Bind Timeout on External Names (8.2.3)

Pete Peterson petersonp at
Thu Oct 4 12:28:50 UTC 2001

We have been running two nameservers for a long time, using Bind 8.2.3
under Red Hat Linux 6.2.  These machines have been running since January
or so with 8.2.3 and have been running Bind for over 3.5 years with
*NO* problems.

Starting around noon on Tuesday, BOTH of these machines developed a timeout
problem which manifested itself in people being unable to resolve outside
names.  Names for which the machines are authoritative resolve properly,
but we get timeouts on the external names.

I did some nslookup and dig tests on ns1 (

I had had 'nameserver' and 'nameserver' lines in
resolv.conf.  When the problem occurred on ns1, the connection to
always failed and would respond, at least if *it* hadn't
already developed the problem.  I tried adding 'nameserver'
explicitly and, not surprisingly, it timed out as well as

Here's an example (I left just the nameserver line in resolv.conf
at this point to shorten the messages:
[root at ns1 /etc]# dig

; <<>> DiG 8.3 <<>> 
; Bad server: -- using default server and timer opts
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server default -- Connection timed out

If I stop and restart named, the problem goes away for a while:

[root at ns1 /etc]# service named restart
Shutting down named: [  OK  ]
Starting named: [  OK  ]

[root at ns1 /etc]# dig

; <<>> DiG 8.3 <<>> 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;;, type = A, class = IN

;; ANSWER SECTION:        15M IN A

;; AUTHORITY SECTION:            15M IN NS            15M IN NS       auth00.ns.uu.NET.

auth00.ns.uu.NET.       1d17h43m3s IN A

;; Total query time: 118 msec
;; WHEN: Wed Oct  3 09:18:43 2001
;; MSG SIZE  sent: 33  rcvd: 139

These machines are behind a firewall which allows only port 25 and port 53
connections to them.  Temporarily we have blocked *all* outside connections
to ns2, but the problems continue on BOTH machines, so the problems doesn't
seem to result from some outside attack.

We have the following forwarder info in named.conf as recommended by
Genuity, our connectivity provider:
options {
        directory "/var/named"; // running directory for named
        forwarders {
Here is a bunch of observations:

When the problem occurs, pointing nslookup, dig, or host at the forwarders
resolves the name fine.

As the problem develops, external name resolution seems to start taking
longer and then fails completely.

Sometimes dig and/or host will resolve the name, but nslookup will not,
or "dig" or "host" will work, but
"dig" or 
"host" will fail on ns1 (similar result
for ns2).

Stopping and restarting named "fixes" the problem for a while.  "A while"
might be anywhere from less than 1/2 hour to several hours.  Since the
problem occurs on two separate machines, I suspected it was related to
some problem in our network, but if that's the case, why does restarting
named make the problem go away?  Our network people didn't see anything
unusual that would explain the problem.

It appeared that when the problem occurred, it would happen on both
machines at once, but I currently have a crontab job that tries every 5
minutes to resolve an outside address and restarts named when it fails ---
the resulting log from overnight last night shows that both machines
didn't always fail at once.  Of course the different levels of failure
mentioned above may have made the test fail on one machine and not on
the other.

We've been unable to correlate the appearance of this problem with any
other change or event.


    Has anybody seen a problem like this?

    Any suggestions about what I should look at or ask others to check?

    Are there any further data I could provide to help the diagnosis?


I'd appreciate any help I could get with this problem.  It's causing
serious pain! :-(

        pete peterson
        GenRad, Inc.
        7 Technology Park Drive
        Westford, MA 01886-0033

        petersonp at or rep at
        +1-978-589-7478 (GenRad);
        +1-978-589-2088 (Closest FAX); +1-978-589-7007 (Main GenRad FAX)

More information about the bind-users mailing list