Mysterious load increase, BIND 8.2.2,p5

cschen at cc.nctu.edu.tw cschen at cc.nctu.edu.tw
Sat Apr 22 01:32:08 UTC 2000


| Date: Fri, 21 Apr 2000 20:32:39 +0100
| From: Jim Reid <jim at rfc1035.com>
| 
| >>>>> "Joe" == cschen  <cschen at cc.nctu.edu.tw> writes:
| 
|     Joe> We'd checked. Both the query forwarding server and ours run
|     Joe> BIND 8.x.  - I suppose that the servers have Negative Caching
|     Joe> built-in.
| 
| Why have you configured the server to forward queries? Why not let it
| run as a proper name server and make queries to other servers for
| itself? I suspect that if you set up the name server to ONLY forward,
| it will ALWAYS forward any queries it gets. If you configure your name
| servers to do stupid things, it's only reasonable to expect they'll
| produce stupid results. Setting up forwarding name servers is almost
| always stupid IMHO. 99% of the time there is NO GOOD REASON for
| forwarding.

We'd suffered from the network bandwidth problem severely.
Hence, we'd enabled the select forwarding feature and use the default,
which is "forwarder first" according to the document html page.

In the last example listed, the PTR queries were normal direct queries,
not a manual forwarding directive.
- It is phrased as "forw ..." in the BIND dumped log. I am not sure
  if it is the proper one in BIND/named terms.

If DNS forwarding is a stupid thing 99% of the time, I suppose there
should be a WARNING page to discourage the usage in the formal document.
Or, there should be some guideline page describing when it is
appropriate to enable forwarding (e.g. under what conditions, ...).

|     Joe> After we contact the dept.'s administrators, they found that
|     Joe> some lab exercise concerning some SAMBA applications were
|     Joe> doing the erroneous query....
| 
|     Joe> So, it is very simple for a lab exercise to overwhelm some
|     Joe> DNS servers on the campus. This is absolutely NOT good
|     Joe> news.
| 
| True, but this should not come as a surprise. If you overload any
| service with an artificially high query rate, it will break in some
| way. Why didn't this department arrange their own name server(s) for
| this exercise and have the students in the lab beat up on them rather
| than the University's important one? I presume you wouldn't let some
| lab exercise stress the university's operational mail or web servers,
| so why let one overload your name servers? I would have thought that
| it was obvious to arrange for an experimental/test environment to be
| completely isolated from the organisation's operational or production
| environment.

I don't think the above to be a reasonable assumption.

Because:
1) People trust our DNS server service on campus.

2) We usually trust normal users on the campus.

3) Students are supposed to learn and develop their networking
   skills on the campus network.

   Few are DNS experts before they do some field study and trials. They
   usually don't mean to overwhelm the DNS services in most situations.

4) Almost all Internet applications use DNS today. And by the distributed
   nature of the DNS framework, I don't think it is easy to let people
   know, they should not use some DNS server for their exercises.
   - You don't have to ask people to register their usages of your DNS
     services, do you ?

5) Not all teachers and school administrators of the departments
   got every detail of these. Especially, TAs are usually doing
   the directory jobs in the lab exercise courses.

 Every school year there are newcomers. I don't suppose they are
 qualified for all these details under most consequences.

--
 *  Joe. C.S.Chen, cschen at ns.nctu.edu.tw


