UDP "storms" from local bind?

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 12 00:10:51 UTC 2002


Alexander Newald wrote:

> "Kevin Darcy" <kcd at daimlerchrysler.com> schrieb im Newsbeitrag
> news:aljdcf$2div$1 at isrv4.isc.org...
> >
> > Alexander Newald wrote:
> >
> > > Hello,
> > >
> > > I have a box with the latest stable BIND running. It is used for a web
> > > and mail server as the DNS resolver. It resolves directly through the
> > > root server.
> > >
> > > I notice that from time to time (about 10-15 times a day) for about 30
> > > seconds to 1 minute a very high UDP traffic is produced by BIND. It
> > > also happens when no requests are made to BIND. What is it about?
> >
> > What do you mean by "very high" UDP traffic?
> >
> > Is this nameserver configured as a stub and/or a slave nameserver for any
> > zone(s)? Maybe that traffic consists of serial-number checks (?)
> > - Kevin
>
> Hello,
>
> the server does not have any zones of its own. It is just set up to be the
> nameserver for the local net. Lookups are done by
>
> zone "." {
>         type hint;
>         file "/opt/bind-9.2.0/etc/db.cache";
>         };
>
> that is nearly the only entry in the named.conf file, apart from some
> access rules. Normally traffic from the BIND box to the outside world is
> about 1 KB/s or even less. But in the situation of the "storm" traffic
> goes up to 64 KB/s and higher.

How are you determining that no requests are being made to the nameserver? Are
you actually generating query logs, or are you just assuming no activity
because the web and/or mail server on the box don't happen to be processing
anything at the time? I suspect there's some process on your box which is
periodically "waking up" and generating a lot of queries. Even
serial-number-checking traffic wouldn't generate such an excessive amount of
traffic, unless you had hundreds of slave/stub zones.

Another possibility is that something on your machine has its *own* resolver
and is not using the BIND nameserver at all. This, too, should be discernible by
correlating the traffic logs with the query logs for the same time intervals.


- Kevin
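The correlation Kevin describes above, worked through as an added example (not code from the thread or from ISC). BIND 9's `queries` logging category writes one line per query received, so once that category is directed to a file the question "was named actually being asked anything during the storm?" can be answered by bucketing those lines into the same intervals as the outbound traffic counter. The log-line layout below (timestamp prefix, then `client addr#port: query: name IN type`) is an assumption about the channel's print-time setting, and both the query lines and the per-minute byte rates are constructed sample data, not real captures. An interval with high traffic and a burst of logged queries points at a local process hammering named; high traffic with no logged queries points at something resolving on its own, bypassing named.

```python
"""Correlate outbound UDP byte rates with BIND query-log lines per interval.

Added example for the bind-users thread above; not ISC code. Log format,
sample queries and traffic figures are constructed/assumed as noted.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed layout of a BIND 9 "queries" category line with a timestamp prefix:
#   12-Sep-2002 00:10:05.101 client 192.0.2.10#1034: query: www.example.com IN A
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)$"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S"


def parse_query_log(text):
    """Return (timestamp, client, qname, qtype) tuples; non-query lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            records.append((ts, m.group("client"), m.group("name"), m.group("qtype")))
    return records


def bucket_start(ts, interval=60):
    """Floor a timestamp to the start of its interval (interval divides a day)."""
    total = ts.hour * 3600 + ts.minute * 60 + ts.second
    start = total - total % interval
    return ts.replace(hour=start // 3600, minute=(start % 3600) // 60,
                      second=0, microsecond=0)


def queries_per_interval(records, interval=60):
    """Count logged queries per interval start."""
    return Counter(bucket_start(ts, interval) for ts, _, _, _ in records)


def top_clients(records, start, interval=60, n=3):
    """Which source addresses sent the queries in one interval (the likely culprit)."""
    in_window = [c for ts, c, _, _ in records if bucket_start(ts, interval) == start]
    return Counter(in_window).most_common(n)


def correlate(traffic, records, baseline_bps, factor=10, min_queries=10, interval=60):
    """Label each traffic sample by whether named's query log explains it.

    traffic: {interval_start: average outbound UDP bytes/s} from a traffic counter.
    A sample is a "storm" when it exceeds factor * baseline_bps.
    """
    counts = queries_per_interval(records, interval)
    labels = {}
    for start, bps in sorted(traffic.items()):
        if bps < baseline_bps * factor:
            labels[start] = "quiet"
        elif counts.get(start, 0) >= min_queries:
            labels[start] = "storm: queries seen"      # a local client is querying named
        else:
            labels[start] = "storm: few or no queries"  # traffic is not named's doing
    return labels


def constructed_query_log():
    """Constructed sample: a quiet minute, then 40 reverse lookups from one host."""
    lines = [
        "12-Sep-2002 00:10:05.101 client 192.0.2.10#1034: query: www.example.com IN A",
        "12-Sep-2002 00:10:41.220 client 192.0.2.10#1035: query: example.net IN MX",
    ]
    for i in range(40):  # the kind of burst a mail server or log analyser makes on waking
        lines.append("12-Sep-2002 00:11:%02d.%03d client 192.0.2.20#2001: "
                     "query: %d.2.0.192.in-addr.arpa IN PTR" % (i, i * 7 % 1000, i + 1))
    lines.append("12-Sep-2002 00:13:30.500 client 192.0.2.10#1036: query: www.example.com IN A")
    return "\n".join(lines)


# Constructed per-minute outbound UDP rates, mirroring the ~1 KB/s vs 64 KB/s figures.
SAMPLE_TRAFFIC = {
    datetime(2002, 9, 12, 0, 10): 900,     # normal
    datetime(2002, 9, 12, 0, 11): 65000,   # storm, and named logged a burst
    datetime(2002, 9, 12, 0, 12): 70000,   # storm, but named logged nothing
    datetime(2002, 9, 12, 0, 13): 800,     # normal
}

if __name__ == "__main__":
    recs = parse_query_log(constructed_query_log())
    for start, label in correlate(SAMPLE_TRAFFIC, recs, baseline_bps=1000).items():
        print(start.strftime("%H:%M"), label, top_clients(recs, start))
```

Feeding the real query log and a per-minute outbound byte count (from whatever traffic accounting the box already has) into `correlate` gives one label per interval; the "few or no queries" case is the one that argues for a second resolver on the machine rather than a noisy client of named.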