Bind 8.3.3 of debian package / CPU 100%

Ladislav Vobr lvobr at ies.etisalat.ae
Fri Sep 10 23:38:09 UTC 2004


BIND has a lot of problems when there are client requests for domains
which are completely unreachable (all their nameservers are down). It
makes a recursive server very busy. You as administrator will have a tough
time discovering it, since unreachable servers/domains are not logged
anywhere (lame servers are, but not unreachable ones; perhaps ISC considers
them less important).

CPU will go high, network traffic generated by BIND will go high, the
recursive-queue gets full, your clients will get very poor response, and
the most you get from the logs, if you are lucky enough to use BIND 9, is
that the recursive-queue is full.

It is very, very hard to analyze 500 req/sec to discover a perfectly valid
and regular domain that is not even so frequent (20-30 req/sec out of the
total traffic is enough) and bogus these servers, basically telling BIND to
stop querying them. BIND is the only one who knows that this domain is
unreachable for BIND, but it doesn't tell anybody and wastes all its
resources on it.

We had a problem when we got blocked by af.mil servers. We didn't see
such big traffic, maybe around 20-40 requests/sec to these domains,
but it impacted BIND performance severely. Bogusing them solved the
problem in the short term, but discovering them was next to magic :-).
BIND doesn't bother at all to tell you "look, I am wasting more than half
of my resources on these 4-5 servers; I will not stop, I will not slow
down, I will not alert you either, I consider it perfectly normal" :-(

Ladislav

Nicolas LIENARD wrote:
> Hi,
> I was using BIND 8.3.3 from the Debian package for a DNS cache server.
> 
> Some days ago, the CPU increased to 100%, taken by the named process.
> 
> I tried to debug (ndc debug, ndc querylog) and analysed the log (for flooding) but found nothing suspicious.
> 
> I tried to restart the process and nothing changed either.
> 
> So, I finally installed BIND9 from the Debian package and it resolved the CPU load problem.
> 
> The uptime of the box is 200 days and it is used by thousands of users (500 queries / s).
> 
> Sometimes, in the past, we met load problems, but it was from specific IPs which flooded, and we used iptables to block them.
> 
> In this case, only an update changed the situation.
> 
> Does somebody meet this kind of problem?
> 
> regards,
> 
> Nicolas Liénard

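The discovery step Ladislav describes as "next to magic" (finding, in a busy querylog, the few zones whose nameservers never answer, and then bogusing them) can be scripted. The following is an added example, not code from either poster or from ISC. It assumes two querylog line formats, BIND 8's `XX[+] /client/name/type/class` and BIND 9's `client addr#port: query: name class type`, groups names by their last two labels as a rough stand-in for the delegated zone, probes each zone's nameservers with a hand-built NS query over UDP with a short timeout, and prints `server { bogus yes; };` statements for every server of a zone that never answered. The sample log lines, the nameserver address map and the `simulated_exchange` function (which makes 192.0.2.0/24 look dead so the script runs offline) are all constructed for the example; the documentation-range IPs are placeholders.

```python
import random
import re
import socket
import struct
from collections import Counter

# Constructed sample querylog lines (not taken from the thread). Two formats
# are assumed: BIND 8's "XX[+] /client/name/type/class" and BIND 9's
# "client addr#port: query: name class type ...".
SAMPLE_QUERYLOG = """\
XX+ /10.1.2.3/www.example.com/A/IN
XX+ /10.1.2.4/mail.slow.example.net/MX/IN
client 10.1.2.5#3145: query: host1.slow.example.net IN A +
client 10.1.2.6#3146: query: host2.slow.example.net IN A +
XX+ /10.1.2.7/www.example.org/A/IN
client 10.1.2.8#3147: query: host3.slow.example.net IN AAAA +
"""

BIND8_RE = re.compile(r'^XX\+?\s+/(?P<client>[^/]+)/(?P<name>[^/]+)/(?P<type>[^/]+)/(?P<class>\S+)')
BIND9_RE = re.compile(r'^client (?P<client>\S+): query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)')


def parse_queries(text):
    """Yield the queried name (lower-cased, no trailing dot) from each recognised line."""
    for line in text.splitlines():
        m = BIND8_RE.match(line) or BIND9_RE.match(line)
        if m:
            yield m.group('name').rstrip('.').lower()


def zone_of(name, labels=2):
    """Group a name by its last `labels` labels. Assumption: two labels approximate
    the delegated zone; raise it for ccTLD-style names such as example.co.uk."""
    return '.'.join(name.split('.')[-labels:])


def busiest_zones(text, top=5):
    """Zones with the most queries: the short list worth probing first."""
    return Counter(zone_of(n) for n in parse_queries(text)).most_common(top)


def build_query(name, qtype=2, qid=None):
    """Minimal DNS query packet (QTYPE 2 = NS, class IN) with RD clear, as an
    iterative resolver would send it. Returns (packet, id)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack('!HHHHHH', qid, 0, 1, 0, 0, 0)
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in name.split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', qtype, 1), qid


def udp_exchange(server_ip, packet, timeout):
    """Real probe: send over UDP/53, return the reply bytes or None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server_ip, 53))
            return s.recvfrom(4096)[0]
        except OSError:          # socket.timeout is a subclass of OSError
            return None


def simulated_exchange(server_ip, packet, timeout):
    """Constructed stand-in so the script runs offline: 192.0.2.0/24 never answers,
    anything else echoes the query id back with QR set."""
    if server_ip.startswith('192.0.2.'):
        return None
    return packet[:2] + b'\x81\x80' + packet[4:]


def probe_zone(zone, nameserver_ips, exchange=udp_exchange, timeout=2.0):
    """Map each nameserver IP to True if it answered our query id within the timeout."""
    results = {}
    for ip in nameserver_ips:
        packet, qid = build_query(zone)
        reply = exchange(ip, packet, timeout)
        results[ip] = (reply is not None and len(reply) >= 12
                       and struct.unpack('!H', reply[:2])[0] == qid)
    return results


def unreachable_zones(zones_to_servers, exchange=udp_exchange, timeout=2.0):
    """Zones where every listed nameserver failed to answer; these are the ones
    the resolver keeps retrying without logging anything."""
    dead = {}
    for zone, ips in zones_to_servers.items():
        if ips and not any(probe_zone(zone, ips, exchange, timeout).values()):
            dead[zone] = list(ips)
    return dead


def bogus_config(ip_list):
    """named.conf server statements (BIND 8 and 9 syntax) that stop named querying these hosts."""
    return ''.join('server %s { bogus yes; };\n' % ip for ip in ip_list)


if __name__ == '__main__':
    # Assumed NS addresses for the zones found in the sample log; in practice
    # take them from `dig NS <zone>` against the delegating parent.
    ns_map = {'example.net': ['192.0.2.1', '192.0.2.2'],
              'example.com': ['198.51.100.1']}
    print('busiest zones:', busiest_zones(SAMPLE_QUERYLOG))
    dead = unreachable_zones(ns_map, exchange=simulated_exchange)
    print('unreachable:', dead)
    print(bogus_config(ip for ips in dead.values() for ip in ips), end='')
```

Run against a real log, replace `simulated_exchange` with the default `udp_exchange` and fill `ns_map` from the parent zone's delegation rather than from the resolver under test, since a resolver that is already stuck on those servers is the wrong place to ask. The `bogus yes` statements are a short-term fix, as Ladislav says: remove them once the remote servers are back, or legitimate queries for those zones will fail.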


More information about the bind-users mailing list