dns故障引发子网流量异常（DNS fault raises subnet traffic anomalies）

dns故障引发子网流量异常（DNS fault raises subnet traffic anomalies） dns故障引发子网流量异常(DNS fault raises subnet traffic anomalies) This is a friend of network fault, fault is typical, troubleshooting ideas more desirable. So the journey to find the solution, all told the world, hope everyone after use. 1. Symptom description Customers call report center network is basically normal, but a subnet suddenly slows down. This is the local railway network services company, the company provides Web services and Internet access service for ordinary users. A few days ago, the area of service users reflect the network speed is very slow, Email also need to wait more than 60 seconds over time to Unicom. This area is divided into a sub network, network management system from the host housing observation found that in addition to the area (subnet) router traffic is very high (test 97%), interactive traffic center network routers and other sub networks was below 40%. In addition, no other special phenomenon. 2 、 diagnostic process Railway maintenance personnel conducted their own network debugging but did not find the fault, unable to disconnect the network user service stop to check, and turn to us, I was sent out. It should be said that judging from the symptoms of this fault is relatively simple, as long as the found routing subnet traffic sources can quickly determine the direction of fault further, it can find out the source of traffic immediately. From the network topology, fault sub network and Network Center for the E1 link. There is a hall fault sub network below, only interact with some business data center network should not have too much traffic. In addition, the number of Web server under the subnet to 45 units, the network management system report center 97% the traffic is certainly too high. I consider the effective flow only in one situation can more occupy the E1 channel, that is the fault of multimedia documents between the website and the subnet network site or server transmission or download service will cause this situation. But the management staff asked that the network does not provide such as multimedia video playback and download service. It can only use tools to detect. Because of the relatively small size of the network fault management system, network support only to router level management, switch and server etc. using the desktop switches cheap, it can not support the network management. The network access switch tester for testing, started carrying the network management function, you can see the router observation flow and network management system the flow is the same, are around 97%. (ylmf skills) This view is connected with the router traffic center network, is about 997%, indicating that the channel router link performance is basically normal. But this will inevitably lead to high flow channel router congestion and packet loss, so from the perspective of flow is not normal. Now need to understand is that the routing traffic is so high where it came from. The packets arriving at the router and later to. So you can quickly locate to the data source and the source channel traffic congestion so high. The router channel network traffic analyzer access network monitoring and analysis, results showed that 95% of the traffic flow data server, and the majority of HTTP and Email. Among them, Internet traffic accounted for 88%, traffic sources distribution of local traffic accounted for 7%. instructions to check the flow of the analyzer, no traffic concentration application discovery, IP address distribution is balanced, the highest rate accounted for only 0.5%.. These data suggest that the application proportion of user equilibrium, the cause of the malfunction should be in the application process rather than a centralized user "bombardment" such as hackers. That is to say, the process and application of channel should be out of the question. The reason is that these flow at channel design should not reach the business hall network service server, but should enter the Internet directly from the Internet router center network. So, the flow is to be guided to the direction of the business hall server? Here we carry out further analysis, we know that the IP data packet in the transmission process will address resolution in the router (ARP), or domain name analysis in the local DNS. If the path analysis problems, the IP transmission of data packet and exchange will be a problem. According to the traffic analyzer's instructions, the arbitrary choose 10 IP address routing tracking test results for tracking network tester is that they must pass through a DNS server. And imitate the business hall of known members of the network are local and foreign users ICMP monitoring and route tracking test, the data packet redirection ICMP monitoring target accounted for 82%. Not up to the number of data packets for 13%. which show that only about 2% of the users can access the normal route to the target site, the remaining 95% of the IP data packet to go through competition or re sent to the routing part The opportunity arrives at the destination This transformation can focus on examination of the main router routing table and DNS table. Since the majority of Internet traffic is directed to the business server, so you can focus on the server. Check the DNS query to the DNS server by network tester, observation results showed that DNS conversion table has a considerable proportion to business hall network service server. I suspect the DNS server is out of the question! So the notification center network management personnel will restart the DNS server and quickly set up a network management network business report later returned to normal. Using network analyzer Internet toolkit querying the DNS server, you can see to business server data has disappeared, which indicates that the network has been fully restored to normal work but good times don't last long., about 3 minutes after the fault appears again, still have 97% of the channel flow is directed to a subnet. Because the DNS server set only one, no backup server, and had to immediately came to the center of network computer room, to check the DNS server and its peripheral equipment. The test server adapter and cable and router. In order not to interrupt the normal service, the author makes network management personnel set up a temporary installation of DNS server in another backup server. After a brief interruption of business, the replacement of a new DNS server application started. See the subnet router traffic immediately reduced to 1.5%. after 30 minutes of work after all users were restored to the normal working state, fault elimination. 3, the cause of the failure As we all know, the DNS server for the user domain names into IP addresses, generally does not appear what problem. But for some reason, causing all point to the business office network service server address translation in this case. The similar business server does not have the routing function, IP packets that are sent either are rejected, collocated, ignored, or returned to unreachable or redirected packets. This is what we often observe when monitoring ICMP The number of users of local railway is not much, but with higher network bandwidth for the ATM link 155M, a large surplus, so Internet users access to the Internet speed is mainly affected by the subnet bandwidth. Because many users through E1 invalid link congestion, routing redirection and cause serious delay of IP data. A large number of packets to hold only 2M bandwidth of the subnet router, traffic reached 97%, resulting in sub network speed suddenly slow, serious congestion router phenomenon. 4, two suggestions (1) the.DNS server should have a regular medical examination" Based on DNS service in order to prevent instability caused by business interruption or error, many network administrators are installed in the alternate DNS server set up DNS server, which is not only the installation of a DNS server. But it also poses a potential danger, which is the main DNS server, backup server automatically put into operation, it will sacrifice the network bandwidth, the overall performance of the system decreased. The danger is that the decline in performance is often to imperceptibly. So, in order to ensure that the network is often in good working condition, the conversion network managers need to periodically check the DNS server. The fault at the DNS error led to the user's IP data packets on the subnet server, but if the alignment is not a server in the local network of network center instead of a machine, then the fault strength will be weakened, the user will not feel very obviously slower. It may not feel obvious "discomfort" which makes the network for a long time to stop the operation. Like people, regular physical examination is necessary for timely detection of disease and risk. And how to discover the problems of routing optimization, and network test in the regular project content on a large network, it is necessary, we must adhere to the regular maintenance and testing. (2) real time monitoring of network status Many network devices such as routers, switches, hubs, can only support SNMP network management function, but in order to monitor the network channel function, network equipment also need to support full RMON and RMON2. use this equipment set up the network management and fault diagnosis function is very good. But the real problem is that such a network device the price of ordinary network equipment 6 ~ 10 times, it is difficult for users to accept. Therefore, in order to monitor the service flow and the proportion of application and network sources, unpack analysis records and when necessary, suggestions for users to install monitoring interface in the server channel or channel routing. If necessary at any time will flow analyzer, network analyzer access monitoring and analysis. In this way, the fault detection time can be shortened to 20 minutes or so. Of course, if the money. Xu, you can also flow analyzer long-term access channel for a number of important network devices at full speed, transparent traffic monitoring, so that you can reduce the fault location time to less than 1 minutes This "home visit" generally works well. In fact, every visit is a chance to learn and improve. Maybe the above case is just a case. You may not meet, But troubleshooting ideas or worth learning. In addition, I suggest that the hope can cause everybody's attention at the end of the two.