DNS server Health Check

Source: Internet
Author: User
Tags domain server nslookup
Article Title: explores the running status of DNS servers. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
In Linux, it also provides a popular BIND server, which is the most commonly used server software for building DNS servers. There are many articles about BIND installation. Now let's talk about the maintenance topic. How can we understand the running status of the DNS server? Is it busy and load-intensive? All this is important for system administrators.
To learn about the running status of the DNS server, you can view the log files generated by the DNS server during running.
BIND 8 provides some means to control the log system. However, the logs generated by the default status are enough to understand the current running status of the DNS server.
By default, BIND generates logs through syslog and stores them in the/var/log/message file. Note: The following four files are involved:
/Var/log/message.1
/Var/log/message.2
/Var/log/message.3
/Var/log/message.4
In fact, logs are stored in five files to prevent files from being too large. When the message file is large enough, it becomes message.1, and the original message.1 becomes message.2 ......, The content of message.4 disappears.
Because the log information in this file is generated by syslog, it is not all about BIND log information. Run the following command to select all BIND logs:
More/var/log/message | grep named>/tmp/named. log
Note: The process name of the BIND server is named.
In this way, BIND-related log information in/var/log/message will be written into the/tmp/named. log file. There are two main types of logs: LOG_NOTICE and LOG_INFO.
  
1. LOG_NOTICE-level logs
1. Each time the BIND server named is started, the following LOG_NOTICE-level log information is generated:
Nov 28 10:37:45 www named [10134]: starting. named 8.2.2-P3
Where:
Nov 28 10:37:45 indicates the server startup time
Www display the name of the machine where the DNS server is located
Named [10134]: displays the DNS server process name and process ID.
Starting. the DNS server is being started.
Named 8.2.2-p3 displays the BIND Software Version
2. When an HUP signal is sent to the DNS server to restart the DNS server, the following LOG_NOTICE-level log information is generated:
Nov 28 10:37:45 www named [10134]: reloading nameserver
Where:
Nov 28 10:37:45 indicates the restart time of the server
Www display the name of the machine where the DNS server is located
Named [10134]: displays the DNS server process name and process ID.
Reloading. indicates that the DNS server is being restarted.
Nameserver displays the name of the server being restarted
  
2. LOG_INFO-level logs
When the DNS server is running, a set of LOG_INFO-level logs are generated every one hour to report the running status of the DNS server:
Dec 26 10:23:52 www named [1033]: Cleaned cache of 26 RRset
Dec 26 10:23:52 www named [1033]: USAGE 977797432 976760631 CPU = 6.55u/6.24 s child cpu = 0u/0 s
Dec 26 10:23:52 www named [1033]: NSTATS 977797432 976760631 0 = 2 A = 13192
CNAME = 321 PTR = 11204 MX = 1173 TXT = 4 AAAA = 32 ANY = 4956
Dec 26 10:23:52 www named [1033]: XSTATS 977797432 976760631 RR = 7629 RNXD = 1368
RFwdR = 4836 RDupR = 51 RFail = 159 RFErr = 0 RErr = 12 RAXFR = 0 RLame = 175 ROpts = 0
SSysQ = 2082 SAns = 26234 SFwdQ = 4520 SDupQ = 1263 SErr = 0 RQ = 30889 RIQ = 4 RFwdQ = 0
RDupQ = 259 RTCP = 2 SFwdR = 4836 SFail = 6 SFErr = 0 snans = 21753 SNXD = 10276
  
Next we will explain it one by one:
1. Dec 26 10:23:52 www named [1033]: Cleaned cache of 26 RRset
This is the first line of each set of log information, indicating that the Cache is being cleared.
Where:
Dec 26 10:23:52 indicates the log generation time
Www display the name of the machine where the DNS server is located
Named [1033]: displays the DNS server process name and process ID.
Cleaned cache of 26 RRset indicates that the cache is being cleared
2. Dec 26 10:23:52 www named [1033]: USAGE 977797432 976760631 CPU = 6.55u
/6.24 s child cpu = 0u/0 s
This row is the USAGE line used to count the CPU time occupied by the DNS server.
Where:
Dec 26 10:23:52 indicates the log generation time
Www display the name of the machine where the DNS server is located
Named [1033]: displays the DNS server process name and process ID.
USAGE row mark
The value of 977797432 976760631 977797432-976760631 is the total number of seconds that the DNS server runs.
CPU = 6.55u/6.24 s indicates that the DNS server uses the user State for 6.55 seconds, and the system state for 6.24 seconds (u indicates the user,
S stands for system ),
The child cpu represents the CPU usage of the DNS server sub-process.
3. Dec 26 10:23:52 www named [1033]: NSTATS 977797432 976760631 0 = 2 A = 13192
CNAME = 321 PTR = 11204 MX = 1173 TXT = 4 AAAA = 32 ANY = 4956
This row is an NSTATS row used to count the total number of received queries.
Where:
Dec 26 10:23:52 indicates the log generation time
Www display the name of the machine where the DNS server is located
Named [1033]: displays the DNS server process name and process ID.
NSTATS row mark
The value of 977797432 976760631 977797432-976760631 is the total number of seconds that the DNS server runs.
0 = 2 represents two DNS queries of unknown type
A = 13192 represents 13192 Class A address queries (the most standard)
CNAME = 321 indicates that 321 CNAME class addresses are queried. (generally, some versions of sendmail use the CNAME program.
The canonicalized email address is also sent by dig or nslookup)
PTR = 11204 indicates that the pointer queries 11204 (many software uses this method to find IP addresses)
MX = 1173 indicates 1173 email exchanges (initiated by the email sending Program)
TXT = 4 indicates that the application performs a total of 4 text queries.
AAAA = 32 indicates 32 AAAA queries
ANY = 4956 some Sendmail Address query methods, a total of 4956
Note: There may also be:
NS = xx indicates the Name Server Query (for example, the name server tries to find the root domain server)
SOA = xx indicates secondary DNS update
HINFO = xx host Information Query
NSAP = xx maps the domain name to the OSI Network Service Access Point address
AXFR = xx secondary DNS zone transfer
These do not appear in this example.
4. Dec 26 10:23:52 www named [1033]: XSTATS 977797432 976760631 RR = 7629 RNXD = 1368
RFwdR = 4836 RDupR = 51 RFail = 159 RFErr = 0 RErr = 12 RAXFR = 0 RLame = 175 ROpts = 0 SSysQ = 2082
SAns = 26234 SFwdQ = 4520 SDupQ = 1263 SErr = 0 RQ = 30889 RIQ = 4 RFwdQ = 0
RDupQ = 259 RTCP = 2
SFwdR = 4836 SFail = 6 SFErr = 0 snans = 21753 SNXD = 10276
This is an XSTATS row used to count other data.
Where:
Dec 26 10:23:52 indicates the log generation time
Www display the name of the machine where the DNS server is located
Named [1033]: displays the DNS server process name and process ID.
NSTATS row mark
The value of 977797432 976760631 977797432-976760631 is the total number of seconds that the DNS server runs.
RR = 7629 indicates that a total of 7629 responses are received from other hosts (the number of responses obtained from queries sent by DNS to other machines or processes is irrelevant to RQ)
RNXD = 1368 indicates that a total of 1368 answers were received "No such domain ".
RFwdR = 108 receive 108 responses to the original query
RDupR = 51 repeated responses: 51 (when the DNS does not find the original query that caused the response in its pending query list, the response is a repeated response)
RFail = 159 received 159 SERVFAIL (Remote Server Error)
RFErr = 0 didn't receive FORMERR (the remote name server considers that the query of the local name server has a format error)
Rerr = 12 receive 12 errors except SERVFAIL and FORMERR
RAXFR = 0 0 total 0 transfers
RLame = 175 receive 175 bad authorizations (meaning some zones are authorized to other name servers, and this name server is not the authority of this zone)
ROpts = 0 total number of packets with IP option received is 0
SSysQ = 2082 a total of 2082 system queries were issued (system queries are performed by the local name server. Mostly for root name servers)
SAns = 26234 answered a total of 26234 queries
SFwdQ = 4520 is not on this name server, but there are a total of 4520 forwarding entries.
SDupQ = 1263 repeated queries: 1263
SErr = 0 Total Number of non-SERVFAIL and FORMERR errors
RQ = 30889 a total of 30889 queries are received
RIQ = 4 received four reverse queries (reverse query is used to map the address to the name, and now this function is implemented by PTR. Earlier nslookup uses this query)
RFwdQ = 0 no query to be further processed
RDupQ = 259 a total of 259 duplicate queries
RTCP = 2 receive two queries over TCP connections (generally UDP)
SFwdR = 4836 responses forwarded by other name servers: 4836
SFail = 6 6 SERVFAIL responses
SFErr = 0 Number of FORMERR responses
Snail ans = 21753 unauthoritative answers totaling 21753
SNXD = 10276: no answer for this domain
  
These statistics are the total statistics from the DNS activation to the present, rather than the statistics in this hour. How does one measure the load on a DNS server? It's easy to simply divide the total number of queries by the total time of DNS running. Don't you know? In this example, the DNS server is running: 977797432-976760631 = 1036801 seconds = 288 hours
Note: You can obtain data from lines 2nd, 3, and 4.
Total query requests include: 2 + 13192 + 321 + 11204 + 1173 + 4 + 32 + 4956 = 20884
Note: You can obtain the number of rows from 2nd, that is, 107 query requests per hour, less than two times per second. It can be seen that the load is still relatively small.
  

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.