[Pdns-users] Limit on TCP querys.

Klaus Darilion klaus.mailinglists at pernau.at
Mon Dec 5 22:22:54 UTC 2011 

On 05.12.2011 21:24, Grant Keller wrote:
> On 12/04/2011 10:17 PM, Peter van Dijk wrote:
>> Hi Grant,
>>
>> On Dec 4, 2011, at 21:44 , Grant Keller wrote:
>>
>>> On 12/03/2011 10:40 AM, Peter van Dijk wrote:
>>>> Hello Grant,
>>>>
>>>> On Dec 3, 2011, at 1:14 , Grant Keller wrote:
>>>>
>>>>> When I run a large number of querys against my PDNS 3.0 auth
>>>>> server, I am seeing a number of timeouts on my querys. For example,
>>>>> if I run 19000 tcp querys at 5-6 querys per second, I end up with
>>>>> about 400 querys failed due to timeouts. Most of the time outs
>>>>> occur in batches, where I see all querys or every other query
>>>>> timeout. Is that simply too many tcp querys for PDNS to handle?
>>>> Depending on how you are doing this, you may be hitting the
>>>> max-tcp-connections default, which is 10. If you want to do lots of
>>>> TCP queries, I suggest increasing max-tcp-connections a lot.
>>>>
>>>> Kind regards,
>>>> Peter van Dijk
>>>
>>> The max-tcp-connection was set to 1000, and figured that would be
>>> high enough, should I increase the limit further?
>>
>> 1000 sounds like it should be enough. Can you share how you are
>> running these queries? And is PowerDNS logging anything during your
>> tests, especially around times of failure?
>>
>> Kind regards,
>> Peter van Dijk
>
> A quick and dirty perl script runs the querys, using Net::DNS::Resolver
> to run tcp querys with a timeout set to 1 second:
>
> http://pastebin.com/QEG5kVR1
>
> the list of domains I use is located here:
>
> ftp://ftp.sonic.net/pub/users/gkeller/dns/querys.tar.bz2
>
> One thing to note is that these are all domains the server is
> authoritative for, and it is looking up the A record of each.
>
> The server I am running the querys against is granttest.noc.sonic.net,
> which is a test box with no other traffic. If you need any more info,
> let me know.

You really should check the existing TCP connections when the timeouts 
start. Probably you should also check for TCP connections waiting to be 
torn down (TIME_WAIT). There also might be issues if connection tracking 
is enabled and netfilter runs out of memory. Is there some firewall/NAT 
between the client and the server?

What does tcp_timeout really mean? Is the timeout triggered when waiting 
for the DNS response or even before during establishment of the TCP 
connection?

regards
klaus


regards
Klaus

More information about the Pdns-users mailing list