BIND 9.2.3, large zone xfer and 100% CPU Utilization

John A. Stewart jstewart at ccs.carleton.ca
Fri Apr 23 19:08:42 UTC 2004


In <c692n2$22bk$1 at sf1.isc.org> rainchik at mail.ru (Alex Rainchik) writes:

>Hello,

>We are using BIND 9.2.3 on Solaris8, transferring ~45Mb zone from mail-abuse.com
>every three hours, as they don't support IXFR feature. The issue we have is that
>at the end of the transfer "named" goes berserk and CPU utilization goes through
>the roof, up to 100% for about 5-10 minutes. 

>During those 5-10 minutes "named" does not respond to any queries, "rndc status"
>does not work either. It's the only zone xfer running at that time....

We were stumped with the same problem for a while.  Our first attempt at
solving the problem was to move dns service to a dedicated machine.   That
helped, but there was still a window after the zone transfer had completed
where the dns server would not respond.

What we do now is

   1) We have two BIND daemons that only handle the RBL+ zone.  One server
      transfers the zone from mail-abuse.com while the other server transfers
      the zone from the first server.  This ensures that one of the servers
      will always be able to respond since the two servers will never be
      trying to apply a zone update simultaneously.

   2) We have two bind daemons that are used by our client machines to handle
      dns queries and that are authoritative for all our domains.  These
      servers forward RBL+ lookups to the two dns servers that carry the
      RBL+ zone.  As I explained in 1), one of these two servers should always
      be able to respond immediately.  To restrict who can access RBL+ data
      as per our contract with mail-abuse.org we need to use the view 
      facility in BIND.

   3) Physically, we have two machines running dns services.  Each machine
      runs two BIND daemons (one general purpose and one RBL+ only).  Of
      course, the second BIND daemon has to be bound to a separate virtual
      interface.

   4) The RBL+ BIND daemon is a memory hog.  It uses around 400MB of virtual
      memory versus only 100 to 200MB for the general purpose DNS server.
      Memory consumption was roughly twice as high before we thought to
      recompile BIND as a 32-bit application.


Here is the core section of the named.conf file from one of our general 
dns servers.  zones.conf is a file containing all the zones that are common
to both the internal and global view.

view "internal" {
        match-clients { 134.117/16; };

        zone "rbl-plus.mail-abuse.org" {
                type forward;
                forwarders { 134.117.1.12; 134.117.1.13; };
        };

        include "zones.conf";
};

view "global" {
        match-clients { any; };

        zone "rbl-plus.mail-abuse.org" {
                type master;
                file "/dev/null";
        };

        include "zones.conf";
};

-- 
John Stewart -- Computing and Communications Services, Carleton University
Internet: jstewart at ccs.carleton.ca                       613-520-2600x3707
"measure twice, cut once"
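As an added example (not from John Stewart's post), the following named.conf shows how the first of the two RBL+-only daemons from steps 1) and 3) above can be configured to fit the views shown in the post: it listens only on its own virtual interface, slaves the zone from mail-abuse, and lets the second RBL+ daemon transfer from it. The mail-abuse transfer server address and the addresses of the two general-purpose daemons are assumptions (the post gives only the RBL+ daemons' addresses, 134.117.1.12 and 134.117.1.13).

```conf
// Added example, not the original poster's configuration.
// named.conf for the first RBL+-only daemon (134.117.1.12).
options {
    directory "/var/named/rblplus";
    // Step 3: bind only to the virtual interface reserved for this daemon,
    // so it does not collide with the general-purpose named on the same host.
    listen-on { 134.117.1.12; };
    // Step 2: only the two general-purpose daemons (which forward RBL+
    // lookups here from their "internal" view) may query this daemon.
    // Their addresses are assumed; substitute your own.
    allow-query { 134.117.1.10; 134.117.1.11; };
    // This daemon is authoritative for RBL+ only; it never recurses.
    recursion no;
};

zone "rbl-plus.mail-abuse.org" {
    type slave;
    file "rbl-plus.mail-abuse.org.db";
    // Transfer from mail-abuse's server (placeholder address, not real).
    masters { 192.0.2.1; };
    // Step 1: the second RBL+ daemon transfers from us, not from
    // mail-abuse, so the two daemons never apply the same update at once.
    allow-transfer { 134.117.1.13; };
    // Tell only the peer daemon about new zone versions; do not notify
    // the zone's public NS records.
    notify explicit;
    also-notify { 134.117.1.13; };
};
```

The second RBL+ daemon uses the same file with `listen-on { 134.117.1.13; }`, `masters { 134.117.1.12; }` and `allow-transfer { none; }`.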

