External Name Server Timeouts
Merton Campbell Crockett
m.c.crockett at adelphia.net
Fri Mar 3 17:35:57 UTC 2006
I have an external master name server running BIND 9.3.1 on a SuSE
Linux 9.3 system. Periodically, the name server stops responding to
DNS queries from the Internet. In some instances when this occurs,
all external name servers will become unresponsive.
During these incidents, the external name server appears to remain
responsive to DNS requests forwarded from internal name servers.
However, it is not clear if the responses to the internal DNS
requests are from the external name server's cache or not. A quick
check using tcpdump seems to indicate that the name server is sending
DNS requests to the Internet but may not be receiving any responses.
A "weird" element of these incidents is that they don't appear to
impact the ability of internal users to access the Internet, i.e.
there are no problem tickets being opened by users claiming to be
unable to access external systems. The problem tickets that are
opened are from users on the road, at home, or at customer sites that
are unable to establish VPN connections.
During the last incident, I noticed that the external name server was
being inundated with DNS requests to update the external zone file
from an IP address, 196.25.255.194, assigned to an Internet Service
Provider in Zaire. Dynamic updates are not permitted but the name
server appears to be going through all the steps needed to perform a
dynamic update before rejecting the request. Log entries indicate
that the check for no existing RRset entries succeeded before
reporting that the update request was denied.
Is there a BIND option that would reject DNS update requests when the
RRset request is made?
I am attempting to eliminate BIND 9 as the cause of the DNS
timeouts. My suspicion is that the DNS timeouts are being caused by
the SideWinder G2 firewall that was installed in November.
Before November, the external master name server was running BIND 8
on a BSD/OS 4.3.1 system configured as a bastion host/firewall and
directly accessible from the Internet. I can't recall a single
incident where the old system would fail to respond to external DNS
queries under any DoS attacks.
Merton Campbell Crockett
m.c.crockett at adelphia.net
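Added example (not part of the original post) for triaging a flood of rejected dynamic updates like the one described above: a Python script that parses "update ... denied" messages from a BIND-style named log, counts them per source address, and flags sources exceeding a rate within a sliding window. The log lines are constructed samples modelled on BIND 9's denied-update message; the zone name, ports and timestamps are made up, and the exact line format should be checked against the local logging configuration before use.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of named.log lines, modelled on BIND 9's
# "update '<zone>/IN' denied" message. Zone, ports and times are made
# up; 196.25.255.194 is the source address named in the original post.
SAMPLE_LOG = """\
03-Mar-2006 09:00:01.123 security: info: client 196.25.255.194#4321: update 'example.com/IN' denied
03-Mar-2006 09:00:01.456 security: info: client 196.25.255.194#4322: update 'example.com/IN' denied
03-Mar-2006 09:00:02.001 security: info: client 196.25.255.194#4323: update 'example.com/IN' denied
03-Mar-2006 09:00:05.789 security: info: client 192.0.2.10#5000: update 'example.com/IN' denied
03-Mar-2006 09:00:07.000 general: info: zone example.com/IN: sending notifies (serial 2006030301)
03-Mar-2006 09:00:09.250 security: info: client 196.25.255.194#4324: update 'example.com/IN' denied
"""

# Timestamp, client address and zone of a denied-update line; other lines are skipped.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^']+)' denied$"
)

def parse_denied_updates(log_text):
    """Yield (timestamp, client_ip, zone) for every denied-update line."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            yield ts, m.group("ip"), m.group("zone")

def denied_per_client(log_text):
    """Count denied dynamic update attempts per source address."""
    return Counter(ip for _, ip, _ in parse_denied_updates(log_text))

def flooding_clients(log_text, threshold, window_seconds):
    """Return addresses with more than `threshold` denials inside any window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_denied_updates(log_text):
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return sorted(flagged)
```

Run against a real named log by reading the file into `log_text`; a flagged address is a candidate for a firewall rule or for checking whether the zone's allow-update ACL is being hit by the same client repeatedly.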