Re: max-cache-size query
On Wed 02 of Jun 2010 00:45:42 you wrote:

> One obvious solution to keeping the firewall guys happy would just be to make them not burn state entries for the nameserver at all. Firewalls in front of nameservers cause an ungodly amount of issues for no real benefit...

I will transfer that to our vendors, but my question is still not answered. Why on earth such a huge difference in the number of connections on the firewall with the max-cache-size on and off? I still don't get it.

P.

> Just sayin'...
>
> W

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: max-cache-size query
On 06/02/10 01:31, Techi wrote:

> but, my question is still not answered. Why on earth such a huge difference in the number of connections on the firewall with the max-cache-size on and off? I still don't get it.

Imagine the cache as a bucket. With a large bucket the chances of the answer that any given client needs being in the bucket already are higher, which means they can connect, get their answer, and disconnect quickly, without the resolver having to make any additional connections to the outside world.

With a small bucket, if the answer the client needs isn't there already, it has to wait while the resolver makes anywhere from 1-4 _additional_ connections to the outside world before it can finally get its answer and go away.

I'm seriously twisting things here to make a good story, but hopefully it gives you more of an idea of what is happening.

When it comes to the size of the cache on a name server you should set it to about 80% of the available RAM on the system. If that turns out not to be enough, add more RAM, or get a bigger system.

hth,

Doug

--
... and that's just a little bit of history repeating. -- Propellerheads

Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
max-cache-size query
Hallo,

Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptoms were:

* Huge number of connections on our firewalls (15).
* A lot of errors in syslog about max file descriptors limits reached (currently on system, the FD limit is 4096, the default of CentOS)

Anyway, after the proposal of a friend of mine, I removed the max-cache-size limit (that was set to 256MB). After a restart of bind, the FW guys reported a huge drop on connections (1)! Additionally, I have no crashes so far (in contrast with 1-2 per week).

So, why:

a. bind generated so much traffic?
b. Is it possible to have bind crash because I could not handle the cache clean-up and at the same time to serve requests?

Thank you
RE: max-cache-size query
What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading.

Todd.
Re: max-cache-size query
On Tue 01 of Jun 2010 15:43:54 you wrote:

> What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading.

Version: bind-9.3.6-4.P1.el5_4.2

I cannot upgrade. Company's policy is to use only CentOS packages :( Anyway, I believe that it is not a true 9.3 since, for example, I can set the allow-query-cache statement of 9.5. Of course, only RH can say that and I am not RH.

Cheers.

> Todd.
Re: max-cache-size query
On Tue, Jun 01, 2010 at 03:52:56PM +0300, Techi wrote:

> On Tue 01 of Jun 2010 15:43:54 you wrote:
>
> > What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading.
>
> Version: bind-9.3.6-4.P1.el5_4.2
>
> I cannot upgrade. Company's policy is to use only CentOS packages :( Anyway, I believe that it is not a true 9.3 since, for example, I can set the allow-query-cache statement of 9.5. Of course, only RH can say that and I am not RH.

You are right, it is not a true 9.3.6-P1; it contains numerous enhancements from later releases (like allow-query-cache).

If you set max-cache-size too low and it is a really busy recursion server (from the number of connections it seems it really is), then BIND will often hit the upper cache watermark and will start cache cleanup, which is, at least in the 9.3.X series, quite an expensive operation. Additionally, when the cache is too small and cleaned too often, BIND will ask again and again for the same records, which means a huge number of connections.

If you hit the crash again, you should probably open a report in the CentOS tracker.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.
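
A toy simulation of the effect Adam describes, added here as an illustration and not part of the thread or of BIND's code: a bounded cache that purges from an upper to a lower watermark re-fetches names it has already resolved, while an unlimited cache fetches each name once. The LRU eviction, the limit counted in entries (the real max-cache-size is in bytes), the 7/8 low watermark, the Zipf-like workload, one upstream lookup per miss and the absence of TTLs are all assumptions of the model.

```python
import random
from collections import OrderedDict


def make_queries(n_queries=50000, n_names=20000, seed=1):
    """Constructed workload: names drawn with Zipf-like popularity (assumption)."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) for rank in range(n_names)]
    return rng.choices(range(n_names), weights=weights, k=n_queries)


def simulate(queries, high_water=None, low_ratio=0.875):
    """Replay queries against a cache capped at high_water entries.

    Returns (upstream_lookups, cleanup_runs). high_water=None models the
    configuration with the max-cache-size limit removed.
    """
    cache = OrderedDict()          # least recently used entry first
    upstream = cleanups = 0
    for name in queries:
        if name in cache:          # hit: answered locally, no outbound traffic
            cache.move_to_end(name)
            continue
        upstream += 1              # miss: resolver must ask the outside world
        cache[name] = True
        if high_water is not None and len(cache) > high_water:
            cleanups += 1          # upper watermark reached: purge to low mark
            low_water = int(high_water * low_ratio)
            while len(cache) > low_water:
                cache.popitem(last=False)
    return upstream, cleanups


def compare(sizes=(500, 5000, None)):
    """Run the same workload against several cache limits."""
    queries = make_queries()
    return {size: simulate(queries, size) for size in sizes}


if __name__ == "__main__":
    for size, (upstream, cleanups) in compare().items():
        label = "unlimited" if size is None else f"{size} entries"
        print(f"{label:>14}: {upstream} upstream lookups, {cleanups} cleanups")
```

Every upstream lookup in the model is at least one outbound flow the firewall has to track, so the gap between the small and unlimited rows is the gap the firewall team would see in state entries.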
Re: max-cache-size query
One obvious solution to keeping the firewall guys happy would just be to make them not burn state entries for the nameserver at all. Firewalls in front of nameservers cause an ungodly amount of issues for no real benefit...

Just sayin'...

W

---
Schizophrenia beats being alone.