[ratelimits] Happy Patch Customer
John Marshall
john.marshall at riverwillow.com.au
Fri Jun 15 16:33:53 UTC 2012
First, Paul and Vernon, THANK YOU for this patch!
On a customer server yesterday, I noticed named (BIND 9.8.3-P1) using a
steady 12% total CPU (on a 4-CPU machine). I tried stopping/starting
named, thinking that it may have hit a bug, and noticed that, during the
brief interval that it was off, I was seeing messages like the following
being logged:
dragon kernel: Limiting icmp unreach response from 2057 to 200 packets/sec
So, I guessed that something was hammering the DNS server and causing
the high CPU usage. I found the discussion on the dns-operations list
and Paul's post regarding the rate-limit patch.
BEFORE APPLYING THE PATCH
- named (BIND 9.8.3-P1) using a steady 12% CPU
- inbound network traffic sitting at 1.4Mbps
- outbound network traffic sitting at 43.9Mbps
AFTER APPLYING THE PATCH (rrl-983.patch)
- named (BIND 9.8.3-vjs163.18-P1) using a steady 1.8% CPU
- inbound network traffic sitting at 1.4Mbps
- outbound network traffic sitting at 0.5Mbps
The queries are all ANY queries for the apex of one of the signed zones
on that server. The rate-limit config I added post-patch is:
rate-limit {
        responses-per-second 10;
        errors-per-second 10;
        log-only no;
        max-table-size 10000;
        min-table-size 10000;
};
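To show what a `responses-per-second 10;` setting does to the traffic pattern described in this post (one spoofed source sending a flood of ANY queries for a signed zone apex), here is an added simulation. It is not BIND's RRL code or part of the patch: it models the core idea, a per-(client /24, qname, qtype) credit balance that refills each second, and omits the real implementation's window, slip/TC and error accounting. The query stream and response sizes are constructed for illustration.

```python
"""Simplified model of DNS response rate limiting (RRL).

Added illustration, not BIND's implementation: it models the
responses-per-second idea as a per-(client /24, qname, qtype) credit
balance that refills once per second.  Real RRL also has a sliding
window, slip/TC (truncated) responses and error accounting, none of
which are modelled here.
"""
from collections import Counter
import ipaddress

RESPONSES_PER_SECOND = 10  # matches "responses-per-second 10;" above


def bucket_key(client_ip, qname, qtype):
    """RRL accounts per IPv4 /24, so one spoofed netblock shares a bucket."""
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    return (str(net), qname.lower(), qtype.upper())


class ResponseRateLimiter:
    def __init__(self, responses_per_second=RESPONSES_PER_SECOND):
        self.rps = responses_per_second
        self.credits = {}  # bucket key -> (second, credits left in that second)

    def allow(self, ts, client_ip, qname, qtype):
        """Return True if a response may be sent, False if it is rate-limited."""
        key = bucket_key(client_ip, qname, qtype)
        sec = int(ts)
        last_sec, left = self.credits.get(key, (sec, self.rps))
        if sec != last_sec:
            left = self.rps  # simplification: refill to full each new second
        if left > 0:
            self.credits[key] = (sec, left - 1)
            return True
        self.credits[key] = (sec, 0)
        return False


def constructed_queries():
    """Constructed sample: a spoofed ANY flood plus a few ordinary lookups."""
    queries = []
    # 1000 ANY queries for the zone apex, all claiming to come from one
    # victim address, within a single second (constructed values)
    for i in range(1000):
        queries.append((1000.0 + i / 1000, "203.0.113.7", "example.com.", "ANY"))
    # 5 ordinary A queries from distinct resolvers in another netblock
    for i in range(5):
        queries.append((1000.5, f"198.51.100.{i + 1}", f"host{i}.example.com.", "A"))
    return queries


def simulate(queries, limiter, any_response_size=3000, normal_response_size=100):
    """Replay queries through the limiter.

    Returns (bytes_without_rrl, bytes_with_rrl, dropped_by_bucket).
    Response sizes are constructed: a signed-zone apex ANY answer is large,
    an ordinary A answer is small.
    """
    bytes_without = bytes_with = 0
    dropped = Counter()
    for ts, ip, name, qtype in sorted(queries):
        size = any_response_size if qtype == "ANY" else normal_response_size
        bytes_without += size
        if limiter.allow(ts, ip, name, qtype):
            bytes_with += size
        else:
            dropped[bucket_key(ip, name, qtype)] += 1
    return bytes_without, bytes_with, dropped


if __name__ == "__main__":
    before, after, dropped = simulate(constructed_queries(), ResponseRateLimiter())
    print(f"outbound bytes without RRL: {before}")
    print(f"outbound bytes with RRL:    {after}")
    for key, n in dropped.items():
        print(f"limited {n} responses for {key}")
```

Only the spoofed (netblock, apex name, ANY) bucket is throttled; the five legitimate A queries for different names pass untouched, which is the property that makes RRL safe to enable on an authoritative server. The drop in outbound bytes here is of the same shape as the 43.9Mbps to 0.5Mbps change reported above.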
I captured some traffic before and after patching. I got tcpdump to
filter 100,000 DNS request/reply packets to a capture file. It only
took 40-50 seconds! I have the raw pcap files, tcpdump reports and
dnstop reports available here:
http://dragon.componentfactory.net/~john/ratelimits/
I also included an extract from syslog showing the patch's rate-limit
messages. Is there a switch to rate-limit or disable the rate-limit
messages?
I look after 8 public-facing DNS servers and, so far, this is the only
one to have been hit, and the target is just one of its zones.
--
John Marshall