<html><head></head><body><div>Hi Jeroen,</div><div><br></div><div>I've recompiled with --enable-recvmmsg and left --enable-checking (for now).</div><div>However, the old version was also compiled with "--enable-mmap" which I now deactivated since it is marked as being experimental.</div><div>This is the current compile line:</div><div><br></div><div>./configure --prefix=/usr --with-configdir=/etc/nsd --with-nsd_conf_file=/etc/nsd/nsd.conf --with-pidfile= --with-dbfile=/var/lib/nsd/nsd.db --with-zonesdir=/etc/nsd --with-xfrdfile=/var/lib/nsd/xfrd.state --enable-root-server --enable-ratelimit --enable-checking --enable-dnstap --enable-systemd --enable-pie --enable-relro-now --enable-recvmmsg --enable-packed --enable-memclean</div><div><br></div><div>Franky</div><div><span></span></div><div><br></div><div>On Fri, 2022-09-16 at 13:19 +0200, Jeroen Koekkoek wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hi Franky,<br></div><div><br></div><div>You may want to disable "--enable-checking", that's enabling debug<br></div><div>information and negatively impacts performance. --disable-recvmmsg is<br></div><div>something you do want to enable because it gets multiple UDP messages<br></div><div>with one syscall and thus improves performance.<br></div><div><br></div><div>Maybe it helps if you set the reload timeout a bit higher? It's hard to<br></div><div>tell with the provided information what can be changed to keep the<br></div><div>server from becoming unresponsive. Maybe you can share the<br></div><div>configuration? You may want to have a look at the tuning section of the<br></div><div>manual (<a href="https://nsd.docs.nlnetlabs.nl/en/latest/running/tuning.html">https://nsd.docs.nlnetlabs.nl/en/latest/running/tuning.html</a>). I<br></div><div>wouldn't bother with Processor Affinity just yet, the first section may<br></div><div>already do wonders for your setup.<br></div><div><br></div><div>Best,<br></div><div>Jeroen<br></div><div><br></div><div><br></div><div>On Fri, 2022-09-16 at 10:34 +0200, Franky Van Liedekerke via nsd-users<br></div><div>wrote:<br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hi,<br></div><div><br></div><div>I seem to have an issue with one nameserver (the one running nsd<br></div><div>4.6.0, but it also happened with the nsd package that came with<br></div><div>ubuntu itself):<br></div><div><br></div><div>on a regular basis the server just hangs. No coredumps (the server is<br></div><div>configured to coredump), nothing in nsd logs, nothing in syslog<br></div><div>except always the same final message that happens to arrive on the<br></div><div>central logserver just before the OS hang:<br></div><div>"TCP: request_sock_TCP: Possible SYN flooding on port 53. Sending<br></div><div>cookies."<br></div><div><br></div><div>After that message, it's game over for that server: not even the<br></div><div>console is responsive anymore. It's a vm, so we see the cpu spiking<br></div><div>in the vm stats on the host so I'm assuming something is taking up<br></div><div>all cpu causing a huge load, but I'm unable to pinpoint it since ...<br></div><div>it hangs :-) . Other dns servers (running bind) with the same kernel<br></div><div>parameters for flooding (burst), don't show the message (so maybe<br></div><div>just 1 server is being targetted, but it still shouldn't crash like<br></div><div>that).<br></div><div>Any hints on how to debug this? If somone might think it is related<br></div><div>to nsd, this is the compile line:<br></div><div>./configure --prefix=/usr --with-configdir=/etc/nsd --with-<br></div><div>nsd_conf_file=/etc/nsd/nsd.conf --with-pidfile=/run/nsd/nsd.pid --<br></div><div>with-dbfile=/var/lib/nsd/nsd.db --with-zonesdir=/etc/nsd --with-<br></div><div>xfrdfile=/var/lib/nsd/xfrd.state --disable-largefile --disable-<br></div><div>recvmmsg --enable-root-server --enable-mmap --enable-ratelimit --<br></div><div>enable-checking --enable-dnstap --enable-systemd<br></div><div><br></div><div>(I see there's an option for tcp_fastopen but not used by the person<br></div><div>that compiled it and I can't really explain the reason on -disable-<br></div><div>largefile --disable-recvmmsg, but those two shouldn't have any<br></div><div>impact)<br></div><div>The server-count=2 (server having 2 vcpu's), no mem issues seen.<br></div><div>Server is serving (as secondary) more than 7000 zones (so many xfr<br></div><div>requests, but currently we left the xfr-reload-timeout at 1 second).<br></div><div><br></div><div>With friendly regards,<br></div><div>Franky<br></div><div>_______________________________________________<br></div><div>nsd-users mailing list<br></div><div><a href="mailto:nsd-users@lists.nlnetlabs.nl">nsd-users@lists.nlnetlabs.nl</a><br></div><div><a href="https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users">https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users</a><br></div></blockquote><div><br></div></blockquote></body></html>