BIND 9.2.3, large zone xfer and 100% CPU Utilization
Alex Rainchik
rainchik at mail.ru
Mon Apr 26 01:54:30 UTC 2004
jstewart at ccs.carleton.ca (John A. Stewart) wrote in message news:<c6c41s$6ar$1 at sf1.isc.org>...
> We were stumped with the same problem for a while. Our first attempt at
> solving the problem was to move dns service to a dedicated machine. That
> helped, but there was still a window after the zone transfer had completed
> where the dns server would not respond.
>
> What we do now is
>
> 1) We have two BIND daemons that only handle the RBL+ zone. One server
> transfers the zone from mail-abuse.com while the other server transfers
> the zone from the first server. This ensures that one of the servers
> will always be able to respond since the two servers will never be
> trying to apply a zone update simultaneously.
>
> 2) We have two bind daemons that are used by our client machines to handle
> dns queries and that are authoritative for all our domains. These
> servers forward RBL+ lookups to the two dns servers that carry the
> RBL+ zone. As I explained in 1), one of these two servers should always
> be able to respond immediately. To restrict who can access RBL+ data
> as per our contract with mail-abuse.org we need to use the view
> facility in BIND.
>
> 3) Physically, we have two machines running dns services. Each machine
> runs two BIND daemons (one general purpose and one RBL+ only). Of
> course, the second BIND daemon has to be bound to a separate virtual
> interface.
>
> 4) The RBL+ BIND daemon is a memory hog. It uses around 400MB of virtual
> memory versus only 100 to 200MB for the general purpose DNS server.
> Memory consumption was roughly twice as high before we thought to
> recompile BIND as 32bit application.
>
>
John,
Thank you for sharing your solution! I think I'll try to implement it
on our site. Thank you again!
While I was researching the issue I had to come up with a "quick fix",
so I've added "min-refresh-time 86400;" to RBL+ zone in my named.conf.
Now this zone is updated once every 24 hours instead of every 3 hours.
Another nice idea was to make my server the master server for the RBL+ zone
and download the zone file from cron, but it didn't seem to eliminate the CPU
spikes and going into the "no response" state.
P.S. I was on the phone with mail-abuse's tech support just to confirm
they do not support IXFR at this time...
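As an added illustration of the layout John describes and of the min-refresh-time workaround above (example configuration written for this thread, not taken from either poster): a general-purpose daemon that forwards only the RBL+ zone to a dedicated RBL+-only daemon bound to a second address, with a view restricting who may ask. All addresses, the zone name and the file paths are placeholders.

```conf
// --- named.conf for the general-purpose daemon (placeholder address 192.0.2.1) ---
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };          // first interface only
};

view "internal" {
    match-clients { 192.0.2.0/24; };  // placeholder: our own client machines
    recursion yes;

    // Only our clients may reach the RBL+ data, as the contract requires; their
    // lookups are forwarded to the RBL+-only daemons instead of loading the zone here.
    zone "rbl-plus.example" {          // placeholder for the RBL+ zone name
        type forward;
        forward only;
        forwarders { 192.0.2.2; 192.0.2.3; };   // both RBL+-only daemons
    };

    zone "example.net" {
        type master;
        file "master/example.net.db";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                      // outsiders get authoritative answers only
    zone "example.net" {
        type master;
        file "master/example.net.db";
    };
};

// --- named.conf for the RBL+-only daemon on the second virtual interface (192.0.2.2) ---
options {
    directory "/var/named-rbl";
    listen-on { 192.0.2.2; };
    allow-query { 192.0.2.1; 192.0.2.3; };   // only our own daemons may query it
    allow-transfer { 192.0.2.3; };           // the peer daemon slaves from us, not from the provider
    recursion no;
};

zone "rbl-plus.example" {
    type slave;
    masters { 203.0.113.53; };       // placeholder: the provider's transfer source
    file "slave/rbl-plus.db";
    min-refresh-time 86400;          // the quick fix above: refresh at most once a day
};
```

The second machine runs the same pair of daemons with its RBL+-only zone pointing at 192.0.2.2 as master, so the two copies are never applying a transfer at the same time.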