[ratelimits] Happy Patch Customer

John Marshall john.marshall at riverwillow.com.au
Fri Jun 15 16:33:53 UTC 2012


First, Paul and Vernon, THANK YOU for this patch!
  
On a customer server yesterday, I noticed named (BIND 9.8.3-P1) using a
steady 12% total CPU (on a 4-CPU machine).  I tried stopping/starting
named, thinking that it may have hit a bug, and noticed that, during the
brief interval that it was off, I was seeing messages like the following
being logged:

 dragon kernel: Limiting icmp unreach response from 2057 to 200 packets/sec

So, I guessed that something was hammering the DNS server and causing
the high CPU usage.  I found the discussion on the dns-operations list
and Paul's post regarding the rate-limit patch.

BEFORE APPLYING THE PATCH

 - named (BIND 9.8.3-P1) using a steady 12% CPU
 - inbound network traffic sitting at 1.4Mbps
 - outbound network traffic sitting at 43.9Mbps

AFTER APPLYING THE PATCH (rrl-983.patch)

 - named (BIND 9.8.3-vjs163.18-P1) using a steady 1.8% CPU
 - inbound network traffic sitting at 1.4Mbps
 - outbound network traffic sitting at 0.5Mbps

The queries are all ANY queries for the apex of one of the signed zones
on that server.  The rate-limit config I added post-patch is:

        rate-limit {
                responses-per-second 10;
                errors-per-second 10;
                log-only no;
                max-table-size 10000;
                min-table-size 10000;
        };

I captured some traffic before and after patching.  I got tcpdump to
filter 100,000 DNS request/reply packets to a capture file.  It only
took 40-50 seconds!  I have the raw pcap files, tcpdump reports and
dnstop reports available here:

 http://dragon.componentfactory.net/~john/ratelimits/

I also included an extract from syslog showing the patch's rate-limit
messages.  Is there a switch to rate-limit or disable the rate-limit
messages?

I look after 8 public-facing DNS servers and, so far, this is the only
one to have been hit, and the target is just one of its zones.

-- 
John Marshall
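The post's config caps identical responses at `responses-per-second 10`, and the capture shows the flood was all ANY queries for one zone apex. The script below is an added example, not code from the post or from BIND: it replays a constructed query stream through a simplified fixed-window model of that limit (grouping IPv4 clients by /24, which is assumed here to match RRL's default prefix length; BIND's real RRL uses a finer credit scheme, so this is an approximation), and also reports how much of each client's traffic is ANY, the kind of check you would run over a dnstop or tcpdump summary to confirm an amplification pattern before enabling rate-limit. Names, addresses and query counts are all constructed.

```python
import ipaddress
from collections import defaultdict

RESPONSES_PER_SECOND = 10  # same value as responses-per-second in the post's config
PREFIX_LEN_V4 = 24         # assumption: RRL groups IPv4 clients by /24 by default

# Constructed sample query stream: (unix_second, client_ip, qname, qtype).
# One /24 hammers the zone apex with ANY; a little normal A traffic is mixed in.
SAMPLE_QUERIES = (
    [(100, "198.51.100.7", "example.com.", "ANY")] * 20
    + [(100, "198.51.100.9", "example.com.", "ANY")] * 5
    + [(100, "203.0.113.5", "www.example.com.", "A")] * 3
    + [(101, "198.51.100.7", "example.com.", "ANY")] * 4
)


def rrl_key(client_ip, qname, qtype):
    """Identity of a response for rate-limiting purposes: client block + name + type."""
    net = ipaddress.ip_network(f"{client_ip}/{PREFIX_LEN_V4}", strict=False)
    return (str(net), qname.lower(), qtype)


class FixedWindowLimiter:
    """Simplified RRL: at most `rps` identical responses per key in any one-second slot.
    This is a model for illustration, not BIND's credit/penalty implementation."""

    def __init__(self, rps):
        self.rps = rps
        self.counts = defaultdict(int)  # (second, key) -> responses already sent

    def decide(self, second, key):
        slot = (second, key)
        if self.counts[slot] < self.rps:
            self.counts[slot] += 1
            return "respond"
        return "drop"


def simulate(queries, rps=RESPONSES_PER_SECOND):
    """Run the stream through the limiter; return overall and per-key verdict counts."""
    limiter = FixedWindowLimiter(rps)
    summary = {"respond": 0, "drop": 0}
    per_key = defaultdict(lambda: {"respond": 0, "drop": 0})
    for second, client, qname, qtype in queries:
        key = rrl_key(client, qname, qtype)
        verdict = limiter.decide(second, key)
        summary[verdict] += 1
        per_key[key][verdict] += 1
    return summary, dict(per_key)


def any_share_by_client(queries):
    """Fraction of each client's queries that are ANY: near 1.0 is the pattern from the post."""
    totals = defaultdict(int)
    anys = defaultdict(int)
    for _, client, _, qtype in queries:
        totals[client] += 1
        if qtype == "ANY":
            anys[client] += 1
    return {client: anys[client] / totals[client] for client in totals}


if __name__ == "__main__":
    summary, per_key = simulate(SAMPLE_QUERIES)
    print("overall:", summary)
    for key, counts in per_key.items():
        print(key, counts)
    for client, share in sorted(any_share_by_client(SAMPLE_QUERIES).items()):
        print(f"{client}: {share:.0%} ANY")
```

With the constructed stream, the abusive /24 gets 10 responses in the first second and 4 in the next while 15 are dropped, and the legitimate A client is untouched; that is the same shape as the CPU and outbound-bandwidth drop the post reports, since the dropped responses are the large signed-apex answers.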