From: Jose Celestino <japc@co.sapo.pt>
To: supervision@list.skarnet.org
Subject: Re: dnscache endless resolving loop
Date: Thu, 28 Feb 2008 15:38:21 +0000
Message-ID: <20080228153820.GB10982@co.sapo.pt>
In-Reply-To: <20080228152254.GA21748@home.power>

Words by Alex Efros [Thu, Feb 28, 2008 at 05:22:54PM +0200]:
> Hi!
>
> Probably this isn't the right mailing list to ask, but I think this will be
> interesting to people here.
>

No, the right list would be dns@list.cr.yp.to.

> On one of my servers I permanently have an issue with dnscache, which looks
> like this:
>
>   PID  PPID     TIME+ %CPU %MEM PR NI S VIRT SWAP  RES  UID COMMAND
>  3301   507  49:42.59 16.6  0.4 15  0 R 4148 2200 1948 1000 dnscache
> 11519   507 602:44.67  3.3  0.2 15  0 R 2860 2052  808 1001 svlogd
> 15610 26870   0:00.20  0.3  0.3 15  0 R 3588 1884 1704    0 top
>
> i.e. dnscache permanently uses ~15% CPU (TIME+ column shows less time for
> dnscache than for its svlogd just because I restarted dnscache some time
> ago). This server isn't very powerful (Celeron 2GHz, 512RAM), so this
> issue slows down the server significantly. Of course I can disable svlogd for
> dnscache (because writing a huge amount of logs to disk also slows it down),
> but I need logs to find out what's wrong.
>

Yes, "/dev/null"ing the logs is a good idea for extremely busy servers.

>
> Restarting dnscache solves this issue for about an hour, and then it arises
> again (probably it is initiated by some spammer who connects to my qmail from
> this IP, and tcpserver trying to resolve it).
>

You have the IP that does the DNS queries in the logs:

2008-02-28_14:28:42.67086 query 1260583 7f000001:a399:3ad9 12 30.91.240.124.in-addr.arpa.

7f000001 is the IP (hex)

>
> According to the logs, dnscache again and again tries to resolve PTR
> 124.240.91.30, and every time gets a negative result (which it doesn't cache,
> AFAIK).
>

It didn't get a negative result, it got a timeout (and that's why it
didn't cache it).

>
> I spent enough time trying to find out WHO is sending these PTR requests
> to dnscache (does anybody know how to find out which process owns a UDP port?
> things like netstat can't answer the question "who is asking my DNS
> server")... dnscache runs on 127.0.0.1 so it isn't a remote attack.
>
> After all I got an idea: maybe it's dnscache that is asking
> dnscache? :) I did strace, and, yes, it looks like dnscache sends PTR
> requests to itself in an endless loop. Look:
>

Yes. Because the authoritative for 91.240.124.in-addr.arpa. is
remove.this.nserver.to.enable.zone.at.apnic.net and this is 127.0.0.1:

$ dnsqr ns 91.240.124.in-addr.arpa.
2 91.240.124.in-addr.arpa:
118 bytes, 1+1+0+1 records, response, noerror
query: 2 91.240.124.in-addr.arpa
answer: 91.240.124.in-addr.arpa 80944 NS remove.this.nserver.to.enable.zone.at.apnic.net
additional: remove.this.nserver.to.enable.zone.at.apnic.net 1871 A 127.0.0.1

Anyway, send any further questions to the above mentioned list, this is OT
here.
--
Jose Celestino
----------------------------------------------------------------
http://www.msversus.org/ ; http://techp.org/petition/show/1
http://www.vinc17.org/noswpat.en.html
----------------------------------------------------------------
"If you would have your slaves remain docile, teach them hymns."
-- Ed Weathers ("The Empty Box")
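
The client field of the dnscache log line quoted in this message, decoded and used to spot a question that a loopback client keeps re-asking. This is an added example, not part of the original thread or of djbdns. It assumes the field layout `timestamp query serial iphex:porthex:idhex qtype name` seen in that one line; every sample line except the first, the function names and the threshold are constructed for the example.

```python
import ipaddress
from collections import Counter

QTYPES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA"}

def parse_query(line):
    """Parse 'TS query SERIAL IPHEX:PORTHEX:IDHEX QTYPE NAME'; None for anything else."""
    f = line.split()
    if len(f) != 6 or f[1] != "query":
        return None
    try:
        ip_hex, port_hex, id_hex = f[3].split(":")
        qtype = int(f[4])
        return {
            "ts": f[0],
            "serial": int(f[2]),
            "client": ipaddress.IPv4Address(int(ip_hex, 16)),  # 7f000001 -> 127.0.0.1
            "port": int(port_hex, 16),
            "id": int(id_hex, 16),
            "qtype": QTYPES.get(qtype, str(qtype)),
            "name": f[5].lower(),
        }
    except ValueError:  # wrong number of ':' parts, or a non-hex / non-numeric field
        return None

def loopback_repeats(lines, threshold=3):
    """Return {(qtype, name): count} for questions a loopback client asked >= threshold times."""
    seen = Counter()
    for q in filter(None, map(parse_query, lines)):
        if q["client"].is_loopback:
            seen[(q["qtype"], q["name"])] += 1
    return {k: n for k, n in seen.items() if n >= threshold}

# First line is the one quoted in the message; the rest are constructed for the example.
SAMPLE = [
    "2008-02-28_14:28:42.67086 query 1260583 7f000001:a399:3ad9 12 30.91.240.124.in-addr.arpa.",
    "2008-02-28_14:28:42.67310 query 1260584 7f000001:a39a:51c2 12 30.91.240.124.in-addr.arpa.",
    "2008-02-28_14:28:42.67522 query 1260585 7f000001:a39b:0e77 12 30.91.240.124.in-addr.arpa.",
    "2008-02-28_14:28:43.10001 query 1260586 c0a80005:d2f1:9b04 1 www.example.com.",
    "2008-02-28_14:28:43.10420 sent 1260586 64",
]

if __name__ == "__main__":
    for (qtype, name), n in loopback_repeats(SAMPLE).items():
        print(f"{n}x {qtype} {name} from loopback: check who is authoritative for the zone")
```

A name flagged this way is a candidate for the `dnsqr ns` check shown in the message, to see whether the zone's listed nameserver resolves to 127.0.0.1.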