Are you using iptables Firewall?
Does the problem only occur on UDP connections to the problematic IP? Or also 
on TCP connections to the same IP?

I had similar problems (not with bind) when the connection table of the iptables 
"state" module was too small.
Iptables started dropping packets, because it couldn't keep track of new 
connections. 
Since UDP is by definition stateless, the "state" module tries to invent some 
sort of connection status, based on source and destination ports. 
This sometimes makes trouble, especially when there are lots of concurrent 
connections and the same UDP ports show up over and over again (e.g. when 
DNS clients do not use Source Port Randomization).
You could try to remove the state module (-m state --state NEW) from your UDP 
firewall rule for BIND and see if that helps. 

I believe there are separate state tables for each network interface. This 
could explain why your second IP is still responding.

Regards,
Stefan
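
The check Stefan's reply points at, as an added example that is not part of the thread and not code from any of its posters: a POSIX shell snippet that reads conntrack table usage from /proc, flags when the table is close to full, and counts the kernel's "table full, dropping packet" messages in a log. The /proc paths and the "nf_conntrack: table full" message are the standard Linux ones; the sample log lines are constructed, and the two iptables rules in the comments (the state-matched one and the stateless variant Stefan suggests trying) are assumed forms of the poster's rule, not rules quoted from the thread.

```shell
#!/bin/sh
# Added example: is the iptables "state" (conntrack) table the reason UDP/53
# packets are being dropped? Not code from the bind-users thread.
#
# Assumed form of the original poster's BIND UDP rule (uses conntrack):
#   iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# Stateless variant Stefan suggests trying (no conntrack entry per query):
#   iptables -A INPUT -p udp --dport 53 -j ACCEPT
# If the table really is too small, the other standard remedy is to raise
# net.netfilter.nf_conntrack_max via sysctl (not discussed in the thread).

CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max

# Percentage of the conntrack table in use. Values may be passed as
# arguments so the check runs without root or without conntrack loaded.
conntrack_usage_pct() {
    count="${1:-$(cat "$CT_COUNT")}"
    max="${2:-$(cat "$CT_MAX")}"
    [ "$max" -gt 0 ] || max=1          # guard against division by zero
    echo $(( count * 100 / max ))
}

# Exit status 0 when usage is at or above the threshold (default 80%).
conntrack_near_full() {
    pct="$(conntrack_usage_pct "$1" "$2")"
    [ "$pct" -ge "${3:-80}" ]
}

# Count kernel messages (read from stdin) reporting a full conntrack table.
# Old kernels log "ip_conntrack:", newer ones "nf_conntrack:".
count_table_full() {
    grep -c -E '(nf|ip)_conntrack: table full, dropping packet'
}

# Constructed sample of kernel log output, as `dmesg` might show it.
SAMPLE_DMESG='[12345.101] nf_conntrack: table full, dropping packet
[12345.102] nf_conntrack: table full, dropping packet
[12345.103] eth0: link is up'

# Stand-alone usage: report on this host if conntrack is loaded, then
# demonstrate the log check on the constructed sample.
if [ -r "$CT_COUNT" ] && [ -r "$CT_MAX" ]; then
    echo "conntrack table usage: $(conntrack_usage_pct)%"
    conntrack_near_full && echo "WARNING: conntrack table nearly full"
fi
echo "table-full messages in sample log: $(printf '%s\n' "$SAMPLE_DMESG" | count_table_full)"
```

Run it on the BIND host (as a user able to read /proc/sys/net/netfilter) while the problem is occurring and pipe real `dmesg` output into `count_table_full`; a high usage percentage or any "table full" messages confirms Stefan's diagnosis, a near-empty table rules it out and points elsewhere.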


-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] 
On behalf of Job
Sent: Wednesday, 4 March 2015 00:41
To: Job; bind-users@lists.isc.org
Subject: R: Too many connections on the same IP

I tried to tune the kernel with SOMAXCONN, but with no solution!
When DNS queries rise above 300 queries per second, bind has huge timeouts 
and often does not respond.
If I work on an IP alias, everything is right!

It seems bind has some limit based on local IP address.

Are there any solutions?

Thank you again!
Francesco

________________________________________
From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] on 
behalf of Job [j...@colliniconsulting.it]
Sent: Tuesday, 3 March 2015 11:43
To: bind-users@lists.isc.org
Subject: Too many connections on the same IP

Hello,

during a massive DNS utilization our Bind 9.10.1-P1 seems not to resolve 
anymore, not even the local zone.
We shut down one of the two nodes and all queries arrived only on one node.

CPU and memory load were not too high, the machine was quite fine.

After some fast tests, I noticed that if from clients I used an IP alias of 
the Bind server, it worked perfectly!

Only on the main IP were there congestion problems, but resolving on IP aliases 
worked fast!

Where was I wrong?

Thank you!
Francesco
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users