BIND not answering queries while large zone loads

Martin Eian martin.eian at itea.ntnu.no
Fri Jan 16 07:57:29 UTC 2004


> We have a number of large zones (most of them dnsbls). Some of the zones
> are around 80-90 Mb in size. I've noticed some problems that *seem* to
> corelate to the loading and / or transferring of large zones where BIND
> is very slow or completely unresponsive for a minute or two. Does anyone
> else see this problem, and if so, can anything be done about it?

We've got the same problem (bind 9.2.2 unresponsive when reloading large 
zones, not during transfer).

> This problem seems to come up even when BIND is built with threads;
> generally I build it without.

Same experience here, multiple threads does not solve the problem. Mark 
Andrews explained why in this email:

Message-Id: <200401122232.i0CMWI15032774 at drugs.dv.isc.org>

> We're running Debian Linux 3.0 on x86 hardware with 2.4.20 and 2.4.24
> kernels; hardware ranges from single 550 PIII to dual 800 PIII to single
> 2Ghz P4; almost all of the machines have at least 1 Gb of memory. BIND
> version is a mixture of 9.2.2-P3 and 9.2.3.

Our hw is SunFire 280R w/4GB RAM (dual USIII 750MHz CPU), Solaris 9. 
Bind was compiled with Sun's cc (forte) w/native threads.

> Lastly, if there is no good way to avoid this, should we try to keep all
> the dnsbls on a separate machine and use forwarders to forward queries
> to those machines? Should I give rbldnsd another look?

You don't need to run them on a separate machine, running another 
instance of named on the same machine works just as well (but on a 
different port).

Hint: If you want to restrict access to the dnsbl zones, use stub zones 
(not forward, forward zones do not have support for allow-query). 
Example from named.conf:

zone "<name of zone>" {
         type stub;
         forward only;
         forwarders { <IP of nameserver> port <port of named instance>;};
         masters { <IP of nameserver> port <port of named instance>;};
         allow-query {
                 127.0.0.1;
                 <IP or subnet in CIDR notation>;
         };
};

Then you run a separate named on the port specified above. Both 
'forwarders' and 'masters' point to the same IP/port.

-- 
Martin Eian,
Norwegian University of Science and Technology


More information about the bind-users mailing list