Re: W2k DNS limitation\load
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/04/04
- Previous message: Sharad Naik: "Re: DMZ access by IP # not url"
- In reply to: RRK: "Re: W2k DNS limitation\load"
- Next in thread: Jonathan de Boyne Pollard: "Re: W2k DNS limitation\load"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 4 Aug 2004 01:02:31 -0700
The way I am hearing this is that the application is written
so that it requires a completed answer (no exist or yes, here)
to its query and is not able to handle a referral (go ask here) as
the response.
If this is so then that application should not be doing the resolution
but instead using the system libraries for a resolver. IIRC it is the
responsibility of the resolver to determine the kind of response it
received and to act accordingly. If they want to implement their
own resolution, then they should do so - completely.
That said, it sounds to me that you may be up against the limit at
which the DNS server sends back referrals instead of completing
the resolution so it can return an answer. IIRC there was an adjustment
added sometime after W2k release in order to harden the DNS server
against denial of service attacks based on flooding it with recursive
queries.
The following might help you to see if DNS server is taking protective
action - I do not know - but there may be an informational message that
could help inform us here.
<quote>
To adjust the level of DNS logging in Event Viewer, use the registry key
listed below.
NOTE: In Windows NT 4.0, SP4 or later is required for this key to work.
Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value: EventLogLevel
Type: REG_DWORD
Data values:
0 - Event logging disabled
1 - Only error events
2 - Warning and error events
4 - Information, warning, and error events
For example, if the data value is set to 1, no warning or information events
are logged.
</quote>
If the above does turn up anything new, then the following may
be of assistance:
http://support.microsoft.com/?id=259302
http://support.microsoft.com/?id=287513
I have spent a little time trying to chase down the reg value
introduced when the DoS prevention code was added, but
have not yet turned it up.
If this is what is going on, the reg entry governing the behavior
may be documented in the later KBs of the sequence starting at
http://support.microsoft.com/?id=813963
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"RRK" <google@walkersca.com> wrote in message
news:uRn2QWdeEHA.3684@TK2MSFTNGP09.phx.gbl...
> William,
>
> Error msg from application:
>
> 2004-07-22 00:26:46 Resolver: Warning: received 1036450 unusable
> (non-recursive) responses from 192.168.1.1; see User's Guide for details.
>
> After talking with the software vendor I kinda figured out what is really
> happening. The application needs a recursive response from the DNS server;
> when the DNS server responds with a non-recursive response, it logs it
> saying it can't use it. So my question would be why does MS DNS
> send those type of unusable responses. If this is just an interim response
> from DNS, and the full response will still be provided, then I can ignore
> it. If it is indeed the final response, why is it being sent by the DNS
> rather than a failure response?
> They said from past clients it has come down to a load issue when dealing
> with MS DNS, so they would love to know more about it so they can see how
> to work around it.
>
> I'm going to try to capture the response in question to see what it looks
> like. I'll post the info when I have it available to me.
>
> have a good night
>
>
> "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> news:uY7yhwVeEHA.3684@TK2MSFTNGP09.phx.gbl...
> > MS DNS should/may be posting some kind of error also. Check your DNS
> > event log. You may see something interesting.
> >
> > --
> > William Stacey, MVP
> >
> > "RRK" <google@walkersca.com> wrote in message
> > news:ezvLZfSeEHA.3840@TK2MSFTNGP10.phx.gbl...
> > > William,
> > >
> > > I will get a hold of the software vendor and have them explain what
> > > their error is so I can post it. Posting their error would be
> > > meaningless since it's an error msg they created, not MS DNS.
> > >
> > > In the meantime I'm going to set up NetMon and start logging when the
> > > issue occurs. However, I would love to know what exactly to look for,
> > > and what DNS debug log settings I should either turn on, or what to
> > > look for so that I can get more information.
> > >
> > > thanks William for helping.
> > >
> > > "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> > > news:OHEtLjPeEHA.592@TK2MSFTNGP11.phx.gbl...
> > > > > recursive queries\sec range from 800-2200
> > > > > queries received\sec range from 150-800
> > > > > queries sent\sec range from 150-800
> > > >
> > > > Just curious what kind of requirements require 800-2200 dns queries
> > > > per second?
> > > > Naturally, most of these should be cached after first resolve so you
> > > > should be answering from cache most of time. Unless some kind of
> > > > unique deal going on. Either way, am curious. tia.
> > > >
> > > > > I get tons of recursive query time-outs and fails
> > > > > *maybe I should bump up time-out threshold?
> > > >
> > > > Timeouts from your DNS server waiting on Reply from
> > > > Forwarders/RootHints??
> > > > If so, not sure I would peg that a MS DNS server issue or issue in
> > > > front of your DNS server (i.e. network delay, packet drops, routing
> > > > issue, forwarder issue, etc.) Would need to drill down into the
> > > > NetMon to see the RD Request and the Reply or not Reply as the case
> > > > may be.
> > > >
> > > >
> > > > > The software vendor told me I should dump MS DNS it can't handle
> > > > > the large loads, but I don't accept that as an answer.
> > > >
> > > > I would also hope that is not the answer. I have found that most
> > > > people that are fond of *nix or other platforms tend to use that
> > > > same answer for *everything instead of figuring out what the real
> > > > issue is. What if you change platforms and the issue remains?? Are
> > > > they so sure of that position that they are willing to cover the
> > > > cost of change if that was not the issue?
> > > > I would ask that question for fun to see what the reply is.
> > > >
> > > > That said, I am not discounting that it could be MS DNS under stress
> > > > here, but have not seen info yet that would lead to that conclusion.
> > > > I would first try studying some NetMons to see what is going on -
> > > > great tool for this kind of thing. If the Replies are not coming
> > > > back in time, then I don't see how that is a MS DNS issue - but
> > > > maybe something else is going on.
> > > > I would also PerfMon the Network stack and UDP stats to see if
> > > > something shows up there or how stressed the network is. I would
> > > > also disable all network cards but one just to ease your diag
> > > > matrix. Also disable all protocols but TCP/IP - if possible.
> > > >
> > > > Could you also post the exact message (one or two) in the Log?
> > > > Cheers
> > > >
> > > > --
> > > > William Stacey, MVP
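The point Roger makes at the top of this message, that it is the resolver's job to tell a completed answer from a referral, is easy to see on the wire. The script below is an added example, not code from anyone in this thread; it builds three constructed DNS responses (a completed answer, a referral with an empty answer section and an NS record in the authority section, and an NXDOMAIN), then classifies each the way a stub or iterative resolver is expected to under RFC 1034 section 4.3.1 and RFC 1035 section 4.1.1. The RA flag shows whether the server was willing to recurse at all, which is what an application logging "unusable (non-recursive) responses" is most likely tripping over. Record types, flag bits, the sample names and the 192.0.2.0/24 address are all constructed for illustration.

```python
"""Classify DNS responses as answer / referral / nxdomain / nodata.

Added example; not the thread's or Microsoft's code. Sample packets are
constructed inline (names under example.com, TEST-NET-1 addresses).
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1) and the record types we look at
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def recursion_available(msg):
    """True if the server set RA, i.e. it offers recursion to this client."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & RA)


def classify_response(msg):
    """Decide what kind of response this is, as a resolver must before
    using it: 'answer', 'referral', 'nxdomain', 'nodata', 'error', 'empty'."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F

    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = skip_name(msg, off) + 4   # name + QTYPE + QCLASS

    def section_types(count, off):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        return types, off

    _answer_types, off = section_types(an, off)
    authority_types, off = section_types(ns, off)

    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode != RCODE_NOERROR:
        return "error"
    if an > 0:
        return "answer"                 # completed: records in answer section
    if TYPE_NS in authority_types and not flags & AA:
        return "referral"               # "go ask these servers" - resolver must follow it
    if TYPE_SOA in authority_types:
        return "nodata"                 # name exists, no records of that type
    return "empty"


def build_response(qname, flags, answers=(), authority=()):
    """Constructed response builder. answers/authority: (owner, rtype, rdata)."""
    hdr = struct.pack("!HHHHHH", 0x1234, QR | flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in list(answers) + list(authority):
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


# Three constructed responses to the same query for www.example.com
SAMPLES = {
    "completed answer": build_response(
        "www.example.com", RD | RA | AA,
        answers=[("www.example.com", TYPE_A, bytes([192, 0, 2, 10]))]),
    "referral (no recursion)": build_response(
        "www.example.com", RD,
        authority=[("example.com", TYPE_NS, encode_name("ns1.example.com"))]),
    "nxdomain": build_response("nope.example.com", RD | RA | AA | RCODE_NXDOMAIN),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:24s} RA={recursion_available(msg)!s:5s} -> {classify_response(msg)}")
```

A resolver that treats anything other than "answer" or "nxdomain" as a failure will log exactly the kind of warning RRK quotes whenever its server stops recursing on its behalf; the defensible behaviour is to follow the referral itself or to retry a server that sets RA, not to count the response as an error.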