Hi Zach,

On Fri, Dec 19, 2025 at 12:04:08AM +0000, Zach Pearson wrote:
> During a recent DNS outage, TCP connections from HAProxy to DNS resolvers
> spiked. Even after DNS recovered, connections stayed ~3,000 (normal is ~2).
> Although dns_process_idle_exp should clean up idle sessions, it didn't in
> this state. tcpdump showed the DNS server closing idle connections after
> ~30s, but HAProxy immediately reopened them. Restarting HAProxy was required
> to return to normal connection counts. Setting maxconn on resolvers (also
> could test pulling in this patch
> <https://github.com/haproxy/haproxy/commit/5288b39011b2449bfa896f7932c7702b5a85ee77>)
> mitigates the spike but not the post-recovery persistence.
>
> Environment
> HAProxy version:
> HAProxy version 2.9.4-9839cb-6 2024/07/31 - https://haproxy.org/
> Status: stable branch - will stop receiving fixes around Q1 2025.
> Known bugs: http://www.haproxy.org/bugs/bugs-2.9.4.html
> Running on: Linux 5.15.173.1-2.cm2 #1 SMP Fri Feb 7 02:18:38 UTC 2025 x86_64
First, congrats for your in-depth analysis. But as you can see above, this version is long outdated: it has been missing 14 months of fixes in its branch (roughly 548 patches), and that branch was dropped 9 months ago. A quick check shows that 64 patches were applied to the DNS code alone since then, 22 of which were bug fixes.

I really don't see the point in trying to cherry-pick random patches to this dead version. It could happen to work around the problem by pure luck or break something else, and in any case nobody will be able to help you set a diagnostic on the resulting observations. Please try to reproduce the issue with a maintained version so that it is possible to analyse what's happening and a fix can be designed if the problem persists.

In addition, please have a look here to see the list of the 353 bugs (19 major and 140 medium) that still affect the version you're running:

  https://www.haproxy.org/bugs/bugs-2.9.4.html

Your service is affected with many cases of possible response truncation and data corruption on HTTP/1 and HTTP/2 which have long been fixed; it doesn't make sense to keep such a version in production.

Regards,
willy

