proxied requests hang when DNS response has wrong ident

Pramod Korathota
July 15, 2014 06:06AM
We have recently discovered a very rare occurrence when requests through
nginx will hang if the resolver sends a response with a mismatching ident.
We are seeing this in production with 1.7.1 and I have been able to
re-produce with 1.7.3. The relevant parts of the config are:

resolver 10.65.255.4;

location / {
    proxy_pass http://$host.internal$request_uri;
}

So we basically proxy <customer>.atlassian.net to
<customer>.atlassian.net.internal. The resolver is a pdns recursor running
on the same machine.

The error we see in the logs is:

2014/06/19 20:22:29 [error] 28235#0: wrong ident 57716 response for customer.atlassian.net.internal, expect 39916
2014/06/19 20:22:29 [error] 28235#0: unexpected response for customer.atlassian.net.internal
2014/06/19 20:22:59 [error] 28235#0: *23776286 customer.atlassian.net.internal could not be resolved (110: Operation timed out), client: 83.244.247.165, server: *.atlassian.net, request: "GET /plugins/ HTTP/1.1", host: "customer.atlassian.net", referrer: "https://customer.atlassian.net/secure/Dashboard.jspa"

I have been able to re-produce this error in a test environment - this is
what I used:

- a basic python script pretending to be a recursive resolver, which can
mangle the ident of a response. The resolver directive of nginx is pointed
to this recursor. I added in a delay of 100ms before sending a reply (based
on http://code.activestate.com/recipes/491264-mini-fake-dns-server/).
- A proxy configuration same as above - only the resolver and
location/proxy_pass lines were added to a default nginx config
- Static webserver as the backend
- GNU parallel + curl to issue concurrent requests

When the ident is correct, the system behaves as expected. However, if an
ident is incorrect, AND nginx gets multiple concurrent (5) requests for
that same backend, we see all the requests hanging. Doing a tcpdump for DNS
traffic shows the first request going out, and the response coming back with
the wrong ident, but no subsequent DNS requests. The critical factor seems
to be multiple incoming requests to nginx, while a DNS request is in-flight.

If needed I can provide all the scripts and config I used to produce the
error.

Thanks!

Pramod Korathota
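
Added example, not part of the original post and not nginx code: a log check that pairs each "wrong ident" error with a later "could not be resolved" timeout for the same name in the same worker, which is the pattern in the excerpt above. The function name, the 35-second window and the sample lines (re-joined from the post, with placeholder client addresses and one constructed extra line) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first three lines follow the excerpt in the post
# (client address replaced by a placeholder); the fourth is made up.
SAMPLE_LOG = """\
2014/06/19 20:22:29 [error] 28235#0: wrong ident 57716 response for customer.atlassian.net.internal, expect 39916
2014/06/19 20:22:29 [error] 28235#0: unexpected response for customer.atlassian.net.internal
2014/06/19 20:22:59 [error] 28235#0: *23776286 customer.atlassian.net.internal could not be resolved (110: Operation timed out), client: 192.0.2.10, server: *.atlassian.net, request: "GET /plugins/ HTTP/1.1", host: "customer.atlassian.net"
2014/06/19 20:25:00 [error] 28240#0: *23776300 other.atlassian.net.internal could not be resolved (110: Operation timed out), client: 192.0.2.11, server: *.atlassian.net, request: "GET / HTTP/1.1", host: "other.atlassian.net"
"""

PREFIX = r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] (?P<pid>\d+)#\d+: "
WRONG_IDENT = re.compile(
    PREFIX + r"wrong ident (?P<got>\d+) response for (?P<name>\S+), expect (?P<want>\d+)")
TIMED_OUT = re.compile(PREFIX + r"\*\d+ (?P<name>\S+) could not be resolved \(110: ")


def parse_ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def correlate(log_text, window_seconds=35):
    """Return resolve timeouts that follow a wrong-ident error for the same
    name in the same worker pid within window_seconds (assumed window)."""
    window = timedelta(seconds=window_seconds)
    last_mismatch = {}  # (pid, name) -> (timestamp, got ident, expected ident)
    findings = []
    for line in log_text.splitlines():
        m = WRONG_IDENT.match(line)
        if m:
            key = (m["pid"], m["name"])
            last_mismatch[key] = (parse_ts(m["ts"]), int(m["got"]), int(m["want"]))
            continue
        m = TIMED_OUT.match(line)
        if not m:
            continue
        prior = last_mismatch.get((m["pid"], m["name"]))
        if prior and timedelta(0) <= parse_ts(m["ts"]) - prior[0] <= window:
            findings.append({
                "name": m["name"], "pid": int(m["pid"]),
                "got_ident": prior[1], "expected_ident": prior[2],
                "stall_seconds": int((parse_ts(m["ts"]) - prior[0]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A timeout with no preceding mismatch for the same worker and name, like the last sample line, is not reported.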