TCP connections left in CLOSE_WAIT in 9.16.15/16

usenet at umbral.org.uk usenet at umbral.org.uk
Thu May 27 11:21:27 UTC 2021


Hello

We updated on Monday from bind-9.16.6/8 to bind-9.16.15/16 on some
public-facing authoritative nameservers.  Since then, we are seeing
a build-up of inbound TCP connections to port 53 being left in
CLOSE_WAIT state indefinitely until named is restarted, or exhausting
the tcp-clients limit if not restarted.  Anyone else seeing similar?

Platform is 64bit ArchLinux 5.12.6-arch1-1.

This sort of thing (netstat -tn):

tcp        1      0 194.83.56.250:53        40.113.98.76:13214      CLOSE_WAIT
tcp        1      0 194.83.56.250:53        52.232.251.180:61357    CLOSE_WAIT
tcp        1      0 194.83.56.250:53        137.116.220.118:11234   CLOSE_WAIT
tcp        1      0 194.83.56.250:53        23.100.54.67:17825      CLOSE_WAIT
tcp        1      0 194.83.56.250:53        94.245.94.142:12397     CLOSE_WAIT
etc etc etc

On cursory examination, all of the querying IPs appear to be registered
to Microsoft, may imply Windows resolvers, querying for large TXT records
without EDNS, eg the first above:

May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b08033908 40.113.98.76#50868 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT - (194.83.56.250)

May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b0895b348 40.113.98.76#13214 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT -T (194.83.56.250)


Regards,
Ronan Flood
(resurrecting an old bind-users subbed address for this, if it works!)
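
The correlation described in the message above, as an added example that is not part of the original post: it lists CLOSE_WAIT sockets on local port 53 from `netstat -tn` output and matches each peer address and port to the TCP query in named's query log. The function names are illustrative, the flag reading (T = TCP, E = EDNS) follows BIND's query-log format, and the sample input is copied from the post with wrapped lines rejoined.

```python
import re
from collections import Counter

# Sample input copied from the post above, with wrapped lines rejoined.
NETSTAT = """\
tcp        1      0 194.83.56.250:53        40.113.98.76:13214      CLOSE_WAIT
tcp        1      0 194.83.56.250:53        52.232.251.180:61357    CLOSE_WAIT
tcp        1      0 194.83.56.250:53        137.116.220.118:11234   CLOSE_WAIT
"""
QUERYLOG = """\
May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b08033908 40.113.98.76#50868 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT - (194.83.56.250)
May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b0895b348 40.113.98.76#13214 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT -T (194.83.56.250)
"""

# named query-log line: client [@obj] ip#port (name): query: qname class type flags
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \(.*?\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)")

def close_wait_peers(netstat_text, port=53):
    """Return [(remote_ip, remote_port)] for CLOSE_WAIT sockets on a local port."""
    peers = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "CLOSE_WAIT":
            if f[3].rsplit(":", 1)[1] == str(port):
                ip, rport = f[4].rsplit(":", 1)
                peers.append((ip, int(rport)))
    return peers

def tcp_queries(log_text):
    """Map (client_ip, client_port) -> query details, TCP queries only."""
    out = {}
    for m in QUERY_RE.finditer(log_text):
        if "T" in m["flags"]:  # T = query arrived over TCP
            out[(m["ip"], int(m["port"]))] = {
                "qname": m["qname"], "qtype": m["qtype"], "edns": "E" in m["flags"]}
    return out

def report(netstat_text, log_text, port=53):
    """Count stuck sockets per peer IP and attach the logged query, if any."""
    peers = close_wait_peers(netstat_text, port)
    queries = tcp_queries(log_text)
    matched = [(p, queries[p]) for p in peers if p in queries]
    return {"total": len(peers), "per_ip": Counter(ip for ip, _ in peers), "matched": matched}

if __name__ == "__main__":
    print(report(NETSTAT, QUERYLOG))
```

Comparing `total` against the configured tcp-clients limit shows how close named is to refusing new TCP clients.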