DNS timeout -> memory usage?

All,

Has anyone else seen an impact in changing the dns_session_timeout parameter in bro?

I have been wrestling with Bro's memory usage for a while now (using bro 2.2 from securityonion to monitor DNS server traffic), and recently tried changing the dns_session_timeout value from the default of 10 seconds to 1 second. That has changed bro's memory consumption dramatically. While at the default 10 second timeout, Bro was slowly growing in RAM usage until the Linux OOM manager killed it (and broctl cron automatically restarted it...lather, rinse, repeat). With the 1 second timeout bro's been steady at ~200MB/worker for the past couple days.

While I'm happy that this seems to have fixed a problem, I'm wondering what other impact that change has had. Obviously, if the DNS server starts responding slowly bro will see the request and response as separate sessions...I think I can live with that. Is that the only impact of changing the dns_session_timeout variable?

Thanks.

aaron

I’d expect another impact besides decreasing “accuracy” of dns.log to be increased entries in conn.log due to some DNS replies falling outside the timeout threshold. Also, I think too low of a threshold could also have some performance cost due to increased amount of events being raised which end up expiring sessions too early.

You may be interested in recent commits in Bro’s git repository to the DNS scripts that (for one thing) attempt to put more well-defined bounds on how much state they hold on to. It could be your traffic hits certain corner cases that, in Bro 2.2 and earlier, could cause the DNS script’s state management logic to do poorly. If that’s the case, I can see setting a low value for “dns_session_timeout” being a workaround because it may coincidentally force state to be expired more frequently.

- Jon