[Pdns-users] Limit on TCP queries.

Klaus Darilion klaus.mailinglists at pernau.at
Mon Dec 5 22:22:54 UTC 2011

On 05.12.2011 21:24, Grant Keller wrote:
> On 12/04/2011 10:17 PM, Peter van Dijk wrote:
>> Hi Grant,
>> On Dec 4, 2011, at 21:44 , Grant Keller wrote:
>>> On 12/03/2011 10:40 AM, Peter van Dijk wrote:
>>>> Hello Grant,
>>>> On Dec 3, 2011, at 1:14 , Grant Keller wrote:
>>>>> When I run a large number of queries against my PDNS 3.0 auth
>>>>> server, I am seeing a number of timeouts on my queries. For example,
>>>>> if I run 19000 TCP queries at 5-6 queries per second, I end up with
>>>>> about 400 queries failed due to timeouts. Most of the timeouts
>>>>> occur in batches, where I see all queries or every other query
>>>>> time out. Is that simply too many TCP queries for PDNS to handle?
>>>> Depending on how you are doing this, you may be hitting the
>>>> max-tcp-connections default, which is 10. If you want to do lots of
>>>> TCP queries, I suggest increasing max-tcp-connections a lot.
>>>> Kind regards,
>>>> Peter van Dijk
>>> The max-tcp-connection was set to 1000, and I figured that would be
>>> high enough. Should I increase the limit further?
>> 1000 sounds like it should be enough. Can you share how you are
>> running these queries? And is PowerDNS logging anything during your
>> tests, especially around times of failure?
>> Kind regards,
>> Peter van Dijk
> A quick and dirty Perl script runs the queries, using Net::DNS::Resolver
> to run TCP queries with a timeout set to 1 second:
> http://pastebin.com/QEG5kVR1
> the list of domains I use is located here:
> ftp://ftp.sonic.net/pub/users/gkeller/dns/querys.tar.bz2
> One thing to note is that these are all domains the server is
> authoritative for, and it is looking up the A record of each.
> The server I am running the queries against is granttest.noc.sonic.net,
> which is a test box with no other traffic. If you need any more info,
> let me know.

You really should check the existing TCP connections when the timeouts 
start. Probably you should also check for TCP connections waiting to be 
torn down (TIME_WAIT). There also might be issues if connection tracking 
is enabled and netfilter runs out of memory. Is there some firewall/NAT 
between the client and the server?

What does tcp_timeout really mean? Is the timeout triggered when waiting 
for the DNS response or even before during establishment of the TCP 
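
Added example, not part of the original message: one way to run the check suggested above, counting TCP socket states (including TIME_WAIT) for port 53 from a /proc/net/tcp-format table and reading the netfilter connection-tracking counters. It assumes a Linux server; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: the connection-state check suggested above, for Linux.

# Constructed sample in /proc/net/tcp layout (trailing columns omitted).
# Field 2 = local address:port (hex), field 4 = state code (hex).
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st
   0: 00000000:0035 00000000:0000 0A
   1: 0100007F:0035 0100007F:C350 01
   2: 0100007F:0035 0100007F:C351 06
   3: 0100007F:0035 0100007F:C352 06
   4: 0100007F:0016 0100007F:D431 01
EOF
}

# tcp_states PORT [FILE]: print "STATE count" per state for sockets whose
# local port is PORT. FILE defaults to /proc/net/tcp; "-" reads stdin.
tcp_states() {
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" '
        BEGIN {
            n["01"]="ESTABLISHED"; n["02"]="SYN_SENT";   n["03"]="SYN_RECV"
            n["04"]="FIN_WAIT1";   n["05"]="FIN_WAIT2";  n["06"]="TIME_WAIT"
            n["07"]="CLOSE";       n["08"]="CLOSE_WAIT"; n["09"]="LAST_ACK"
            n["0A"]="LISTEN";      n["0B"]="CLOSING"
        }
        $1 ~ /^[0-9]+:$/ {                  # socket rows only, skips the header
            split($2, a, ":")
            if (toupper(a[2]) == p) c[toupper($4)]++
        }
        END {
            for (s in c) {
                name = (s in n) ? n[s] : s  # unknown codes are shown as-is
                print name, c[s]
            }
        }
    ' "${2:-/proc/net/tcp}" | sort
}

# conntrack_usage [DIR]: print "count max" from the netfilter counters,
# or nothing when connection tracking is not loaded.
conntrack_usage() {
    d=${1:-/proc/sys/net/netfilter}
    [ -r "$d/nf_conntrack_count" ] || return 0
    echo "$(cat "$d/nf_conntrack_count") $(cat "$d/nf_conntrack_max")"
}

# Demo on the constructed sample; on a server run: tcp_states 53
sample_table | tcp_states 53 -
```

Pass /proc/net/tcp6 as FILE to count IPv6 sockets. A conntrack count close to its maximum while the timeouts occur points at the netfilter table rather than at PowerDNS.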


