External Name Server Timeouts

Merton Campbell Crockett m.c.crockett at adelphia.net
Fri Mar 3 17:35:57 UTC 2006


I have an external master name server running BIND 9.3.1 on a SuSE  
Linux 9.3 system.  Periodically, the name server stops responding to  
DNS queries from the Internet.  In some instances when this occurs,  
all external name servers will become unresponsive.

During these incidents, the external name server appears to remain  
responsive to DNS requests forwarded from internal name servers.   
However, it is not clear if the responses to the internal DNS  
requests are from the external name server's cache or not.  A quick  
check using tcpdump seems to indicate that the name server is sending  
DNS requests to the Internet but may not be receiving any responses.

A "weird" element of these incidents is that they don't appear to  
impact the ability of internal users to access the Internet, i.e.  
there are no problem tickets being opened by users claiming to be  
unable to access external systems.  The problem tickets that are  
opened are from users on the road, at home, or at customer sites that  
are unable to establish VPN connections.

During the last incident, I noticed that the external name server was  
being inundated with DNS requests to update the external zone file  
from an IP address, 196.25.255.194, assigned to an Internet Service  
Provider in Zaire.  Dynamic updates are not permitted but the name  
server appears to be going through all the steps needed to perform a  
dynamic update before rejecting the request.  Log entries indicate  
that the check for no existing RRset entries succeeded before  
reporting that the update request was denied.

Is there a BIND option that would reject DNS update requests when the  
RRset request is made?

I am attempting to eliminate BIND 9 as the cause of the DNS  
timeouts.  My suspicion is that the DNS timeouts are being caused by  
the SideWinder G2 firewall that was installed in November.

Before November, the external master name server was running BIND 8  
on a BSD/OS 4.3.1 system configured as a bastion host/firewall and  
directly accessible from the Internet.  I can't recall a single  
incident where the old system would fail to respond to external DNS  
queries under any DoS attacks.


Merton Campbell Crockett
m.c.crockett at adelphia.net
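As an added example (not from the original post, and not ISC's own documentation), here is a named.conf fragment in BIND 9.3 syntax showing the two controls BIND itself offers for the situation described above: refusing dynamic updates at the zone with `allow-update { none; };`, and dropping every packet from an abusive source with the global `blackhole` ACL, which is applied before a message reaches query or update processing. The zone name `example.com`, the file paths and the secondary's address are placeholders; the blackholed address is the one quoted in the post.

```conf
// Added example, not from the original post: named.conf fragment, BIND 9.3 syntax.

// Sources that should never receive any reply at all, such as the origin of the
// update flood described above. Packets matching "blackhole" are discarded before
// update processing starts, so no prerequisite (RRset) checks are run for them.
acl "abusers" {
    196.25.255.194;                  // address quoted in the post
};

options {
    directory "/var/named";          // placeholder path
    blackhole { "abusers"; };        // drop everything from the listed sources
    allow-transfer { 192.0.2.10; };  // placeholder: only the secondary may pull zones
};

// External master zone (name and file are placeholders).
zone "example.com" IN {
    type master;
    file "external/example.com.zone";
    // Refuse dynamic updates outright. This is already BIND's default for a
    // master zone, but stating it makes the policy explicit in the config.
    allow-update { none; };
};
```

After editing, `named-checkconf` validates the syntax and `rndc reload` applies it. `allow-update { none; }` only governs whether an update is accepted once BIND has parsed it; `blackhole` is the option that stops the message earlier, at the cost of the listed addresses never getting an answer to anything, so it suits a known flooding source rather than a broad range. Dropping the traffic at the firewall in front of the name server has the same effect without spending BIND's time on the packet at all.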

More information about the bind-users mailing list