Koozali.org: home of the SME Server

Huge amount of DNS sessions?

Marco Hess
Huge amount of DNS sessions?
« on: July 26, 2014, 04:00:38 AM »
I am regularly getting complaints from my users that the Internet connection appears to be out or very slow (and this has been going on for a while, so it is not a recent release problem).

When I get such a complaint and check the diagnostics page on my Draytek router, it is more often than not that my SME server is showing a huge sessions count. Easily well over 5000 or so while the actual Internet bandwidth in use is quite low (10% or so). My Draytek currently even shows a total recorded peak of 8847 sessions.

Looking through the NAT table, it shows that a very large portion of these sessions from my SME server are pretty much all with a destination port 53 for DNS.

So I suspect that 'slow Internet' is pretty much slow DNS responses but I am not sure how to prove this.

The core question is really why my SME server is needing this many thousands of sessions for DNS? It does not sound right to me.

Is this some sort of cache that is being refreshed? If so can I wipe such a cache to start with a clean slate?

I tried restarting /service/dnscache and /service/dnscache.forwarder but that does not seem to make a difference.

This SME is one I had for years. Diligently upgraded over the years but essentially the same.

As a side thought, while my Draytek seems to be coping alright with the number of sessions, over the years I went through a number of different gateways that were 'unreliable' and often needed resetting. Is it possible that these other routers got overwhelmed with the number of sessions and simply 'crashed' or 'locked up' on the number of sessions requested from my SME?

Adelaide - Australia

mmccarn
Re: Huge amount of DNS sessions?
« Reply #1 on: July 26, 2014, 04:20:08 PM »
Don't forget that DNSBL and RHSBL use DNS.  A high level of spam being blocked by dnsbl would show high DNS traffic but low total bandwidth (since the inbound spam connections are dropped).

Another option is that your server has been compromised, and you're *sending* spam -- you would see lots of DNS lookups as your server attempts to deliver mail, but if you're listed on a block list your bandwidth would stay low (everyone would block your connections).

To more directly address your issue:
- tinydns, dnscache, and dnscache.forwarder are all reset at each reboot - I think they cache to memory and don't use cache files.
- are your clients using the SME for DNS?  Is your SME talking to the root servers for DNS, or is it talking to a corporate DNS server or another off-site DNS server?
- I used to configure my DHCP servers to give clients multiple DNS servers.  I found that both Windows and Mac systems misbehaved if the first DNS server listed stopped responding.
- If you look at the dnscache and dnscache.forwarder log files, do the dns queries look reasonable for your office?

Marco Hess
Re: Huge amount of DNS sessions?
« Reply #2 on: July 29, 2014, 07:37:44 AM »
Quote from: mmccarn
Don't forget that DNSBL and RHSBL use DNS.  A high level of spam being blocked by dnsbl would show high DNS traffic but low total bandwidth (since the inbound spam connections are dropped).

Being compromised is a scary thought but I don't think that is the case. I think I would have seen other symptoms as well then. I did run that script to check for hidden processes and nothing was detected, so I think I am Ok from that perspective.

I do get a fair amount of spam, but I had not realized that spam could be knocking on the door and cause DNS lookups. But would this not also mean that there should also be huge amounts of sessions incoming on my SMTP port?

Adelaide - Australia

Knuddi
Re: Huge amount of DNS sessions?
« Reply #3 on: July 29, 2014, 11:45:22 AM »
It actually does not require a huge amount of spam to generate a lot of DNS traffic - every single mail, depending on your configuration, is checked against various lists, each generating a DNS lookup.

If you check your config with "config show qpsmtpd" you can see which lists are being checked for each mail via the RBLList and SBLList configs.

Stefano
Re: Huge amount of DNS sessions?
« Reply #4 on: July 29, 2014, 12:03:03 PM »
I had similar issues in the past (SME 7.X)

every time I solved it using my ISP's DNS server as external DNS resolver

config setprop dnscache Forwarder MY_ISP_DNS_SERVER_IP
service dnscache restart

HTH

Knuddi
Re: Huge amount of DNS sessions?
« Reply #5 on: July 29, 2014, 01:15:08 PM »
Or use Google or OpenDNS - they are quick and sometimes more reliable than the ISP

Marco Hess
Re: Huge amount of DNS sessions?
« Reply #6 on: July 30, 2014, 02:32:00 AM »
Thanks for the suggestions. I think I am going to run for a while with the DNS set to my ISP and see if the problem goes away.
Adelaide - Australia

CharlieBrady
Re: Huge amount of DNS sessions?
« Reply #7 on: July 30, 2014, 03:46:02 AM »
Quote from: Marco Hess
So I suspect that 'slow Internet' is pretty much slow DNS responses but I am not sure how to prove this.

The core question is really why my SME server is needing this many thousands of sessions for DNS? It does not sound right to me.

Is this some sort of cache that is being refreshed? If so can I wipe such a cache to start with a clean slate?

Emptying the DNS cache will only make DNS lookups take longer, because your server won't have any cached records.

You shouldn't do anything until you diagnose your problem.

If you think name resolution is causing Internet access to be slow for your users then you should study dnscache logs to see how much elapsed time there is in resolving some names.

The dnscache logs themselves aren't really human readable, but a script is provided which preprocesses the logs so that they are understandable.

You can view the log like so:

sudo cat /var/log/dnscache.forwarder/current | sudo perl /service/dnscache/dnscache-log.pl | tai64nlocal | less

You will then see what names are being resolved, and what the progress is in doing so.

When I look at my logs, most of the log entries I see are related to DNS blacklist lookups by qpsmtpd.
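The command above makes the log readable with the bundled dnscache-log.pl and tai64nlocal, but the question in the thread is a measurement one: how long do lookups take, and how many of them are qpsmtpd's blocklist checks? The script below is an added example for this thread, not part of SME Server or djbdns. It parses the raw multilog lines of dnscache or dnscache.forwarder directly (tai64n stamp, then dnscache's own `query`/`sent` records), pairs each `query` with its `sent` by serial number to get the elapsed time, counts lookups per DNSBL zone, and reports queries that never got an answer. The sample log lines are constructed, and the DNSBL zone list is an assumption; the real list on a given box is the RBLList/SBLList shown by `config show qpsmtpd`.

```python
"""Summarise a raw djbdns dnscache log: per-lookup latency and who is asking.

Added example for this thread; it is not part of SME Server or djbdns.
It reads the multilog output found in /var/log/dnscache/current or
/var/log/dnscache.forwarder/current, where each line is a tai64n stamp
('@' + 16 hex chars of seconds, offset by 2^62, + 8 hex chars of
nanoseconds) followed by dnscache's own record, e.g.

    query <serial> <client-ip-hex>:<port-hex>:<id-hex> <type> <name>
    sent  <serial> <answer-bytes>

Pairing 'query' and 'sent' by serial gives the elapsed time of each lookup.
"""
import re
import sys
from collections import Counter

TAI64_OFFSET = 1 << 62          # tai64n seconds = 2^62 + unix seconds
NS_PER_S = 10 ** 9

# Zones queried by qpsmtpd's RBL/RHSBL plugins. Assumed for the example;
# the real list on an SME box is RBLList / SBLList in `config show qpsmtpd`.
DNSBL_ZONES = ("zen.spamhaus.org.", "bl.spamcop.net.")

LINE_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (\S+)(?: (.*))?$")

# Constructed sample, not from a real server: three lookups, one of them
# (serial 3) never answered. Serials 2 and 3 are reversed-IP DNSBL queries
# from localhost, i.e. qpsmtpd checking a connecting mail client.
SAMPLE_LOG = """\
@4000000053d33e6a00000000 query 1 c0a80105:a1d0:8c3f 1 www.example.com.
@4000000053d33e6a00000001 cached 1 www.example.com.
@4000000053d33e6a0bebc200 sent 1 64
@4000000053d33e6b00000000 query 2 7f000001:b0d2:1a2b 1 4.3.2.1.zen.spamhaus.org.
@4000000053d33e6d1dcd6500 sent 2 113
@4000000053d33e6e00000000 query 3 7f000001:b0d3:2c3d 1 4.3.2.1.bl.spamcop.net.
@4000000053d33e6e00000002 stats 3 0 1 0
"""


def tai64n_to_ns(secs_hex, nsec_hex):
    """tai64n stamp -> integer nanoseconds since the unix epoch (leap seconds ignored)."""
    return (int(secs_hex, 16) - TAI64_OFFSET) * NS_PER_S + int(nsec_hex, 16)


def classify(name):
    """'dnsbl:<zone>' for a blocklist lookup, 'other' for ordinary resolution."""
    for zone in DNSBL_ZONES:
        if name == zone or name.endswith("." + zone):
            return "dnsbl:" + zone
    return "other"


def summarise(lines):
    """Return (latencies, counts, unanswered).

    latencies:  {serial: (name, elapsed_seconds)} for answered lookups
    counts:     Counter of classify(name) over every query seen
    unanswered: {serial: name} for queries with no matching 'sent' line
    """
    pending = {}            # serial -> (ns, name) until the answer is sent
    latencies = {}
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue        # blank or truncated lines
        ns = tai64n_to_ns(m.group(1), m.group(2))
        verb, rest = m.group(3), m.group(4) or ""
        if verb == "query":
            serial, _client, _qtype, name = rest.split(" ", 3)
            pending[serial] = (ns, name)
            counts[classify(name)] += 1
        elif verb == "sent":
            serial = rest.split(" ", 1)[0]
            if serial in pending:
                t0, name = pending.pop(serial)
                latencies[serial] = (name, (ns - t0) / NS_PER_S)
        # 'cached', 'rr', 'stats', 'tx' etc. are not needed for timing
    unanswered = {serial: name for serial, (_, name) in pending.items()}
    return latencies, counts, unanswered


def slowest(latencies, n=5):
    """The n slowest answered lookups as (name, seconds), slowest first."""
    return sorted(latencies.values(), key=lambda t: t[1], reverse=True)[:n]


if __name__ == "__main__":
    # Real use: python3 dnscache_latency.py < /var/log/dnscache.forwarder/current
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    lat, counts, unanswered = summarise(source)
    for label, n in counts.most_common():
        print(f"{n:6d}  {label}")
    print("slowest answered lookups:")
    for name, secs in slowest(lat):
        print(f"{secs:8.3f}s  {name}")
    print(f"unanswered queries: {len(unanswered)}")
```

A large `unanswered` count, or DNSBL names dominating `slowest`, points at the forwarder or the blocklist servers rather than at the cache, which is why clearing the cache (as the reply above says) would not help; running the script over the forwarder's log before and after switching the Forwarder setting gives a before/after comparison instead of a guess.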