Re: Re: clients-per-query vs max-clients-per-query
On 07-Jun-14 12:36, Evan Hunt wrote:
> On Sat, Jun 07, 2014 at 12:02:24PM -0400, Jorge Fábregas wrote:
>> For me, this clients-per-query of 10 is an upper limit (maximum number of clients before it starts dropping). So then, what's the purpose of max-clients-per-query?
>
> Over time, as it runs, named tries to self-tune the clients-per-query value. If you set clients-per-query to 10 and max-clients-per-query to 100 (i.e., the default values), that means that the initial limit will be 10, but if we ever actually hit the limit and drop a query, we try adjusting the limit up to 15, then 20, and so on, until we can keep up with the queries *or* until we reach 100. Once we get to a point where we're not spilling queries anymore, we start experimentally adjusting the limit back downward -- reducing it by 1 every 20 minutes, if I recall correctly.
>
> If clients-per-query is 0, that means we don't have a clients-per-query limit at all. If max-clients-per-query is 0, that means there's no upper bound on clients-per-query and it can grow as big as it needs to.

This doesn't quite make sense, assuming I understand it correctly from your + Mark's descriptions.

Consider a continuous stream of queries to a slow server. For the sake of exposition, assume the incremental adjustment is 1 rather than 5.

Named drops the 11th query, but increases the limit. So the 12th query will be accepted. Why is the 12th query more valuable than the 11th?

Next, the limit is 11, but the 13th arrives - is dropped, the limit increased. So the 14th is accepted. And this continues, dropping every other (actually every 5i-th) query until there's a response or the max is reached.

Meantime, named expects the clients whose requests were dropped to retry. (Typically 3 sec, up to 5 times.) If there's a delay at the next stage of resolution, a client has the same chance of being unlucky again.

This algorithm seems to attempt to deal with two distinct cases:

 o drop abusive bursts
 o limit resource consumption by unresponsive servers/servers of varying responsiveness

For the former, a global threshold makes some sense - an abusive burst of queries can be for multiple zones - or focused on one. But isn't this what response rate limiting is for? Given RRL, does this still make sense?

For the latter, separating the measurement/threshold tuning from the decision to drop would seem to produce more sensible behavior than dropping every 5i-th packet. And for it to make any sense at all, it must be adjusted per server, not globally...

Or I'm missing something, in which case the documentation needs some more/different words :-(

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Re: clients-per-query vs max-clients-per-query
On Sun, Jun 08, 2014 at 09:45:23AM -0400, Timothe Litt wrote:
> Consider a continuous stream of queries to a slow server. For the sake of exposition, assume the incremental adjustment is 1 rather than 5.
>
> Named drops the 11th query, but increases the limit.

It only increases the limit if one of the pending queries for that name got an answer back. If the authoritative server's not responding at all, we just carry on dropping queries, but if it *is* answering -- just not quickly enough to keep up with demand -- then we adjust our queue lengths.

The code was written before my time, so I'm only guessing here, but I suspect the idea was to adapt to the situation where you have a fast local network and a slow upstream connection. If we're getting queries for popular names faster than we can resolve them, it may make sense to buffer more queries.

> For the former, a global threshold makes some sense - an abusive burst of queries can be for multiple zones - or focused on one. But isn't this what response rate limiting is for? Given RRL, does this still make sense?

RRL is response rate limiting -- it applies to output not input.

> For the latter, separating the measurement/threshold tuning from the decision to drop would seem to produce more sensible behavior than dropping every 5i-th packet. And for it to make any sense at all, it must be adjusted per server, not globally...

As it happens I'm in the middle of a research project on this very subject; future releases will probably have some additional per-server throttling and holddown controls and more finely adjustable drop policies. Stay tuned.

> Or I'm missing something, in which case the documentation needs some more/different words :-(

If the above was helpful and you feel inspired to rephrase it into text for the ARM, I'm always happy to take your patches. :)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
clients-per-query vs max-clients-per-query
Hi,

I'm trying to understand the difference between clients-per-query and max-clients-per-query. I found a nice explanation by Mark Andrews here [1] but then I wondered about max-clients-per-query.

Given a clients-per-query of 10, I assume that named will only queue up 10 clients before it starts dropping queries. As far as I understand, there would be one outstanding recursive-client (doing the actual recursion for a given name/type) and when it finally receives the answer it will give it to the other 9 clients that were waiting.

For me, this clients-per-query of 10 is an upper limit (maximum number of clients before it starts dropping). So then, what's the purpose of max-clients-per-query?

Thanks.

--
Jorge

[1]: https://lists.isc.org/pipermail/bind-users/2011-March/083330.html
Re: clients-per-query vs max-clients-per-query
On Sat, Jun 07, 2014 at 12:02:24PM -0400, Jorge Fábregas wrote:
> For me, this clients-per-query of 10 is an upper limit (maximum number of clients before it starts dropping). So then, what's the purpose of max-clients-per-query?

Over time, as it runs, named tries to self-tune the clients-per-query value. If you set clients-per-query to 10 and max-clients-per-query to 100 (i.e., the default values), that means that the initial limit will be 10, but if we ever actually hit the limit and drop a query, we try adjusting the limit up to 15, then 20, and so on, until we can keep up with the queries *or* until we reach 100. Once we get to a point where we're not spilling queries anymore, we start experimentally adjusting the limit back downward -- reducing it by 1 every 20 minutes, if I recall correctly.

If clients-per-query is 0, that means we don't have a clients-per-query limit at all. If max-clients-per-query is 0, that means there's no upper bound on clients-per-query and it can grow as big as it needs to.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
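Evan's description of the self-tuning limit (10, then 15, then 20, up to max-clients-per-query; the step up taken only once a pending query for the name is answered, as he says in his follow-up to Timothe; and the decay of 1 every 20 minutes) is easy to check in a small model. The following Python simulation is an added example written for this page; it is not BIND's code, and the exact trigger and decay bookkeeping is an assumption. `ClientsPerQuery`, `Fetch` and `simulate_flash_crowd` are this example's own names.

```python
"""Toy model of named's self-tuning clients-per-query limit.

Added example written for this thread; it is not BIND source code. It follows
Evan Hunt's description: the limit starts at clients-per-query, grows in steps
of 5 (only once a fetch that had to spill clients gets its answer back) up to
max-clients-per-query, and decays by 1 every 20 minutes while nothing is being
spilled. A value of 0 for clients-per-query disables the limit; 0 for
max-clients-per-query removes the upper bound. The precise trigger and decay
bookkeeping here is a simplification (assumption), not named's real code.
"""
from dataclasses import dataclass, field

STEP = 5                   # "up to 15, then 20, and so on"
DECAY_INTERVAL = 20 * 60   # seconds: "reducing it by 1 every 20 minutes"


@dataclass
class Fetch:
    """One in-flight recursion for a (qname, qtype, qclass) tuple."""
    waiting: list = field(default_factory=list)  # clients queued on this fetch
    dropped: int = 0                             # clients spilled while pending


@dataclass
class ClientsPerQuery:
    initial: int = 10      # clients-per-query
    maximum: int = 100     # max-clients-per-query
    limit: int = field(init=False)
    fetches: dict = field(default_factory=dict)
    last_decay: float = 0.0
    spilled_since_decay: bool = False

    def __post_init__(self):
        self.limit = self.initial

    def query(self, key, client, now):
        """Handle one client query; return 'start', 'queued' or 'dropped'."""
        self._maybe_decay(now)
        fetch = self.fetches.get(key)
        if fetch is None:
            self.fetches[key] = Fetch(waiting=[client])
            return "start"
        if self.initial != 0 and len(fetch.waiting) >= self.limit:
            fetch.dropped += 1
            self.spilled_since_decay = True
            return "dropped"           # the client is expected to retry
        fetch.waiting.append(client)
        return "queued"

    def answer(self, key):
        """The answer arrived: release the waiters, grow the limit if we spilled."""
        fetch = self.fetches.pop(key)
        if fetch.dropped and self.initial != 0:
            grown = self.limit + STEP
            self.limit = grown if self.maximum == 0 else min(grown, self.maximum)
        return fetch.waiting

    def _maybe_decay(self, now):
        """Every 20 minutes without spills, step the limit back down by one."""
        if now - self.last_decay < DECAY_INTERVAL:
            return
        self.last_decay = now
        if not self.spilled_since_decay and self.limit > self.initial:
            self.limit -= 1
        self.spilled_since_decay = False


def simulate_flash_crowd(n_clients, initial=10, maximum=100):
    """n_clients ask for one name before its answer arrives, in two rounds.

    Returns (dropped in round 1, limit after round 1, dropped in round 2).
    """
    cpq = ClientsPerQuery(initial, maximum)
    key = ("www.example.com.", "A", "IN")       # constructed sample name
    first = sum(cpq.query(key, f"c{i}", now=1.0) == "dropped" for i in range(n_clients))
    cpq.answer(key)
    limit_after = cpq.limit
    second = sum(cpq.query(key, f"c{i}", now=2.0) == "dropped" for i in range(n_clients))
    cpq.answer(key)
    return first, limit_after, second


if __name__ == "__main__":
    print(simulate_flash_crowd(20))          # defaults: (10, 15, 5)
    print(simulate_flash_crowd(20, 10, 12))  # capped by max-clients-per-query: (10, 12, 8)
    print(simulate_flash_crowd(20, 0, 100))  # clients-per-query 0: nothing dropped
```

With the defaults, 20 clients hitting a cold name spill 10 the first time, 5 the second and none the third, which is the "increased to 15" progression seen in the logs elsewhere in this thread; with max-clients-per-query 20 the limit stops growing there no matter how many clients keep spilling.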
Re: clients-per-query vs max-clients-per-query
On 06/07/2014 12:36 PM, Evan Hunt wrote:
> Over time, as it runs, named tries to self-tune the clients-per-query value. If you set clients-per-query to 10 and max-clients-per-query to 100 (i.e., the default values), that means that the initial limit will be 10, but if we ever actually hit the limit and drop a query, we try adjusting the limit up to 15, then 20, and so on, until we can keep up with the queries *or* until we reach 100. Once we get to a point where we're not spilling queries anymore, we start experimentally adjusting the limit back downward -- reducing it by 1 every 20 minutes, if I recall correctly.
>
> If clients-per-query is 0, that means we don't have a clients-per-query limit at all. If max-clients-per-query is 0, that means there's no upper bound on clients-per-query and it can grow as big as it needs to.

Ah. Eureka! Thank you very much Evan. That was wonderful! I finally got it :)

Thanks, very much appreciated!

All the best,
Jorge
Re: clients-per-query increased to 15
On 09.04.13 13:56, Dwayne Hottinger wrote:
> I've started having some issues with one of my subnets. I'm seeing messages like the following in my log files:
>
> clients-per-query increased to 15

This applies to recursive queries. Don't you have malware on the network? If not, this is just an informational message meaning that too many clients are trying to resolve the same record.

> I did a little googling and found where this is adjustable per the named.conf. I currently don't have anything in my named.conf that outlines this. I'm currently running BIND 9.9.1-P2 with 31 zone files (all on a separate subnet). The server has 8 virtual interfaces that answer for each subnet.

Does it make sense to have 8 interfaces? I believe you could go with one interface without problems.

> This worked fine in the past, but I think I may have reached my limit. DNS and DHCP run on the same server. Can I increase this limit to help my dns issue, or is this going to be counterproductive? Should I separate and run a physical dns server at each site, instead of using one for all 8 sites? There are gig links between each site and my dns server.

I don't think you need separate BIND servers, although you may want to have at least two of them, to have backup if one fails.

imho you should first answer my first question and then you see if you need to increase clients-per-query or not.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
clients-per-query
I keep seeing messages in my named.log file that say things like "clients-per-query increased to 30", then later it says "clients-per-query decreased" to a lower number. When this happens, lookups seem to not be working. What is an acceptable value for a large network?

ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: clients-per-query
From: Dwayne Hottinger dhottin...@harrisonburg.k12.va.us
> I keep seeing messages in my named.log file that say things like "clients-per-query increased to 30", then later it says "clients-per-query decreased" to a lower number. When this happens, lookups seem to not be working. What is an acceptable value for a large network?

For the same reason it was increased to 15 in this thread:
https://lists.isc.org/pipermail/bind-users/2013-April/090402.html

Do you have a bottleneck on your queries to authoritative servers? If your recursive server can't resolve it for the first few clients that ask the question, it queues the query for subsequent clients that ask the same question. And it can't respond to any of them until it receives the answer from the authoritative server.

What do your client queries look like? Have you turned on query logging to see what the clients are trying to resolve? Which are your top clients? Did you do something to the cache settings? How many clients are you trying to support?
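The questions in this reply (what are the clients asking for, who are the top clients) are exactly what query logging answers, and it is worth having a script ready before the next "clients-per-query increased" notice. The following Python script is an added example, not part of the thread or of BIND: it tallies queries per client and per name from a query log and also picks up the clients-per-query increased/decreased notices. The log lines are constructed, and their layout assumes a BIND 9.9-style file channel with print-time, print-category and print-severity switched on (adjust `QUERY_RE` to your own channel settings); `summarize`, `dominant_clients` and `report` are this example's own names.

```python
"""Summarise a BIND query log to see what the clients are asking for.

Added example; not from the thread or from ISC. SAMPLE_LOG is constructed and
modelled on what BIND 9.9 writes to a file channel with print-time,
print-category and print-severity enabled (an assumption about the exact
layout; adapt the regexes to your own logging configuration).
"""
import re
from collections import Counter

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
# The self-tuning notices are logged by the resolver, not in the query log.
CPQ_RE = re.compile(r"clients-per-query (?P<dir>increased|decreased) to (?P<n>\d+)")

SAMPLE_LOG = """\
10-Apr-2013 10:27:24.101 queries: info: client 192.0.2.77#49152: query: update.example.net IN A + (192.0.2.1)
10-Apr-2013 10:27:24.102 queries: info: client 192.0.2.77#49153: query: update.example.net IN A + (192.0.2.1)
10-Apr-2013 10:27:24.103 queries: info: client 192.0.2.15#53421: query: www.example.org IN A + (192.0.2.1)
10-Apr-2013 10:27:24.104 queries: info: client 192.0.2.77#49154: query: update.example.net IN A + (192.0.2.1)
10-Apr-2013 10:27:24.105 queries: info: client 192.0.2.77#49155: query: update.example.net IN A + (192.0.2.1)
10-Apr-2013 10:27:24.106 queries: info: client 192.0.2.23#51001: query: mail.example.org IN MX + (192.0.2.1)
10-Apr-2013 10:27:24.107 queries: info: client 192.0.2.77#49156: query: update.example.net IN A + (192.0.2.1)
10-Apr-2013 10:27:24.108 resolver: notice: clients-per-query increased to 15
10-Apr-2013 10:27:24.109 queries: info: client 192.0.2.77#49157: query: update.example.net IN A + (192.0.2.1)
10-Apr-2013 10:27:24.110 queries: info: client 192.0.2.42#40222: query: www.example.org IN AAAA + (192.0.2.1)
10-Apr-2013 10:27:24.111 queries: info: client 192.0.2.77#49158: query: update.example.net IN A + (192.0.2.1)
""".splitlines()


def summarize(lines):
    """Return (queries per client IP, queries per (qname, qtype), tuning events)."""
    clients, names, events = Counter(), Counter(), []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            clients[m["ip"]] += 1
            names[(m["qname"].lower(), m["qtype"])] += 1
            continue
        m = CPQ_RE.search(line)
        if m:
            events.append((m["dir"], int(m["n"])))
    return clients, names, events


def dominant_clients(clients, share=0.5):
    """Client IPs that sent more than `share` of all logged queries.

    One host generating most of the traffic for one name is the pattern this
    thread is chasing; such a host deserves a look before the limit is raised.
    """
    total = sum(clients.values())
    return [ip for ip, n in clients.most_common() if total and n / total > share]


def report(lines=SAMPLE_LOG):
    """Print the usual first-look summary and return the raw tallies."""
    clients, names, events = summarize(lines)
    print("top clients:", clients.most_common(3))
    print("top names:  ", names.most_common(3))
    print("tuning:     ", events)
    print("dominant:   ", dominant_clients(clients))
    return clients, names, events


if __name__ == "__main__":
    report()
```

On the constructed sample one client (192.0.2.77) accounts for 7 of 10 queries, all for the same A record, and the clients-per-query notice appears in the middle of that burst: that correlation, rather than the absolute value of the limit, is what tells you whether to raise clients-per-query or to go and look at the host.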
Re: clients-per-query
Sorry, my spambox grabbed your earlier reply, my apologies. My clients are a mixed environment of macs, windows 7/xp, androids, etc. At any one time I'll have over 3000 devices connected to the network. I actually have one internal dns server for internal network and 2 external dns servers. I turned on logging for queries on all the dns servers and will monitor that. I'm currently searching the logs to see if some clients query more than others to try and figure out if one is infected with some kind of malware.

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: clients-per-query
Dwayne Hottinger dhottin...@harrisonburg.k12.va.us wrote on 04/10/2013 10:27:24 AM:
> Sorry, my spambox grabbed your earlier reply, my apologies. My clients are a mixed environment of macs, windows 7/xp, androids, etc. At any one time I'll have over 3000 devices connected to the network. I actually have one internal dns server for internal network and 2 external dns servers. I turned on logging for queries on all the dns servers and will monitor that. I'm currently searching the logs to see if some clients query more than others to try and figure out if one is infected with some kind of malware.

3000 devices isn't much, even for a modest BIND server. Did this configuration work in the past? What changed? Is there a network rate limiting device in place that could be affecting the queries to the authoritative servers? Have you talked to your networking team? They would never make changes without informing, I'm sure. :)
Re: clients-per-query
> 3000 devices isn't much, even for a modest BIND server. Did this configuration work in the past? What changed? Is there a network rate limiting device in place that could be affecting the queries to the authoritative servers? Have you talked to your networking team? They would never make changes without informing, I'm sure. :)

Actually I am the network team and I've made no changes. Which is why this has me very puzzled.

ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
clients-per-query increased to 15
I've started having some issues with one of my subnets. I'm seeing messages like the following in my log files:

clients-per-query increased to 15

I did a little googling and found where this is adjustable per the named.conf. I currently don't have anything in my named.conf that outlines this. I'm currently running BIND 9.9.1-P2 with 31 zone files (all on a separate subnet). The server has 8 virtual interfaces that answer for each subnet. This worked fine in the past, but I think I may have reached my limit. DNS and DHCP run on the same server. Can I increase this limit to help my dns issue, or is this going to be counterproductive? Should I separate and run a physical dns server at each site, instead of using one for all 8 sites? There are gig links between each site and my dns server.

ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Question About max-clients-per-query
I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious.

So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries in a row from one client. If not we are going to have to be creative with some iptables or firewall rules.

Thanks for any help you can lend.

Alan V. Shackelford
Sr. Systems Software Engineer
The Johns Hopkins University and Johns Hopkins Medical Institutions
Baltimore, Maryland USA
410-735-4773
ashac...@jhmi.edu
RE: Question About max-clients-per-query
Not an answer to your basic question but I did want to mention that on most UNIX/Linux terminal sessions you can hit Ctrl-s to stop scrolling and Ctrl-q to resume it.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Alan Shackelford
Sent: Friday, November 18, 2011 10:32 AM
To: bind-users@lists.isc.org
Subject: Question About max-clients-per-query

I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious.

So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries in a row from one client. If not we are going to have to be creative with some iptables or firewall rules.

Thanks for any help you can lend.

Alan V. Shackelford
Sr. Systems Software Engineer
The Johns Hopkins University and Johns Hopkins Medical Institutions
Baltimore, Maryland USA
410-735-4773
ashac...@jhmi.edu
Re: Question About max-clients-per-query
Hello,

Read the BIND ARM (Admin Ref. Manual) about these settings, but here is an example of what I use:

    clients-per-query 10 ;
    max-clients-per-query 20 ;

http://www.isc.org/software/bind/documentation

Previously, this resource was posted on this list which is good info to have when investigating BIND behavior:
https://deepthought.isc.org/article/AA-00341/0

HTH

From: Alan Shackelford ashac...@jhmi.edu
To: bind-users@lists.isc.org bind-users@lists.isc.org
Sent: Friday, November 18, 2011 10:32 AM
Subject: Question About max-clients-per-query

I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious.

So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries in a row from one client. If not we are going to have to be creative with some iptables or firewall rules.

Thanks for any help you can lend.

Alan V. Shackelford
Sr. Systems Software Engineer
The Johns Hopkins University and Johns Hopkins Medical Institutions
Baltimore, Maryland USA
410-735-4773
ashac...@jhmi.edu
Re: Q on clients-per-query, max-clients-per-query
----- Original Message -----
From: Mark Andrews
To: Fr34k
Cc: Bindlist
Sent: Wed, March 23, 2011 9:04:00 PM
Subject: Re: Q on clients-per-query, max-clients-per-query

> In message , Fr34k writes:
>> Hello,
>>
>> # The ARM says:
>> # clients-per-query, max-clients-per-query
>> These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (qname,qtype,qclass) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped. If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
>>
>> # Consider that I have:
>> # clients-per-query 10 ; max-clients-per-query 20 ;
>>
>> # What I think this means in hypothetical situations:
>> # 1. If I have 100 customer Windows machines requesting A record(s) for non-responsive-domain.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process?
>>
>> 2. If I have 100 customer Windows machines requesting A record(s) for very-slow-to-respond.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process?
>>
>> Let's say the name servers authoritative for this domain finally respond, then my bind server will respond to the 20 queries. Is this correct, or what is the likely process?
>>
>> Now that I have the A record for www.very-slow-to-respond.com in cache (say TTL is 24h) and it is likely that the 80 unsatisfied customer Windows machines will make another query attempt and, because I have this cached, finally get a response. Is this correct, or what is the likely process?
>>
>> It won't hurt my feeling if someone rather provide a better example that may demonstrate how these settings work.
>
> You have an empty cache. You get a query for google.com. You send a query to the root servers for google.com. Another query for google.com comes in. You add it to the existing query for google.com. You get the answer back from the root servers. You ask the com servers for google.com. You get another 3 queries for google.com; you add these to the original query. You get a response from the com servers. You ask the google.com servers for google.com. You get more queries for google.com. You get an answer back from the google.com servers and you send the answers back to all the clients that asked you for google.com. Future queries for google.com will be answered from the cache until the record expires.
>
> Now if more than 10 clients ask you for google.com while this is happening you will just drop the new clients (they should retry). Named will remember that it dropped clients and as it got an answer it will increase the number of clients that it serves for the next query. It's a little more complicated than this but this will do for this explanation. This lets named adjust to the normal query rate and how far it is from the usual nameservers it talks to round trip wise. This normally takes less than a second.
>
> Now let's say the servers for a zone are unreachable. Named will only queue up 10 clients before it starts dropping them. This stops the recursive client slots all being taken on queries talking to these servers. Similarly, a flash crowd of queries for the same name will be mostly dropped until the answer is received.

So, does BIND behave the same whether it is a single PC making 100 queries for the same record compared to 555 PCs making queries for the same record? That is, how does BIND treat clients-per-query, max-clients-per-query differently based upon the query requesters' IP address(es)?

(I want to assume I know the answer, but I have an interesting network event and I want to be able to understand/communicate the snoop logs we captured)

I'm using 9.7.2-P2, if version is significant.

Thank you.

> Mark
>
>> Thank you.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET:
Re: Q on clients-per-query, max-clients-per-query
> So, does BIND behave the same whether it is a single PC making 100 queries for the same record compared to 555 PCs making queries for the same record? That is, how does BIND treat clients-per-query, max-clients-per-query differently based upon the query requesters' IP address(es)?
>
> (I want to assume I know the answer, but I have an interesting network event and I want to be able to understand/communicate the snoop logs we captured)

Differently. There is also code that drops duplicate queries, although 'duplicate' is based on more than just the client IP address and the query name/type.

> I'm using 9.7.2-P2, if version is significant.

It is. If you're having problems related to your tuning questions, then we'd recommend upgrading to the current 9.7 version 9.7.3 which contains the following bug fix for a specific corner case:

3009. [bug] clients-per-query code didn't work as expected with particular query patterns. [RT #22972]
Re: Q on clients-per-query, max-clients-per-query
In message 688460.82562...@web121414.mail.ne1.yahoo.com, Fr34k writes:
> ----- Original Message -----
> From: Mark Andrews
> To: Fr34k
> Cc: Bindlist
> Sent: Wed, March 23, 2011 9:04:00 PM
> Subject: Re: Q on clients-per-query, max-clients-per-query
>
>> In message , Fr34k writes:
>>> Hello,
>>>
>>> # The ARM says:
>>> # clients-per-query, max-clients-per-query
>>> These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (qname,qtype,qclass) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped. If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
>>>
>>> # Consider that I have:
>>> # clients-per-query 10 ; max-clients-per-query 20 ;
>>>
>>> # What I think this means in hypothetical situations:
>>> # 1. If I have 100 customer Windows machines requesting A record(s) for non-responsive-domain.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process?
>>>
>>> 2. If I have 100 customer Windows machines requesting A record(s) for very-slow-to-respond.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process?
>>>
>>> Let's say the name servers authoritative for this domain finally respond, then my bind server will respond to the 20 queries. Is this correct, or what is the likely process?
>>>
>>> Now that I have the A record for www.very-slow-to-respond.com in cache (say TTL is 24h) and it is likely that the 80 unsatisfied customer Windows machines will make another query attempt and, because I have this cached, finally get a response. Is this correct, or what is the likely process?
>>>
>>> It won't hurt my feeling if someone rather provide a better example that may demonstrate how these settings work.
>>
>> You have an empty cache. You get a query for google.com. You send a query to the root servers for google.com. Another query for google.com comes in. You add it to the existing query for google.com. You get the answer back from the root servers. You ask the com servers for google.com. You get another 3 queries for google.com; you add these to the original query. You get a response from the com servers. You ask the google.com servers for google.com. You get more queries for google.com. You get an answer back from the google.com servers and you send the answers back to all the clients that asked you for google.com. Future queries for google.com will be answered from the cache until the record expires.
>>
>> Now if more than 10 clients ask you for google.com while this is happening you will just drop the new clients (they should retry). Named will remember that it dropped clients and as it got an answer it will increase the number of clients that it serves for the next query. It's a little more complicated than this but this will do for this explanation. This lets named adjust to the normal query rate and how far it is from the usual nameservers it talks to round trip wise. This normally takes less than a second.
>>
>> Now let's say the servers for a zone are unreachable. Named will only queue up 10 clients before it starts dropping them. This stops the recursive client slots all being taken on queries talking to these servers. Similarly, a flash crowd of queries for the same name will be mostly dropped until the answer is received.
>
> So, does BIND behave the same whether it is a single PC making 100 queries for the same record compared to 555 PCs making queries for the same record? That is, how does BIND treat clients-per-query, max-clients-per-query differently based upon the query requesters' IP address(es)?
>
> (I want to assume I know the answer, but I have an interesting network event and I want to be able to understand/communicate the snoop logs we captured)
>
> I'm using 9.7.2-P2, if version is significant.
>
> Thank you.

Named uses the source address, source port and query id to find duplicate queries. Duplicate queries are dropped before the clients-per-query code.

A client is not a machine. It is a process/task on a machine.

The code to find the existing query can fail to find it in the version of named you are running. This is fixed in 9.6.3, 9.7.3 and 9.8.0.

3009. [bug] clients-per-query code didn't work as expected with particular query patterns. [RT #22972]
Q on clients-per-query, max-clients-per-query
Hello,

# The ARM says:
# clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (qname,qtype,qclass) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped. If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.

# Consider that I have:
# clients-per-query 10 ; max-clients-per-query 20 ;

# What I think this means in hypothetical situations:
# 1. If I have 100 customer Windows machines requesting A record(s) for non-responsive-domain.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process?

2. If I have 100 customer Windows machines requesting A record(s) for very-slow-to-respond.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process? Let's say the name servers authoritative for this domain finally respond, then my bind server will respond to the 20 queries. Is this correct, or what is the likely process? Now that I have the A record for www.very-slow-to-respond.com in cache (say TTL is 24h) and it is likely that the 80 unsatisfied customer Windows machines will make another query attempt and, because I have this cached, finally get a response. Is this correct, or what is the likely process?

It won't hurt my feelings if someone would rather provide a better example that may demonstrate how these settings work.

Thank you.
Re: Q on clients-per-query, max-clients-per-query
In message 60834.75625...@web121403.mail.ne1.yahoo.com, Fr34k writes:

Hello,

# The ARM says:
# clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (qname,qtype,qclass) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped. If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.

# Consider that I have:
# clients-per-query 10 ; max-clients-per-query 20 ;

# What I think this means in hypothetical situations:
# 1. If I have 100 customer Windows machines requesting A record(s) for non-responsive-domain.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process?

2. If I have 100 customer Windows machines requesting A record(s) for very-slow-to-respond.com, then my caching server will only recurse the first 20 of such requests and drop the other 80. Is this correct, or what is the likely process? Let's say the name servers authoritative for this domain finally respond, then my bind server will respond to the 20 queries. Is this correct, or what is the likely process? Now that I have the A record for www.very-slow-to-respond.com in cache (say TTL is 24h) and it is likely that the 80 unsatisfied customer Windows machines will make another query attempt and, because I have this cached, finally get a response. Is this correct, or what is the likely process?

It won't hurt my feelings if someone would rather provide a better example that may demonstrate how these settings work.

You have an empty cache. You get a query for google.com. You send a query to the root servers for google.com. Another query for google.com comes in. You add it to the existing query for google.com. You get the answer back from the root servers. You ask the com servers for google.com. You get another 3 queries for google.com; you add these to the original query. You get a response from the com servers. You ask the google.com servers for google.com. You get more queries for google.com. You get an answer back from the google.com servers and you send the answers back to all the clients that asked you for google.com. Future queries for google.com will be answered from the cache until the record expires.

Now if more than 10 clients ask you for google.com while this is happening you will just drop the new clients (they should retry). Named will remember that it dropped clients and as it got an answer it will increase the number of clients that it serves for the next query. It's a little more complicated than this but this will do for this explanation. This lets named adjust to the normal query rate and how far it is from the usual nameservers it talks to, round trip wise. This normally takes less than a second.

Now let's say the servers for a zone are unreachable. Named will only queue up 10 clients before it starts dropping them. This stops the recursive client slots all being taken on queries talking to these servers. Similarly a flash crowd of queries for the same name will be mostly dropped until the answer is received.

Mark

Thank you.

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
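The following is an added toy model of the behaviour Mark walks through above (queries for one name piggy-backing on the in-flight fetch, extra clients dropped past the limit, the limit raised after a successful answer) together with the duplicate-detection point from his follow-up reply earlier on this page (a client is a source address, port and query id, not a machine). It is constructed for this page and is not BIND's code. The step size of 5, the 20-minute decay interval and the exact shape of the duplicate check are assumptions of the model; the thread only says the limit increases after an answer and slowly decays.

```python
# Constructed toy model of BIND's clients-per-query self-tuning as described
# on this thread. Not BIND's code. STEP_UP, DECAY_INTERVAL and the
# (addr, port, id) duplicate check are assumptions of the model.
from collections import defaultdict

STEP_UP = 5               # assumed raise after a fetch that spilled clients
DECAY_INTERVAL = 20 * 60  # assumed: limit drops by 1 every 20 quiet minutes


class Resolver:
    def __init__(self, clients_per_query=10, max_clients_per_query=100):
        self.base = clients_per_query      # configured minimum (0 = no limit)
        self.cap = max_clients_per_query   # upper bound (0 = unbounded)
        self.limit = clients_per_query     # current self-tuned value
        self.fetches = {}      # (qname, qtype, qclass) -> waiting clients
        self.seen = set()      # (src_addr, src_port, query_id) now waiting
        self.spilled = defaultdict(int)    # clients dropped per in-flight fetch
        self.log = []
        self.last_decay = 0.0

    def query(self, now, client, key):
        """client = (src_addr, src_port, query_id), key = (qname, qtype, qclass).
        Returns 'duplicate', 'queued' or 'dropped'."""
        self._decay(now)
        if client in self.seen:
            return "duplicate"   # retransmit: discarded before the cpq check
        waiting = self.fetches.setdefault(key, [])
        if self.limit and len(waiting) >= self.limit:
            self.spilled[key] += 1
            return "dropped"     # a UDP client is expected to retry
        waiting.append(client)
        self.seen.add(client)
        return "queued"

    def answer(self, key):
        """Upstream answered: every waiting client gets the response. If any
        client was dropped while waiting, raise the limit for next time."""
        waiting = self.fetches.pop(key, [])
        self.seen.difference_update(waiting)
        if self.spilled.pop(key, 0) and self.limit:
            new = self.limit + STEP_UP
            if self.cap:
                new = min(new, self.cap)
            if new != self.limit:
                self.limit = new
                self.log.append(f"clients-per-query increased to {new}")
        return waiting

    def fail(self, key):
        """Upstream never answered (unreachable zone): waiting clients get
        nothing and the limit is not raised; only a success raises it."""
        self.seen.difference_update(self.fetches.pop(key, []))
        self.spilled.pop(key, None)

    def _decay(self, now):
        while now - self.last_decay >= DECAY_INTERVAL:
            self.last_decay += DECAY_INTERVAL
            if self.limit > self.base:
                self.limit -= 1
                self.log.append(f"clients-per-query decreased to {self.limit}")


KEY = ("www.example.test.", "A", "IN")   # constructed name


def clients(n, addr="192.0.2.1"):
    """n distinct clients on one machine: same address, different port/id."""
    return [(addr, 50000 + i, i) for i in range(n)]


def flash_crowd(n, cpq=10, max_cpq=100, answered=True):
    """n clients ask for KEY while one fetch is in flight.
    Returns (queued, dropped, limit afterwards)."""
    r = Resolver(cpq, max_cpq)
    results = [r.query(0.0, c, KEY) for c in clients(n)]
    if answered:
        r.answer(KEY)
    else:
        r.fail(KEY)
    return results.count("queued"), results.count("dropped"), r.limit


def tune_cycle():
    """One spilling fetch, then an hour of quiet: up by 5, then down by 1 per
    20 minutes. Returns the final limit and the notice log."""
    r = Resolver(10, 100)
    for c in clients(12):
        r.query(0.0, c, KEY)
    r.answer(KEY)                                   # 2 dropped -> limit 15
    r.query(3 * DECAY_INTERVAL + 1, ("192.0.2.2", 1024, 7), KEY)
    return r.limit, r.log


if __name__ == "__main__":
    print(flash_crowd(100))                  # (10, 90, 15)
    print(flash_crowd(100, max_cpq=12))      # (10, 90, 12): capped
    print(flash_crowd(100, answered=False))  # (10, 90, 10): no raise on failure
    print(flash_crowd(100, cpq=0))           # (100, 0, 0): cpq 0 = no limit
    print(tune_cycle())
```

The `flash_crowd` cases cover the two situations Fr34k asked about: a slow zone that eventually answers (10 served, 90 dropped and expected to retry, limit raised to 15 for the next fetch) and an unreachable zone (same 10/90 split, limit unchanged, so the remaining recursive-clients slots stay free for other names).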
clients-per-query message is harmful or not?
Hello, all.

my system is centos 4.x, bind 9.5.1-P3 and only recursion is allowed from some ranges. I can see lots of messages like below. so if I didn't set any clients-per-query value, some clients' queries may be dropped or not? If some queries can be dropped, I want to set like clients-per-query 0.

05-Oct-2009 16:04:46.228 resolver: notice: clients-per-query decreased to 14
05-Oct-2009 16:14:47.337 resolver: notice: clients-per-query increased to 19
05-Oct-2009 16:34:47.338 resolver: notice: clients-per-query decreased to 18
05-Oct-2009 16:54:47.339 resolver: notice: clients-per-query decreased to 17
05-Oct-2009 17:01:55.424 resolver: notice: clients-per-query increased to 22
05-Oct-2009 20:20:26.252 resolver: notice: clients-per-query increased to 15
05-Oct-2009 20:40:26.253 resolver: notice: clients-per-query decreased to 14
05-Oct-2009 21:00:26.253 resolver: notice: clients-per-query decreased to 13
05-Oct-2009 21:11:26.298 resolver: notice: clients-per-query increased to 15

Thanks in advance.
Re: clients-per-query message is harmful or not?
In message blu149-w57a261f59f90728f956cea85...@phx.gbl, MontyRee writes:

Hello, all.

my system is centos 4.x, bind 9.5.1-P3 and only recursion is allowed from some ranges. I can see lots of messages like below. so if I didn't set any clients-per-query value, some clients' queries may be dropped or not?

clients-per-query is designed to prevent the nameserver being overwhelmed by a given query that doesn't resolve. It sets the number of simultaneous clients that are actually recursing on a given name. Its value is increased if there is a successful resolution of that query after dropping some clients, then slowly decays over time. Note UDP clients are expected to retry.

clients-per-query reflects how many clients ask for a busy name/type in the time it takes to resolve that name/type. If it takes 200 ms to resolve the query and you need 20 clients-per-query then the name/type is being asked for around 100 times a second.

If some queries can be dropped, I want to set like clients-per-query 0.

You actually want to set clients-per-query to around 20 based on these logs; the default is 10.

05-Oct-2009 16:04:46.228 resolver: notice: clients-per-query decreased to 14
05-Oct-2009 16:14:47.337 resolver: notice: clients-per-query increased to 19
05-Oct-2009 16:34:47.338 resolver: notice: clients-per-query decreased to 18
05-Oct-2009 16:54:47.339 resolver: notice: clients-per-query decreased to 17
05-Oct-2009 17:01:55.424 resolver: notice: clients-per-query increased to 22
05-Oct-2009 20:20:26.252 resolver: notice: clients-per-query increased to 15
05-Oct-2009 20:40:26.253 resolver: notice: clients-per-query decreased to 14
05-Oct-2009 21:00:26.253 resolver: notice: clients-per-query decreased to 13
05-Oct-2009 21:11:26.298 resolver: notice: clients-per-query increased to 15

Thanks in advance.

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
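As an added illustration of how Mark reads those notices (not code from anyone on this list, and not BIND's): a small parser for the resolver log lines quoted above that reports the peak value named had to tune up to, counts the raises (each one means clients were dropped for some name before the answer arrived) and checks the cadence of the decreases, plus Mark's rule of thumb that clients-per-query divided by the resolution time is roughly the query rate for that name. The sample log is the one MontyRee posted; the function and field names are this example's own.

```python
# Constructed parser for "resolver: notice: clients-per-query ..." lines.
# Not BIND's code. SAMPLE_LOG is copied from the message above; everything
# else (names, the rate rule of thumb) is this example's own.
import re
from datetime import datetime

NOTICE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"resolver: notice: clients-per-query (?P<dir>increased|decreased) "
    r"to (?P<n>\d+)$"
)

SAMPLE_LOG = """\
05-Oct-2009 16:04:46.228 resolver: notice: clients-per-query decreased to 14
05-Oct-2009 16:14:47.337 resolver: notice: clients-per-query increased to 19
05-Oct-2009 16:34:47.338 resolver: notice: clients-per-query decreased to 18
05-Oct-2009 16:54:47.339 resolver: notice: clients-per-query decreased to 17
05-Oct-2009 17:01:55.424 resolver: notice: clients-per-query increased to 22
05-Oct-2009 20:20:26.252 resolver: notice: clients-per-query increased to 15
05-Oct-2009 20:40:26.253 resolver: notice: clients-per-query decreased to 14
05-Oct-2009 21:00:26.253 resolver: notice: clients-per-query decreased to 13
05-Oct-2009 21:11:26.298 resolver: notice: clients-per-query increased to 15
"""


def parse_notices(text):
    """Return [(timestamp, 'increased'|'decreased', value)] for matching
    lines; any other log line is ignored."""
    events = []
    for line in text.splitlines():
        m = NOTICE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m["dir"], int(m["n"])))
    return events


def summarize(events):
    """Peak value named needed, and how many raises and decays were logged.
    A raise means clients were dropped for some name before the answer came."""
    return {
        "peak": max(n for _, _, n in events),
        "raises": sum(1 for _, d, _ in events if d == "increased"),
        "decays": sum(1 for _, d, _ in events if d == "decreased"),
    }


def decay_intervals(events):
    """Whole seconds between directly consecutive 'decreased' notices; on a
    quiet server these should come at a fixed cadence."""
    out = []
    for (t0, d0, _), (t1, d1, _) in zip(events, events[1:]):
        if d0 == d1 == "decreased":
            out.append(round((t1 - t0).total_seconds()))
    return out


def implied_query_rate(clients_per_query, resolve_seconds):
    """Mark's rule of thumb: clients-per-query clients arrive during one
    resolution, so the name is asked for about cpq / resolve_time per second."""
    return clients_per_query / resolve_seconds


if __name__ == "__main__":
    ev = parse_notices(SAMPLE_LOG)
    print(summarize(ev))            # peak 22, 4 raises, 5 decays
    print(decay_intervals(ev))      # [1200, 1200]: 20 minutes apart
    print(implied_query_rate(20, 0.2))   # 100.0 queries/s, Mark's example
```

Running it over the posted log gives a peak of 22 and four raises, which is why Mark suggests starting clients-per-query near 20 rather than at the default 10: with the floor that high, the flash crowds this server sees would be queued on the in-flight fetch instead of being dropped and retried.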
AW: file descriptors and max-clients-per-query
Thanks for the feedback

How many sockets are open when you see this message? Normally the socket() call shouldn't fail even if named uses many sockets (it will fail anyway, but the failure mode is normally different), so it's very odd to see the above message.

As Jeremy suggested we updated our 9.4.2 Server this week to 9.4.3-P2. Luckily we hadn't a DNS outage so the message didn't reappear. So I can't say how many sockets were open when we had the message last time.

Are you perhaps limiting the system resource for the number of allowable open sockets? Do you set the 'files' option in your named.conf?

Not that I'm aware of :)

$ sysctl -a | grep socket
kern.ipc.numopensockets: 38
kern.ipc.maxsockets: 25600
socket: 356,25608, 37, 4099, 25140481
security.jail.socket_unixiproute_only: 1
security.jail.allow_raw_sockets: 0

The only limits I set in named.conf are ttl-stuff (lame-ttl, max-ncache-ttl, ...), clients-per-query and recursive-clients.

If I see the message again I'll let you know.

Philippe
Re: AW: file descriptors and max-clients-per-query
At Thu, 14 May 2009 17:46:42 +0200, Philippe Maechler pmaechler...@glattnet.ch wrote:

I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box as caching servers. let's call them ns1 and ns2 :P short after we shutdown server one we get error messages on the other server - socket: too many open file descriptors

What is the other server? I assume you are getting this error message with the old 9.4.2-P2 (and not on the 9.5.1-P1).

No, I have the messages on both servers. If ns1 goes down, we get the messages on ns2 and vice-versa.

How many sockets are open when you see this message? Normally the socket() call shouldn't fail even if named uses many sockets (it will fail anyway, but the failure mode is normally different), so it's very odd to see the above message.

Are you perhaps limiting the system resource for the number of allowable open sockets? Do you set the 'files' option in your named.conf?

--- JINMEI, Tatuya Internet Systems Consortium, Inc.
Re: file descriptors and max-clients-per-query
On Thu, 14 May 2009, Philippe Maechler wrote:

Hello Everybody

I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box as caching servers. let's call them ns1 and ns2 :P short after we shutdown server one we get error messages on the other server - socket: too many open file descriptors

What is the other server? I assume you are getting this error message with the old 9.4.2-P2 (and not on the 9.5.1-P1).

Before answering your other questions, can you please consider running the latest 9.4.x version? Versions newer than yours offer an improved and more efficient socket API on supported systems (like use of kqueue on FreeBSD).

If you continue to have the same problems on BIND 9.4.3 (or BIND 9.5.1-P1) or newer, please let us know.
AW: file descriptors and max-clients-per-query
Hello Jeremy

I'm running a bind 9.4.2-p2 and a 9.5.1-P1 both on a FreeBSD 6.x box as caching servers. let's call them ns1 and ns2 :P short after we shutdown server one we get error messages on the other server - socket: too many open file descriptors

What is the other server? I assume you are getting this error message with the old 9.4.2-P2 (and not on the 9.5.1-P1).

No, I have the messages on both servers. If ns1 goes down, we get the messages on ns2 and vice-versa.

Before answering your other questions, can you please consider running the latest 9.4.x version? Versions newer than yours offer an improved and more efficient socket API on supported systems (like use of kqueue on FreeBSD).

I'll try to upgrade to the latest 9.4 version and let you know if I still get the messages on ns1

If you continue to have the same problems on BIND 9.4.3 (or BIND 9.5.1-P1) or newer, please let us know.

Philippe