SERVFAIL and peak utilization

Alex mysqlstudent at gmail.com
Thu Jul 26 21:49:09 UTC 2018


Hi, here is some further debugging on what I believe are queries
involving SERVFAIL:

26-Jul-2018 17:44:40.168 query-errors: debug 1: client @0x7fbee80f39b0
127.0.0.1#61547 (69.248.70.96.bad.psky.me): query failed (SERVFAIL)
for 69.248.70.96.bad.psky.me/IN/A at ../../../bin/named/query.c:8580
26-Jul-2018 17:44:40.168 query-errors: debug 2: fetch completed at
../../../lib/dns/resolver.c:3927 for 69.248.70.96.bad.psky.me/A in
10.000096: timed out/success
[domain:psky.me,referral:1,restart:2,qrysent:4,timeout:3,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
26-Jul-2018 17:44:40.172 query-errors: debug 1: client @0x7fbed81218a0
127.0.0.1#61547 (176.216.85.209.psbl.surriel.com): query failed
(SERVFAIL) for 176.216.85.209.psbl.surriel.com/IN/A at
../../../bin/named/query.c:8580
26-Jul-2018 17:44:40.172 query-errors: debug 2: fetch completed at
../../../lib/dns/resolver.c:3927 for 176.216.85.209.psbl.surriel.com/A
in 10.000128: timed out/success
[domain:psbl.surriel.com,referral:2,restart:1,qrysent:2,timeout:1,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
26-Jul-2018 17:44:40.173 query-errors: debug 1: client @0x7fbedc134ed0
127.0.0.1#61547 (176.216.85.209.dnsbl-3.uceprotect.net): query failed
(SERVFAIL) for 176.216.85.209.dnsbl-3.uceprotect.net/IN/A at
../../../bin/named/query.c:8580
26-Jul-2018 17:44:40.173 query-errors: debug 2: fetch completed at
../../../lib/dns/resolver.c:3927 for
176.216.85.209.dnsbl-3.uceprotect.net/A in 10.000097: timed
out/success [domain:dnsbl-3.uceprotect.net,referral:2,restart:1,qrysent:2,timeout:1,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

There appears to be a few timeout errors. Is this an indication there
is a performance problem with the cable modem or connection?

Thanks,
Alex


On Thu, Jul 26, 2018 at 1:57 PM, John Miller <johnmill at brandeis.edu> wrote:
> Hi Alex,
>
> What does your query volume look like on this server?  Depending on
> volume, the BIND defaults for:
>
> - clients-per-query
> - max-clients-per-query
> - recursive-clients
> - tcp-clients
>
> and others may not be set high enough.  Check pp. 106-108 in the
> latest 9.11 manual for more details on each of these.
>
> Of course, if you're only seeing SERVFAIL for a handful of domains,
> then they may have some sort of delegation issue, or there might be a
> network issue between your caching servers and them.
>
> John
>
>
> On Thu, Jul 26, 2018 at 1:07 PM, Alex <mysqlstudent at gmail.com> wrote:
>> Hi,
>>
>> I have a bind-9.11.4 server on a fedora28 system and are frequently
>> seeing SERVFAIL errors like this:
>>
>> 26-Jul-2018 12:54:04.255 query-errors: info: client @0x7f764314a5c0
>> 127.0.0.1#50719 (223.178.102.199.cidr.bl.mcafee.com): query failed
>> (SERVFAIL) for 223.178.102.199.cidr.bl.mcafee.com/IN/A at
>> ../../../bin/named/query.c:4140
>>
>> I believe this happens more frequently at times of peak link
>> utilization, but it also appears to happen during normal times.
>>
>> This is a local caching server I've set up but it also appears to
>> exist on other systems that have been set up to be authoritative for
>> our domain.
>>
>> How can I troubleshoot this further?
>>
>> Here is the named.conf for this caching server:
>>
>> acl "trusted" {
>>         { 127/8; };
>>         { 68.195.191.40/29; };
>>         { 192.168.1.0/24; };
>>         { 107.155.67.2/32; };
>> };
>>
>> options {
>> listen-on port 53 { 127.0.0.1; 68.195.191.45; };
>> listen-on-v6 port 53 { none; };
>> directory "/var/named";
>> dump-file "/var/named/data/cache_dump.db";
>>         statistics-file "/var/named/data/named.stats";         // _PATH_STATS
>>         memstatistics-file "/var/named/data/named.memstats";   // _PATH_MEMSTATS
>> allow-query     { trusted; };
>> recursion yes;
>> zone-statistics yes;
>>
>> // dnssec-enable yes;
>> // dnssec-validation yes;
>> // dnssec-lookaside auto;
>>
>> dnssec-enable no;
>> dnssec-validation no;
>> dnssec-lookaside no;
>>
>> /* Path to ISC DLV key */
>> bindkeys-file "/etc/named.iscdlv.key";
>>
>> managed-keys-directory "/var/named/dynamic";
>>
>> };
>>
>> logging {
>>         channel default_debug {
>>                 file "data/named.run";
>>                 severity dynamic;
>>         };
>>
>>         // Record all queries to the box for now
>>         channel query_info {
>>            severity info;
>>            file "/var/log/named.query.log" versions 3 size 10m;
>>            print-time yes;
>>            print-category yes;
>>          };
>>
>>         // added for fail2ban support
>>         channel security_file {
>>            severity dynamic;
>>            file "/var/log/named.security.log" versions 3 size 30m;
>>            print-time yes;
>>            print-category yes;
>>         };
>>
>> channel b_debug {
>> file "/var/log/named.debug.log" versions 2 size 10m;
>> print-time yes;
>> print-category yes;
>> print-severity yes;
>> severity dynamic;
>>         };
>>
>> // Send the security related messages to a separate file.
>> channel audit_log {
>> file "/var/log/named.audit.log" versions 4 size 10m;
>> severity info;
>> print-time yes;
>> print-category yes;
>> };
>>
>>
>>         category queries { query_info; };
>>         category default { b_debug; };
>>         category config { b_debug; };
>>         category security { security_file; };
>> // category lame-servers { audit_log; };
>> category lame-servers { null; };
>>
>> };
>>
>> zone "." IN {
>> type hint;
>> file "/var/named/named.ca";
>> };
>>
>> zone "localhost.localdomain" IN {
>> type master;
>> file "named.localhost";
>> allow-update { none; };
>> };
>>
>> zone "localhost" IN {
>> type master;
>> file "named.localhost";
>> allow-update { none; };
>> };
>>
>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
>> IN {
>> type master;
>> file "named.loopback";
>> allow-update { none; };
>> };
>>
>> zone "1.0.0.127.in-addr.arpa" IN {
>> type master;
>> file "named.loopback";
>> allow-update { none; };
>> };
>>
>> zone "0.in-addr.arpa" IN {
>> type master;
>> file "named.empty";
>> allow-update { none; };
>> };
>>
>> include "/etc/named.root.key";
>> include "/etc/rndc.key";
>> _______________________________________________
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


More information about the bind-users mailing list