide all values you've requested.

It's also occurring for queries to trustworthy remote sources:
26-Jul-2018 14:48:22.975 query-errors: debug 1: client @0x7fddb400c570
127.0.0.1#56094 (mail-dm3nam03on0041.outbound.protection.outlook.com):
query failed (SERVFAIL) for
mail-dm3nam03on0041.outbound.protection.outlook.com/IN/A at
../../../bin/named/query.c:8580

# rndc status
version: BIND 9.11.4-RedHat-9.11.4-1.fc28 (Extended Support Version)
<id:2fe4344>
running on bwimail03.guardiandigital.com: Linux x86_64
4.17.7-200.fc28.x86_64 #1 SMP Tue Jul 17 16:28:31 UTC 2018
boot time: Thu, 26 Jul 2018 18:47:52 GMT
last configured: Thu, 26 Jul 2018 18:47:52 GMT
configuration file: /etc/named.conf (/var/named/chroot/etc/named.conf)
CPUs found: 8
worker threads: 8
UDP listeners per interface: 7
number of zones: 103 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 63/900/1000
tcp clients: 0/150
server is up and running

I've also now confirmed it's happening at times of regular network
activity. I'm really stuck. I hope someone can help.

Thanks,
Alex


>
> John
>
>
> On Thu, Jul 26, 2018 at 1:07 PM, Alex <mysqlstudent at gmail.com> wrote:
>> Hi,
>>
>> I have a bind-9.11.4 server on a Fedora 28 system and am frequently
>> seeing SERVFAIL errors like this:
>>
>> 26-Jul-2018 12:54:04.255 query-errors: info: client @0x7f764314a5c0
>> 127.0.0.1#50719 (223.178.102.199.cidr.bl.mcafee.com): query failed
>> (SERVFAIL) for 223.178.102.199.cidr.bl.mcafee.com/IN/A at
>> ../../../bin/named/query.c:4140
>>
>> I believe this happens more frequently at times of peak link
>> utilization, but it also appears to happen during normal times.
>>
>> This is a local caching server I've set up, but it also appears to
>> exist on other systems that have been set up to be authoritative for
>> our domain.
>>
>> How can I troubleshoot this further?
>>
>> Here is the named.conf for this caching server:
>>
>> acl "trusted" {
>>         127/8;
>>         68.195.191.40/29;
>>         192.168.1.0/24;
>>         107.155.67.2/32;
>> };
>>
>> options {
>>         listen-on port 53 { 127.0.0.1; 68.195.191.45; };
>>         listen-on-v6 port 53 { none; };
>>         directory "/var/named";
>>         dump-file "/var/named/data/cache_dump.db";
>>         statistics-file "/var/named/data/named.stats";         // _PATH_STATS
>>         memstatistics-file "/var/named/data/named.memstats";   // _PATH_MEMSTATS
>>         allow-query     { trusted; };
>>         recursion yes;
>>         zone-statistics yes;
>>
>>         // dnssec-enable yes;
>>         // dnssec-validation yes;
>>         // dnssec-lookaside auto;
>>
>>         dnssec-enable no;
>>         dnssec-validation no;
>>         dnssec-lookaside no;
>>
>>         /* Path to ISC DLV key */
>>         bindkeys-file "/etc/named.iscdlv.key";
>>
>>         managed-keys-directory "/var/named/dynamic";
>> };
>>
>> logging {
>>         channel default_debug {
>>                 file "data/named.run";
>>                 severity dynamic;
>>         };
>>
>>         // Record all queries to the box for now
>>         channel query_info {
>>                 severity info;
>>                 file "/var/log/named.query.log" versions 3 size 10m;
>>                 print-time yes;
>>                 print-category yes;
>>         };
>>
>>         // added for fail2ban support
>>         channel security_file {
>>                 severity dynamic;
>>                 file "/var/log/named.security.log" versions 3 size 30m;
>>                 print-time yes;
>>                 print-category yes;
>>         };
>>
>>         channel b_debug {
>>                 file "/var/log/named.debug.log" versions 2 size 10m;
>>                 print-time yes;
>>                 print-category yes;
>>                 print-severity yes;
>>                 severity dynamic;
>>         };
>>
>>         // Send the security related messages to a separate file.
>>         channel audit_log {
>>                 file "/var/log/named.audit.log" versions 4 size 10m;
>>                 severity info;
>>                 print-time yes;
>>                 print-category yes;
>>         };
>>
>>         category queries { query_info; };
>>         category default { b_debug; };
>>         category config { b_debug; };
>>         category security { security_file; };
>>         // category lame-servers { audit_log; };
>>         category lame-servers { null; };
>> };
>>
>> zone "." IN {
>>         type hint;
>>         file "/var/named/named.ca";
>> };
>>
>> zone "localhost.localdomain" IN {
>>         type master;
>>         file "named.localhost";
>>         allow-update { none; };
>> };
>>
>> zone "localhost" IN {
>>         type master;
>>         file "named.localhost";
>>         allow-update { none; };
>> };
>>
>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>>         type master;
>>         file "named.loopback";
>>         allow-update { none; };
>> };
>>
>> zone "1.0.0.127.in-addr.arpa" IN {
>>         type master;
>>         file "named.loopback";
>>         allow-update { none; };
>> };
>>
>> zone "0.in-addr.arpa" IN {
>>         type master;
>>         file "named.empty";
>>         allow-update { none; };
>> };
>>
>> include "/etc/named.root.key";
>> include "/etc/rndc.key";
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
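Added example for this thread (not code from the poster, from John, or from ISC BIND): a script that turns the two checks raised above into something you can run over the logs. It parses query-errors lines like the ones quoted (with mail-wrapped lines re-joined first) to see whether the SERVFAILs cluster in a few zones or are spread across many, and it reads the "recursive clients: current/soft/hard" and "tcp clients: current/max" counters from `rndc status`. The parent-domain grouping, the 50% threshold, and every sample line beyond the two quoted in the thread are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Triage BIND 9.11 query-errors SERVFAILs against `rndc status` (added example).

Separates SERVFAILs concentrated in a few zones (delegation or reachability
trouble at the remote end) from SERVFAILs spread across many zones (the
resolver itself under pressure), and reads the client-quota counters.
"""
import re
from collections import Counter
from datetime import datetime

# One query-errors record (mail-wrapped lines re-joined first), e.g.
# 26-Jul-2018 12:54:04.255 query-errors: info: client @0x7f76... 127.0.0.1#50719
#   (name): query failed (SERVFAIL) for name/IN/A at ../../../bin/named/query.c:4140
QUERY_ERROR_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ query-errors: "
    r"(?P<sev>\w+(?: \d+)?): client (?:@0x[0-9a-f]+ )?"
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"query failed \((?P<rcode>[A-Z]+)\) for "
    r"(?P<name>[^/\s]+)/(?P<class>\w+)/(?P<qtype>\w+)"
)

def parse_query_error(line):
    """Fields of one query-errors line, or None if the line is something else."""
    m = QUERY_ERROR_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec

def parent_domain(name, labels=2):
    """Crude zone grouping: the last `labels` labels of the name (an assumption;
    it ignores public-suffix rules such as co.uk, which is fine for triage)."""
    return ".".join(name.split(".")[-labels:])

def summarize_servfails(lines):
    """Count SERVFAILs per parent domain and per minute -> (by_domain, by_minute, total)."""
    by_domain, by_minute, total = Counter(), Counter(), 0
    for line in lines:
        rec = parse_query_error(line)
        if rec is None or rec["rcode"] != "SERVFAIL":
            continue
        total += 1
        by_domain[parent_domain(rec["name"])] += 1
        by_minute[rec["when"].strftime("%d-%b-%Y %H:%M")] += 1
    return by_domain, by_minute, total

def classify(by_domain, total, top_share=0.5):
    """'concentrated' when a single parent domain holds >= top_share of the
    SERVFAILs (check that zone's delegation and reachability first); otherwise
    'dispersed' (look at the resolver's limits and its upstream link).
    The 50% threshold is an assumption for this example, not a BIND figure."""
    if total == 0:
        return "none"
    return "concentrated" if max(by_domain.values()) / total >= top_share else "dispersed"

def parse_rndc_status(text):
    """Client-quota counters from `rndc status` output. 'recursive clients: a/b/c'
    is current/soft-limit/hard-limit; above the soft limit each new recursive
    request causes a pending one to be dropped. 'tcp clients: a/b' is current/max."""
    out = {}
    m = re.search(r"recursive clients: (\d+)/(\d+)/(\d+)", text)
    if m:
        cur, soft, hard = (int(x) for x in m.groups())
        out["recursive_clients"] = {"current": cur, "soft": soft, "hard": hard,
                                    "over_soft": cur >= soft}
    m = re.search(r"tcp clients: (\d+)/(\d+)", text)
    if m:
        cur, limit = (int(x) for x in m.groups())
        out["tcp_clients"] = {"current": cur, "max": limit, "at_limit": cur >= limit}
    return out

# Constructed sample: the two records quoted in the thread (re-joined onto one
# line each), four invented ones, and an unrelated line that must be skipped.
SAMPLE_LOG = [
    "26-Jul-2018 12:54:04.255 query-errors: info: client @0x7f764314a5c0 127.0.0.1#50719 (223.178.102.199.cidr.bl.mcafee.com): query failed (SERVFAIL) for 223.178.102.199.cidr.bl.mcafee.com/IN/A at ../../../bin/named/query.c:4140",
    "26-Jul-2018 12:54:09.102 query-errors: info: client @0x7f764314a5c0 127.0.0.1#50720 (17.22.1.5.cidr.bl.mcafee.com): query failed (SERVFAIL) for 17.22.1.5.cidr.bl.mcafee.com/IN/A at ../../../bin/named/query.c:4140",
    "26-Jul-2018 14:48:22.975 query-errors: debug 1: client @0x7fddb400c570 127.0.0.1#56094 (mail-dm3nam03on0041.outbound.protection.outlook.com): query failed (SERVFAIL) for mail-dm3nam03on0041.outbound.protection.outlook.com/IN/A at ../../../bin/named/query.c:8580",
    "26-Jul-2018 14:48:23.412 query-errors: info: client @0x7f7643150e20 127.0.0.1#56095 (4.3.2.1.zen.spamhaus.org): query failed (SERVFAIL) for 4.3.2.1.zen.spamhaus.org/IN/A at ../../../bin/named/query.c:4140",
    "26-Jul-2018 14:48:40.007 query-errors: info: client @0x7f7643150e20 192.168.1.20#41230 (mail.google.com): query failed (SERVFAIL) for mail.google.com/IN/A at ../../../bin/named/query.c:4140",
    "26-Jul-2018 14:49:01.300 query-errors: info: client @0x7f7643150e20 192.168.1.20#41231 (www.microsoft.com): query failed (SERVFAIL) for www.microsoft.com/IN/AAAA at ../../../bin/named/query.c:4140",
    "26-Jul-2018 14:49:02.000 lame-servers: info: this is not a query-errors record and is skipped",
]

# The counter lines from the `rndc status` output quoted in the thread.
SAMPLE_RNDC_STATUS = "recursive clients: 63/900/1000\ntcp clients: 0/150\nserver is up and running\n"

if __name__ == "__main__":
    by_domain, by_minute, total = summarize_servfails(SAMPLE_LOG)
    print(f"{total} SERVFAILs, verdict: {classify(by_domain, total)}")
    for dom, n in by_domain.most_common():
        print(f"  {n:4d}  {dom}")
    for minute, n in sorted(by_minute.items()):
        print(f"  {minute}  {n} SERVFAIL(s)")
    print(parse_rndc_status(SAMPLE_RNDC_STATUS))
```

Run it against the real named.query.log (after re-joining any lines a mail client wrapped) and compare the per-minute SERVFAIL counts with repeated samples of `rndc status` taken over the same window: a single snapshot such as 63/900/1000 only says the quota was not the problem at that instant, so sample it every few seconds while the failures are happening. If the verdict is "dispersed" and the recursive-clients counter never approaches the soft limit, the quota options John listed are not the cause and the next place to look is upstream fetch timeouts on the link to the authoritative servers.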

