CLOSE_WAIT #148

Open
publicarray opened this issue May 4, 2018 · 3 comments

publicarray commented May 4, 2018

I'm not sure but I think the wrapper is not closing closed connections properly:

good

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp        0      0 dnscrypt-768656ff6d:443 10.152.0.2:34008        TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.152.0.3:50373        TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55576 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.152.0.2:50374        TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55574 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55578 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.152.0.3:50371        TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.152.0.2:50367        TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55556 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.152.0.3:50372        TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.152.0.3:50190        TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55558 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55582 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55580 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.56.2.1:20834         TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55586 unbound.default.svc.:53 TIME_WAIT  
tcp        0      0 dnscrypt-768656ff6d:443 10.56.2.1:20834         TIME_WAIT  
tcp        0      0 dnscrypt-768656ff:55586 unbound.default.svc.:53 TIME_WAIT  
udp        0      0 0.0.0.0:48047           0.0.0.0:*                          
udp        0      0 0.0.0.0:443             0.0.0.0:*                          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path

As it happens

$ netstat -a -n
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp        0      0 10.56.2.13:43356        10.59.242.77:53         TIME_WAIT  
tcp        0      0 10.56.2.13:443          10.152.0.3:52602        TIME_WAIT  
tcp        0      0 10.56.2.13:43328        10.59.242.77:53         TIME_WAIT  
tcp        0      0 10.56.2.13:443          10.152.0.2:52641        TIME_WAIT  
tcp      323      0 10.56.2.13:443          10.56.2.1:57788         CLOSE_WAIT 
tcp        0      0 10.56.2.13:443          10.152.0.3:51751        TIME_WAIT  
tcp        0      0 10.56.2.13:43390        10.59.242.77:53         TIME_WAIT  
udp        0      0 0.0.0.0:48010           0.0.0.0:*                          
udp        0      0 0.0.0.0:443             0.0.0.0:*                          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path

Bad (no more queries are being answered until a dnscrypt-wrapper restart)

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp      323      0 dnscrypt-768656ff6d:443 10.152.0.3:3232         CLOSE_WAIT 
tcp       48      0 dnscrypt-768656ff6d:443 10.152.0.3:53468        CLOSE_WAIT 
tcp      195      0 dnscrypt-768656ff6d:443 10.152.0.2:34023        CLOSE_WAIT 
tcp      323      0 dnscrypt-768656ff6d:443 10.152.0.3:1908         CLOSE_WAIT 
tcp       48      0 dnscrypt-768656ff6d:443 10.152.0.2:53527        CLOSE_WAIT 
tcp       48      0 dnscrypt-768656ff6d:443 10.152.0.3:49746        CLOSE_WAIT 
tcp      259      0 dnscrypt-768656ff6d:443 10.152.0.2:58956        CLOSE_WAIT 
tcp      259      0 dnscrypt-768656ff6d:443 10.152.0.3:32736        CLOSE_WAIT 
tcp       48      0 dnscrypt-768656ff6d:443 10.152.0.2:49736        CLOSE_WAIT 
tcp       48      0 dnscrypt-768656ff6d:443 10.152.0.2:20808        CLOSE_WAIT 
tcp      195      0 dnscrypt-768656ff6d:443 10.152.0.3:3420         CLOSE_WAIT 
tcp      259      0 dnscrypt-768656ff6d:443 10.152.0.3:1915         CLOSE_WAIT 
tcp      323      0 dnscrypt-768656ff6d:443 10.152.0.2:58366        CLOSE_WAIT 
tcp      195      0 dnscrypt-768656ff6d:443 10.152.0.2:3404         CLOSE_WAIT 
tcp      387      0 dnscrypt-768656ff6d:443 10.152.0.3:35672        CLOSE_WAIT 
tcp       48      0 dnscrypt-768656ff6d:443 10.56.2.1:9866          CLOSE_WAIT 
tcp      387      0 dnscrypt-768656ff6d:443 10.152.0.3:3424         CLOSE_WAIT 
tcp      195      0 dnscrypt-768656ff6d:443 10.152.0.2:3416         CLOSE_WAIT 
udp        0      0 0.0.0.0:443             0.0.0.0:*                          
udp        0      0 0.0.0.0:54437           0.0.0.0:*                          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path

$ ss -tano
State      Recv-Q Send-Q                        Local Address:Port                                       Peer Address:Port              
LISTEN     0      128                                       *:443                                                   *:*                  
CLOSE-WAIT 323    0                                10.56.2.13:443                                          10.152.0.3:30367              
CLOSE-WAIT 195    0                                10.56.2.13:443                                          10.152.0.3:9494               
CLOSE-WAIT 195    0                                10.56.2.13:443                                           10.56.2.1:52484              
CLOSE-WAIT 259    0                                10.56.2.13:443                                          10.152.0.2:56356              
CLOSE-WAIT 387    0                                10.56.2.13:443                                          10.152.0.2:14286              
CLOSE-WAIT 387    0                                10.56.2.13:443                                          10.152.0.2:52527              
CLOSE-WAIT 48     0                                10.56.2.13:443                                           10.56.2.1:29095              
CLOSE-WAIT 48     0                                10.56.2.13:443                                          10.152.0.2:4251               
CLOSE-WAIT 195    0                                10.56.2.13:443                                          10.152.0.3:61126              
CLOSE-WAIT 387    0                                10.56.2.13:443                                          10.152.0.2:14283              
CLOSE-WAIT 131    0                                10.56.2.13:443                                          10.152.0.2:7763               
CLOSE-WAIT 259    0                                10.56.2.13:443                                          10.152.0.3:52521              
CLOSE-WAIT 131    0                                10.56.2.13:443                                          10.152.0.2:14285              
CLOSE-WAIT 195    0                                10.56.2.13:443                                           10.56.2.1:52524              
CLOSE-WAIT 48     0                                10.56.2.13:443                                          10.152.0.2:50186              
CLOSE-WAIT 259    0                                10.56.2.13:443                                          10.152.0.3:31341              
CLOSE-WAIT 195    0                                10.56.2.13:443                                          10.152.0.2:7767               
CLOSE-WAIT 48     0                                10.56.2.13:443                                          10.152.0.3:9773               
CLOSE-WAIT 387    0                                10.56.2.13:443                                          10.152.0.3:61116              
CLOSE-WAIT 323    0                                10.56.2.13:443                                           10.56.2.1:52501              
CLOSE-WAIT 323    0                                10.56.2.13:443                                          10.152.0.3:14269              
CLOSE-WAIT 323    0                                10.56.2.13:443                                          10.152.0.3:7758               
CLOSE-WAIT 323    0                                10.56.2.13:443                                          10.152.0.3:30361              
CLOSE-WAIT 48     0                                10.56.2.13:443                                          10.152.0.3:49210              
CLOSE-WAIT 259    0                                10.56.2.13:443                                          10.152.0.2:52517              
ESTAB      322    0                                10.56.2.13:443                                          10.152.0.2:52531              
CLOSE-WAIT 259    0                                10.56.2.13:443                                          10.152.0.2:14268              
CLOSE-WAIT 48     0                                10.56.2.13:443                                          10.152.0.3:29382              
CLOSE-WAIT 323    0                                10.56.2.13:443                                           10.56.2.1:52483              
CLOSE-WAIT 259    0                                10.56.2.13:443                                           10.56.2.1:52502              
CLOSE-WAIT 387    0                                10.56.2.13:443                                          10.152.0.3:52498              
CLOSE-WAIT 323    0                                10.56.2.13:443                                          10.152.0.2:7764               
CLOSE-WAIT 195    0                                10.56.2.13:443                                          10.152.0.3:52499              
CLOSE-WAIT 195    0                                10.56.2.13:443                                          10.152.0.3:16982 

I'm using GCP with Kubernetes, so traffic is routed like this: GCP LoadBalancer->kubernetes-service->dnscrypt-wrapper-container->kubernetes-service->unbound-container

Restarting dnscrypt-wrapper temporarily fixes the problem.
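
The symptom in the output above is sockets on the listening port sitting in CLOSE_WAIT (the peer has closed, the local process has not) with a non-zero Recv-Q (bytes the process never read). The following added example, which is not part of the original issue or of dnscrypt-wrapper, counts such sockets per local port from `ss -tan` or `netstat -an` text; the function names, the threshold of 3 and the sample lines are assumptions made for illustration.

```python
import sys
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan`; the addresses are
# documentation-range placeholders, not values from the issue.
SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    *:443               *:*
CLOSE-WAIT 323    0      192.0.2.10:443      198.51.100.7:30367
CLOSE-WAIT 48     0      192.0.2.10:443      198.51.100.8:9494
CLOSE-WAIT 195    0      192.0.2.10:443      198.51.100.7:52484
ESTAB      322    0      192.0.2.10:443      198.51.100.8:52531
TIME-WAIT  0      0      192.0.2.10:43356    203.0.113.5:53
"""

def parse_sockets(text):
    """Yield (state, recv_q, local_port) from `ss -tan` or `netstat -an` text."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp"):   # netstat: Proto first, State last
            state, recv_q, local = f[5], f[1], f[3]
        elif len(f) >= 5:                            # ss: State first
            state, recv_q, local = f[0], f[1], f[3]
        else:
            continue
        if not recv_q.isdigit():
            continue                                 # column headers and banners
        # netstat prints CLOSE_WAIT, ss prints CLOSE-WAIT: normalise to one form
        yield state.replace("_", "-"), int(recv_q), local.rsplit(":", 1)[-1]

def close_wait_report(text, min_sockets=3):
    """Map local port -> (socket count, unread bytes) for ports holding at least
    min_sockets CLOSE-WAIT sockets whose Recv-Q is still non-zero."""
    stats = defaultdict(lambda: [0, 0])
    for state, recv_q, port in parse_sockets(text):
        if state == "CLOSE-WAIT" and recv_q > 0:
            stats[port][0] += 1
            stats[port][1] += recv_q
    return {p: (n, b) for p, (n, b) in stats.items() if n >= min_sockets}

if __name__ == "__main__":
    # Pipe real output in (ss -tan | python3 this_file.py) or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = close_wait_report(text)
    for port, (n, unread) in sorted(report.items()):
        print(f"port {port}: {n} CLOSE-WAIT sockets, {unread} unread bytes")
    sys.exit(1 if report else 0)   # non-zero exit lets a health check act on it
```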

@publicarray

@jedisct1 Would you have any ideas?

kumaya commented Jul 2, 2018

Was there a known solution to this problem?

publicarray commented Jul 2, 2018

Yea, I switched to this repo/branch jedisct1/dnscrypt-wrapper:xchacha-stamps since that is what the dnscrypt-server-docker image uses. This works very well in Docker.

publicarray reopened this Jul 2, 2018