LFD Stalling During DNS Lookups

Post Reply
user4473
Junior Member
Posts: 7
Joined: 20 Aug 2012, 16:28

LFD Stalling During DNS Lookups

Post by user4473 »

Hello,

I'm using generic CSF 6.0 on Gentoo.

I have a couple custom regexes that scans apache access_log and modsec_audit log. The regexes work correctly. When these rules match there is a flood of errors from a single ip, 10's of accesses per second.

Looking at strace, LFD seems to be trying to resolve the hostname for every logline that matches the pattern? Is this correct? On hosts with valid DNS, or a valid DNS server where the ip just doesn't resolve (NXDOMAIN), this is not a problem. But on hosts with a down/unreachable DNS server (SERVFAIL)), this causes LFD to "queue up" many hundreds of resolve requests while it waits for each SERVFAIL to time-out. While LFD is backed up like this, it fails to match any further log entries, and it's impossible to even restart LFD without hard kill -9'ing it... *Error* attempt to start lfd when it is already running, at line 132

Thanks
ForumAdmin
Moderator
Posts: 1504
Joined: 01 Oct 2008, 09:24

Re: LFD Stalling During DNS Lookups

Post by ForumAdmin »

That is probably due to either entry lookups in csf.rignore or when LF_LOOKUPS is enabled. We'll look at using a dns cache in the next release.
Post Reply