Discussion:
TCP connections left in CLOSE_WAIT in 9.16.15/16
u***@umbral.org.uk
2021-05-27 11:21:27 UTC
Hello

We updated on Monday from bind-9.16.6/8 to bind-9.16.15/16 on some
public-facing authoritative nameservers. Since then, we are seeing
a build-up of inbound TCP connections to port 53 being left in
CLOSE_WAIT state indefinitely until named is restarted, or exhausting
the tcp-clients limit if not restarted. Anyone else seeing similar?

Platform is 64bit ArchLinux 5.12.6-arch1-1.

This sort of thing (netstat -tn):

tcp 1 0 194.83.56.250:53 40.113.98.76:13214 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 52.232.251.180:61357 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 137.116.220.118:11234 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 23.100.54.67:17825 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 94.245.94.142:12397 CLOSE_WAIT
etc etc etc

On cursory examination, all of the querying IPs appear to be registered
to Microsoft, may imply Windows resolvers, querying for large TXT records
without EDNS, eg the first above:

May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b08033908 40.113.98.76#50868 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT - (194.83.56.250)

May 27 10:06:50 ns12.ja.net named[156930]: client @0x7f7b0895b348 40.113.98.76#13214 (gbmc.ac.uk): query: gbmc.ac.uk IN TXT -T (194.83.56.250)


Regards,
Ronan Flood
(resurrecting an old bind-users subbed address for this, if it works!)
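
A monitoring check for the symptom described in the post above, added here as an example and not part of the original message or of BIND: it parses `netstat -tn` output, counts CLOSE_WAIT sockets on local port 53 per remote address, and compares the total with the tcp-clients limit. The function names, the sample input (documentation-range addresses) and the `warn_ratio` threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -tn` output (documentation-range addresses).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 192.0.2.53:53           198.51.100.7:13214      CLOSE_WAIT
tcp        1      0 192.0.2.53:53           198.51.100.7:50868      CLOSE_WAIT
tcp        1      0 192.0.2.53:53           203.0.113.9:61357       CLOSE_WAIT
tcp        0      0 192.0.2.53:53           203.0.113.20:40000      ESTABLISHED
tcp        0      0 192.0.2.53:22           203.0.113.30:51000      CLOSE_WAIT
tcp6       1      0 2001:db8::53:53         2001:db8::99:40122      CLOSE_WAIT
"""

def close_wait_peers(netstat_text, port=53):
    """Count CLOSE_WAIT sockets per remote address on the given local port."""
    peers = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows have six fields: proto, recv-q, send-q, local, foreign, state.
        # Header lines and other states are skipped.
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] != "CLOSE_WAIT":
            continue
        # Split on the last ':' so IPv6 addresses keep their own colons.
        _, _, lport = f[3].rpartition(":")
        raddr, _, _ = f[4].rpartition(":")
        if lport == str(port):
            peers[raddr] += 1
    return peers

def assess(netstat_text, tcp_clients, warn_ratio=0.5):
    """Return (stuck sockets, share of tcp-clients used, alert flag, top peers)."""
    peers = close_wait_peers(netstat_text)
    total = sum(peers.values())
    ratio = total / tcp_clients
    return total, ratio, ratio >= warn_ratio, peers.most_common(3)

if __name__ == "__main__":
    # tcp_clients=8 is a constructed value so the sample trips the alert;
    # use the tcp-clients setting from your own named.conf.
    total, ratio, alert, top = assess(SAMPLE, tcp_clients=8)
    print(f"CLOSE_WAIT on :53 = {total} ({ratio:.0%} of tcp-clients), alert={alert}")
    for addr, n in top:
        print(f"  {addr}: {n}")
```

Run periodically against live `netstat -tn` output, a total that only ever grows between named restarts matches the behaviour reported in this thread.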
u***@umbral.org.uk
2021-06-01 14:40:45 UTC
Folks, further to this issue, we still had the named.conf option

keep-response-order { any; }; // Disable TCP-pipelining

set as a workaround to an old vulnerability. Removing that appears
to have fixed the CLOSE_WAIT connections we were accumulating.

Regards,
Ronan Flood
Post by u***@umbral.org.uk
Hello
We updated on Monday from bind-9.16.6/8 to bind-9.16.15/16 on some
public-facing authoritative nameservers. Since then, we are seeing
a build-up of inbound TCP connections to port 53 being left in
CLOSE_WAIT state indefinitely until named is restarted, or exhausting
the tcp-clients limit if not restarted. Anyone else seeing similar?
Platform is 64bit ArchLinux 5.12.6-arch1-1.
tcp 1 0 194.83.56.250:53 40.113.98.76:13214 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 52.232.251.180:61357 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 137.116.220.118:11234 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 23.100.54.67:17825 CLOSE_WAIT
tcp 1 0 194.83.56.250:53 94.245.94.142:12397 CLOSE_WAIT
etc etc etc
On cursory examination, all of the querying IPs appear to be registered
to Microsoft, may imply Windows resolvers, querying for large TXT records
Regards,
Ronan Flood
(resurrecting an old bind-users subbed address for this, if it works!)
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
