BIND 9.2.3, large zone xfer and 100% CPU Utilization

Alex Rainchik rainchik at mail.ru
Mon Apr 26 01:54:30 UTC 2004


jstewart at ccs.carleton.ca (John A. Stewart) wrote in message news:<c6c41s$6ar$1 at sf1.isc.org>...

> We were stumped with the same problem for a while.  Our first attempt at
> solving the problem was to move dns service to a dedicated machine.   That
> helped, but there was still a window after the zone transfer had completed
> where the dns server would not respond.
> 
> What we do now is
> 
>    1) We have two BIND daemons that only handle the RBL+ zone.  One server
>       transfers the zone from mail-abuse.com while the other server transfers
>       the zone from the first server.  This ensures that one of the servers
>       will always be able to respond since the two servers will never be
>       trying to apply a zone update simultaneously.
> 
>    2) We have two bind daemons that are used by our client machines to handle
>       dns queries and that are authoritative for all our domains.  These
>       servers forward RBL+ lookups to the two dns servers that carry the
>       RBL+ zone.  As I explained in 1), one of these two servers should always
>       be able to respond immediately.  To restrict who can access RBL+ data
>       as per our contract with mail-abuse.org we need to use the view 
>       facility in BIND.
> 
>    3) Physically, we have two machines running dns services.  Each machine
>       runs two BIND daemons (one general purpose and one RBL+ only).  Of
>       course, the second BIND daemon has to be bound to a separate virtual
>       interface.
> 
>    4) The RBL+ BIND daemon is a memory hog.  It uses around 400MB of virtual
>       memory versus only 100 to 200MB for the general purpose DNS server.
>       Memory consumption was roughly twice as high before we thought to
>       recompile BIND as 32bit application.
> 
> 

John, 

Thank you for sharing your solution! I think I'll try to implement it 
on our site. Thank you again!

While I was researching the issue I had to come up with a "quick fix", 
so I've added "min-refresh-time 86400;" to RBL+ zone in my named.conf. 
Now this zone is updated once every 24 hours instead of every 3 hours.

Another nice idea was to make my server master server for RBL+ zone 
and download zone file from cron, but it didn't seem to eliminate CPU 
spikes and going into "no response" state.

P.S. I was on the phone with mail-abuse's tech support just to confirm 
they do not support IXFR at this time...
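The two-daemon layout John describes, plus the `min-refresh-time` quick fix from the reply, written out as an added named.conf example (not configuration from either poster). Zone name, addresses and client ranges are assumed placeholders: 192.0.2.10/.11 for the two RBL+-only daemons, 192.0.2.1 for a general-purpose daemon, 203.0.113.5 for the provider's master, and 10.0.0.0/8 for the contract-covered clients.

```conf
// ---- named.conf for the first RBL+-only daemon (192.0.2.10) ----
// The second RBL+ daemon (192.0.2.11) is identical except that its
// "masters" entry points at 192.0.2.10, so the two never apply a
// zone update at the same time (point 1 in the quoted reply).
options {
    listen-on { 192.0.2.10; };        // own virtual interface (point 3)
    allow-query { 192.0.2.0/24; };    // only our own resolvers may ask
    allow-transfer { 192.0.2.11; };   // the second RBL+ daemon slaves from here
    recursion no;
};

zone "rbl-plus.example" {             // placeholder for the RBL+ zone name
    type slave;
    file "slave/rbl-plus.example";
    masters { 203.0.113.5; };         // placeholder: provider's master
    min-refresh-time 86400;           // quick fix from the reply: at most one
                                      // full transfer per day instead of every 3h
};

// ---- named.conf for a general-purpose daemon (192.0.2.1) ----
// Authoritative for our own domains, recursive for our clients, and
// forwards RBL+ lookups to the two RBL+ daemons (point 2). The view
// keeps RBL+ data visible only to the clients covered by the contract.
options {
    listen-on { 192.0.2.1; };
};

view "internal" {
    match-clients { 10.0.0.0/8; };    // placeholder: contract-covered clients
    recursion yes;

    zone "rbl-plus.example" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; 192.0.2.11; };  // one of the two always answers
    };

    zone "example.com" {              // placeholder for one of our own domains
        type master;
        file "master/example.com";
    };
};

view "external" {
    match-clients { any; };           // everyone else: no RBL+ zone, no recursion
    recursion no;

    zone "example.com" {
        type master;
        file "master/example.com";
    };
};
```

A client outside 10.0.0.0/8 that queries the RBL+ name gets a normal REFUSED/NXDOMAIN path rather than RBL+ data, and the general-purpose daemons never hold the large zone themselves, so they are not the ones stalling during its transfer.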

