named.stats - Contains BIND server statistics
The named.stats file contains server statistics for
queries to and from hosts in a BIND environment. You can
use this data to determine the load on a DNS server and
diagnose problems.
See the named(8) reference page for information about how
to specify the name and location of the named.stats file;
the default is /var/tmp/named.stats.
The query fields for global and per-node statistics, as
specified in the LEGEND section of the named.stats file,
are defined as follows:

    RR      Received a response from a node
    RNXD    Received a negative response from a node
    RFwdR   Received a response from a node that this node
            had to forward
    RDupR   Received an extra answer from a node
    RFail   Received a server failed message (SERVFAIL)
            from a node
    RFErr   Received a format error message (FORMERR) from
            a node
    RErr    Received some other error from a node
    RAXFR   Received a zone transfer request message (AXFR)
            from a node
    RLame   Received a lame delegation from a node
    ROpts   Received some IP options from a node
    SSysQ   Sent a node a system query
    SAns    Sent a node an answer
    SFwdQ   Forwarded a query to a node
    SDupQ   Sent a node a retry
    SErr    Sent to a node, but the send failed (in sendto)
    RQ      Received a query from a node
    RIQ     Received an inverse query from a node
    RFwdQ   Received a query from a node that this node had
            to forward
    RDupQ   Received a retry from a node
    RTCP    Received a query using TCP from a node
    SFwdR   Forwarded a response to a node
    SFail   Sent a node a server failed message (SERVFAIL)
    SFErr   Sent a node a format error message (FORMERR)
    SNaAns  Sent a non-authoritative answer to a node
    SNXD    Sent a negative response to a node

The following example is an excerpt of a named.stats file:

    +++ Statistics Dump +++ (917839766) Sun Jan 31 22:29:26 1999
    370508  time since boot (secs)
    370508  time since reset (secs)
    130     Unknown query types
    711033  A queries
    35      NS queries
    37      CNAME queries
    40      SOA queries
    2       MB queries
    198963  PTR queries
    26088   MX queries
    1       TXT queries
    20      AAAA queries
    60910   ANY queries
    ++ Name Server Statistics ++
    (Legend)
            RR      RNXD    RFwdR   RDupR   RFail
            RFErr   RErr    RAXFR   RLame   ROpts
            SSysQ   SAns    SFwdQ   SDupQ   SErr
            RQ      RIQ     RFwdQ   RDupQ   RTCP
            SFwdR   SFail   SFErr   SNaAns  SNXD
    (Global)
            537 231 479 0 2  10 0 0 5 0  54 56382 479 8 2  38849 3 0 0 6  479 2 5 19057 1285
    [0.0.0.0]
            0 0 2 0 0  0 0 0 0 0  0 0 0 4 0  0 0 0 0 0  23 1 0 0 0
    [4.0.38.18]
            0 0 0 0 0  0 0 0 0 0  0 2 0 0 0  2 0 0 0 0  0 0 0 0 0
    [4.0.147.94]
            0 0 0 0 0  0 0 0 0 0  0 1 0 0 0  1 0 0 0 0  0 0 0 0 0
    . . .

The values in each entry below the (Global) delimiter are
separated into five groups, each with five numbers. These
groups of numbers correlate to the fields in the Legend
section of the file, which are separated into similar
groups.
From the left of an entry, the first field is RR, the next
is RNXD, and so on. In the next group of five on the same
line, the first field is RFErr, the next is RErr, and so
on.
In the Global entry, you can see that, in total, there
were 537 queries received, 231 negative responses
received, 479 queries that were forwarded to other BIND
servers, and so on. Subsequent entries can be interpreted
in a similar manner.
The Global values in this example are indicative of several
problems:

    RFail = 2
        The server received 2 failure messages from a node
        or nodes. There might be a problem with the nodes
        that attempted to query the server. Find the IP
        addresses of the nodes and contact the administrators.

    RFErr = 10
        The server received 10 improperly formatted queries
        from a node or nodes. If this happens consistently,
        a hacker might be trying to break into the
        server. You should run a monitoring tool to collect
        more data.

    RLame = 5
        The server received 5 lame delegations. This problem
        occurs if nodes query the server for information
        regarding a zone for which it has no authority.
        It is usually a temporary condition, but if
        the problem persists, contact the nodes' administrators
        and ask them to check their configurations.

    RDupR = 8
        A node or nodes sent multiple copies of the same
        query to the server. These errors are usually
        benign, but nodes should give up after 3 attempts.
        If the number of duplicates is fairly high, there
        might be a problem with the nodes or the network.

    SErr = 2
        The server attempted to send 2 queries to a forwarder
        or forwarders by using the sendto system
        call, and the attempts failed. Check your configuration
        and make sure that all of the forwarders you
        listed are reachable.

    RIQ = 3
        The server received 3 inverse queries. These
        queries are usually benign, but if the value is
        fairly high, a hacker might be trying to break into
        the server. You should run a monitoring tool to
        collect more data.

    SFail = 2
        The server sent 2 failure messages to a node or
        nodes. These failures are usually benign, but
        might not be under certain conditions. If the
        server sends many SFail errors to one node, there
        might be a problem with that node. If the node is
        another nameserver, it might be a lame nameserver.
        If the node is a host, it is sending abnormal
        queries. You should find the offending node and
        resolve the problem.

    SFErr = 5
        The server informed a node or nodes that their
        requests were improperly formatted. The value of
        this field usually correlates to the RFErr field.
        You should find the offending node and resolve the
        problem.

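Added example, not part of the original reference page: a Python parser that pairs each entry's 25 values with the Legend fields and lists the non-zero counters this page recommends investigating, per node as well as globally. The sample input is constructed from the excerpt above; the function names and the WATCH list are assumptions of this example.

```python
import re

# Constructed sample: the Legend and first entries of the excerpt on this page.
SAMPLE = """\
++ Name Server Statistics ++
(Legend)
    RR RNXD RFwdR RDupR RFail
    RFErr RErr RAXFR RLame ROpts
    SSysQ SAns SFwdQ SDupQ SErr
    RQ RIQ RFwdQ RDupQ RTCP
    SFwdR SFail SFErr SNaAns SNXD
(Global)
    537 231 479 0 2  10 0 0 5 0  54 56382 479 8 2  38849 3 0 0 6  479 2 5 19057 1285
[0.0.0.0]
    0 0 2 0 0  0 0 0 0 0  0 0 0 4 0  0 0 0 0 0  23 1 0 0 0
[4.0.38.18]
    0 0 0 0 0  0 0 0 0 0  0 2 0 0 0  2 0 0 0 0  0 0 0 0 0
"""

# Assumed watch list: the fields this page singles out for investigation.
WATCH = ("RFail", "RFErr", "RLame", "RDupR", "SErr", "RIQ", "SFail", "SFErr")

def parse_named_stats(text):
    """Return {entry label: {legend field: count}} for the name server section."""
    legend, entries, label, in_legend = [], {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "(Legend)":
            in_legend = True
        elif line == "(Global)" or re.fullmatch(r"\[[0-9a-fA-F.:]+\]", line):
            in_legend, label = False, line.strip("()[]")
            entries[label] = []
        elif in_legend:
            legend.extend(line.split())
        elif label and re.fullmatch(r"[\d\s]+", line):
            entries[label].extend(int(n) for n in line.split())
    # Values may wrap across lines, so pair them with the legend only at the end.
    bad = [k for k, v in entries.items() if len(v) != len(legend)]
    if bad:
        raise ValueError(f"entries with wrong field count: {bad}")
    return {k: dict(zip(legend, v)) for k, v in entries.items()}

def flag(stats, watch=WATCH):
    """List (entry, field, count) for every non-zero watched counter."""
    return [(e, f, c[f]) for e, c in stats.items() for f in watch if c.get(f)]

if __name__ == "__main__":
    for entry, field, count in flag(parse_named_stats(SAMPLE)):
        print(f"{entry:<12} {field:<6} {count}")
```

Because the counters are cumulative since the last reset, comparing the output of two successive dumps shows which nodes are currently generating the errors.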
The syslogd daemon offers a partial listing of the
named.stats data in the daemon.log file.
Commands: named(8), syslogd(8)
named.stats(4)