Museum

Home

Lab Overview

Retrotechnology Articles

⇒ Online Manual

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

named(8)

syslogd(8)

named.stats(4)  —  File Formats

NAME

named.stats − Contains BIND server statistics

DESCRIPTION

The named.stats file contains server statistics for queries to and from hosts in a BIND environment.  You can use this data to determine the load on a DNS server and diagnose problems. 

See the named(8) reference page for information about how to specify the name and location of the named.stats file; the default is /var/tmp/named.stats. 

The query fields for global and per-node statistics, as specified in the LEGEND section of the named.stats file, are defined as follows:

RRReceived a response from a node

RNXDReceived a negative response from a node

RFwdRReceived a response from a node that this node had to forward

RDupRReceived an extra answer from a node

RFailReceived a server failed message (SERVFAIL) from a node

RFErrReceived a format error message (FORMERR) from a node

RErrReceived some other error from a node

RAXFRReceived an zone transfer request message (AXFR) from a node

RLameReceived a lame delegation from a node

ROptsReceived some IP options from a node

SSysQSent a node a system query

SAnsSent a node an answer

SFwdQForwarded a query to a node

SDupQSent a node a retry

SErrSent to a node, but the send failed (in sendto)

RQReceived a query from a node

RIQReceived an inverse query from a node

RFwdQReceived a query from a node that this node had to forward

RDupQReceived a retry from a node

RTCPReceived a query using TCP from a node

SFwdRForwarded a response to a node

SFailSent a node a server failed message (SERVFAIL)

SFErrSent a node a format error message (FORMERR)

SNaAnsSent a non-authoritative answer to a node

SNXDSent a negative response to a node

EXAMPLES

The following example is an excerpt of a named.stats file:

+++ Statistics Dump +++ (917839766) Sun Jan 31 22:29:26 1999
370508  time since boot (secs)
370508  time since reset (secs)
130     Unknown query types
711033  A queries
35      NS queries
37      CNAME queries
40      SOA queries
2       MB queries
198963  PTR queries
26088   MX queries
1       TXT queries
20      AAAA queries
60910   ANY queries
++ Name Server Statistics ++
(Legend)
        RR      RNXD    RFwdR   RDupR   RFail
        RFErr   RErr    RAXFR   RLame   ROpts
        SSysQ   SAns    SFwdQ   SDupQ   SErr
        RQ      RIQ     RFwdQ   RDupQ   RTCP
        SFwdR   SFail   SFErr   SNaAns  SNXD
(Global)
        537 231 479 0 2  10 0 0 5 0  54 56382 479 8 2  38849 3 0 0 6  479 2 5
19057 1285
[0.0.0.0]
        0 0 2 0 0  0 0 0 0 0  0 0 0 4 0  0 0 0 0 0  23 1 0 0 0
[4.0.38.18]
        0 0 0 0 0  0 0 0 0 0  0 2 0 0 0  2 0 0 0 0  0 0 0 0 0
[4.0.147.94]
        0 0 0 0 0  0 0 0 0 0  0 1 0 0 0  1 0 0 0 0  0 0 0 0 0
.
.
.

The values in each entry below the (Global) delimeter are separated into five groups, each with five numbers.  These groups of numbers correlate to the fields in the Legend section of the file, which are separated into similar groups. 

From the left of an entry, the first field is RR, the next is RNXD, and so on.  In the next group of five on the same line, the first field is RFErr, the next is RErr, and so on. 

In the Global entry, you can see that, in total, there were 537 queries received, 231 negatives responses received, 479 queries that were forwarded to other BIND servers, and so on.  Subsequent entries can be interpreted in a similar manner. 

The Global values in this example are indicative of several problems:

       •RFail = 2

The server received 2 failure messages from a node or nodes.  There might be a problem with the nodes that attempted to query the server.  Find the IP addresses of the nodes and contact the administrators. 

       •RFErr = 10

The server received 10 improperly formatted queries from a node or nodes.  If this happens consistently, a hacker might be trying to break into the server.  You should run a monitoring tool to collect more data. 

       •RLame = 5

The server received 5 lame delegations.  This problem occurs if nodes query the server for information regarding a zone for which it has no authority.  It is usually a temporary condition, but if the problem persists, contact the nodes’ administrators and ask them to check their configurations. 

       •RDupR = 8

A node or nodes sent multiple copies of the same query to the server.  These errors are usually benign, but nodes should give up after 3 attempts.  If the number of duplicates is fairly high, there might be a problem with the nodes or the network. 

       •SErr = 2

The server attempted to send 2 queries to a forwarder or forwarders by using the sendto system call, and the attempts failed.  Check your configuration and make sure that all of the forwarders you listed are reachable. 

       •RIQ = 3

The server received 3 inverse queries.  These queries are usually benign, but if the value is fairly high, a hacker might be trying to break into the server.  You should run a monitoring tool to collect more data. 

       •SFail = 2

The server sent 2 failure messages to a node or nodes.  These failures are usually benign, but might not be under certain conditions.  If the server sends many SFail errors to one node, there might be a problem with that node.  If the node is another nameserver, it might be lame nameserver.  If the node is a host, it is sending abnormal queries.  You should find the offending node and resolve the problem. 

       •SFerr = 5

The server informed a node or nodes that their requests were improperly formatted.  The value of this field usually correlates to the RFErr field.  You should find the offending node and resolve the problem. 

FILES

daemon.log

The syslogd daemon offers a partial listing of the named.stats data in the daemon.log file. 

RELATED INFORMATION

Commands: named(8), syslogd(8)
 

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026