DNS High CPU Loads, any ideas why??

[Howard Leadmon]

   Several weeks ago for whatever reason, I found out my two main DNS 
servers started using 100% CPU and became sluggish at responding to it's
requests.  The DNS was running on a couple dual CPU Sparc 10's and 20's
I had at the office, but prior to this they were only using maybe 10-15%
CPU tops.  I replaced my primary server with a modern day Intel PII based
machine running under BSD, but even that box is now running 70% CPU at
most times.  

 Whats strange is at times the DNS servers will only use a couple % of
the CPU for some period of time, and then just change and peg the processor
for days at a time.  I can't find any logical reason why it will be running
along at say 3-5% CPU on the box for a day or two, then jump to 70%+ for
days out of the blue.

 This almost stinks of some type of DoS attack, and I added router filters
to block all outside packets to the general public to all but UPD on port 53.
I was using BIND-8.2.2p5, and even tried the new RC3 of 8.2.3, but the same
results.  When I look at IP traffic load on the switch ports going to the
nameservers, things seem OK with peak traffic at may 100kbps, so not like
some major UDP smurf hitting the servers either.

 I guess I am wondering has my DNS loading just gotten to the point that I
need boxes like Intel SMP 700mhz PC's just to do my DNS, or has someone 
found a way to make my life miserable by DoSing my DNS servers.  Has anyone
run into this problem before??  Also anyone have any good ideas on how to
try and figure out whats up with this before I go crazy??   I have enough
DNS knowledge to run a good nameserver, but as for trying to track this one 
down I will admit I am a bit lost, so any hints, pointers, or suggestions
would be most appreciated...


---
Howard Leadmon - howardl at abs.net - http://www.abs.net
ABSnet Internet Services - Phone: 410-361-8160 - FAX: 410-361-8162