On Wed, 4 May 2005 16:22:53 -0400 Matt Sergeant <[EMAIL PROTECTED]> wrote:
> I'd love to hear of a larger scale rollout of high_perf. We've been
> pretty happy with it so far (except for ip_conntrack tables filling up
> - if anyone knows why that is - I suspect it's to do with Danga::DNS -
> please let me know).

On what scale are you using high_perf?

Is Danga::DNS::Resolver talking to your nameserver, or is it doing the lookups itself? Is there an ip_conntrack running between ::Resolver and your nameserver?

In terms of mitigation: What's your /proc/sys/net/ipv4/ip_conntrack_max set to? Have you analyzed a snapshot of /proc/net/ip_conntrack? You could send DNS to the -t raw -j NOTRACK target.

Brian
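
Added example, not part of the original message: one way to analyze a snapshot of /proc/net/ip_conntrack is to count entries by protocol and original destination port, which shows whether DNS lookups are what fills the table. The sample lines, the function names `parse_entry` and `summarize`, and the limit of 8 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the /proc/net/ip_conntrack line format (not from the thread).
SAMPLE = """\
udp      17 27 src=10.0.0.5 dst=10.0.0.2 sport=40001 dport=53 [UNREPLIED] src=10.0.0.2 dst=10.0.0.5 sport=53 dport=40001 use=1
udp      17 12 src=10.0.0.5 dst=10.0.0.2 sport=40002 dport=53 src=10.0.0.2 dst=10.0.0.5 sport=53 dport=40002 use=1
udp      17 170 src=10.0.0.5 dst=10.0.0.2 sport=40003 dport=53 src=10.0.0.2 dst=10.0.0.5 sport=53 dport=40003 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.0.2.7 dst=10.0.0.5 sport=51234 dport=25 src=10.0.0.5 dst=192.0.2.7 sport=25 dport=51234 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.0.2.9 dst=10.0.0.5 sport=51300 dport=25 src=10.0.0.5 dst=192.0.2.9 sport=25 dport=51300 [ASSURED] use=1
"""

DPORT = re.compile(r"\bdport=(\d+)")


def parse_entry(line):
    """Return (proto, original-direction dport, state) for one line, or None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    proto = fields[0]
    match = DPORT.search(line)  # the first dport= belongs to the original direction
    dport = int(match.group(1)) if match else None
    if proto == "tcp":
        state = fields[3]  # the TCP state name follows the timeout column
    elif "[UNREPLIED]" in fields:
        state = "UNREPLIED"
    elif "[ASSURED]" in fields:
        state = "ASSURED"
    else:
        state = "REPLIED"
    return proto, dport, state


def summarize(snapshot, conntrack_max=None):
    """Count entries per (proto, dport) and per (proto, state); report table fill."""
    entries = [e for e in map(parse_entry, snapshot.splitlines()) if e]
    by_flow = Counter((p, d) for p, d, _ in entries)
    by_state = Counter((p, s) for p, _, s in entries)
    dns = sum(n for (_, d), n in by_flow.items() if d == 53)
    report = {"total": len(entries), "dns": dns,
              "by_flow": by_flow, "by_state": by_state}
    if conntrack_max:
        report["fill"] = len(entries) / conntrack_max
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE, conntrack_max=8)  # 8 is a constructed limit
    print(result["total"], result["dns"], result["by_flow"].most_common(3))
```

On a live host, pass the contents of a saved snapshot file and the value read from /proc/sys/net/ipv4/ip_conntrack_max in place of the constructed inputs.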
