Help - Bind 9.3.2 die after run several days

Alex Tang alextang at cms.hkcable.com
Tue Mar 21 03:52:43 UTC 2006


Hi All

We are an ISP. I have upgraded my cache-only DNS from BIND 8.37 to BIND 9.3.2. The new BIND's performance is very good, but it dies after running for several days, during busy hours. Would you give me any ideas on tuning BIND, or does my chroot procedure have a problem?

Thanks very much.

DNS type: BIND 9.3.2, cache only.

Run chrooted on 2 CPUs:
 /bind.9.3.2/usr/local/sbin/named -u dns -t /bind.9.3.2 -n 2

Compiled with multi-threading enabled and IPv6 disabled:
./configure --prefix=/bind.9.3.2/usr/local --disable-ipv6 --enable-threads --sysconfdir=/etc --localstatedir=/var

Server platform:
SunOS dns 5.8 Generic_108528-27 sun4u sparc SUNW,Sun-Fire-V210
2 CPUs

2G physical memory.
Checked with top: BIND uses about 800M, and 700M of physical memory remains.
Swap memory remaining: 4.7G.
Disk space used: 50% only.

Checked with prstat:
PROCESS/NLWP
named/7
CPU usage is about 48% - 50% during busy hours.

Number of queries: about 400 - 500 during busy hours.

Network traffic is about 2.5M outgoing and 1.8M incoming during busy hours.

When it dies, I cannot find any error message in the log;
the only message is this one in the query log:

no more recursive clients: quota reached

My chroot procedure is taken from
http://cookbook.linuxsecurity.com/sp/bind9_20010430.html#BM2__Setup_chroot_and_install_BIND

The major difference in my procedure is the mknod of tcp and udp, ldd named, etc.

This is my chroot procedure:
===================================
Chroot Procedure for BIND 9.3.2 in Solaris 8
The following steps assume use of the C shell. We start by setting a variable for the chroot environment (jail) location, and setting umask so that all files copied can be read by both group and world. These commands are designed to be copied and pasted.

1. Set the destination directory for the chroot jail; everything will be installed in subdirectories of this tree.
		csh
		unset noclobber
		set jail='/bind.9.3.2';
		umask 022;

2. Set up empty directories and links for chroot environment: 
		cd /
		mkdir  -p /bind.9.3.2
		cd /bind.9.3.2/

		mkdir -p {dev,opt,usr,var,etc};
		mkdir -p var/{run,log,named} usr/lib;
		mkdir -p usr/local/etc
		mkdir -p usr/share/lib/zoneinfo;

3. Create a user and group account for BIND:
		groupadd dns;

		useradd -d /bind.9.3.2 -s /bin/false -g dns -c "BIND daemon" -m dns

		Create an identical user and group account within the chroot:

		grep dns /etc/passwd >> /bind.9.3.2/etc/passwd
		grep dns /etc/shadow >> /bind.9.3.2/etc/shadow
		grep dns /etc/group >> /bind.9.3.2/etc/group

Don't allow the BIND account to use ftp:
		echo "dns" >> /etc/ftpusers
4. Install the BIND distribution:


		cd /home/installation/bind-9.3.2
		./configure --prefix=/bind.9.3.2/usr/local --disable-ipv6 --enable-threads --sysconfdir=/etc --localstatedir=/var

		make install

5. Copy the system files needed into the chroot environment:

		cd /bind.9.3.2
		cp /etc/{syslog.conf,netconfig,nsswitch.conf,resolv.conf,TIMEZONE} /bind.9.3.2/etc
Use ldd to see what shared object libraries named relies on:
		ldd /bind.9.3.2/usr/local/sbin/named

		# ldd /bind.9.3.2/usr/local/sbin/named
		        libnsl.so.1 =>   /usr/lib/libnsl.so.1
		        libsocket.so.1 =>        /usr/lib/libsocket.so.1
		        libpthread.so.1 =>       /usr/lib/libpthread.so.1
		        libthread.so.1 =>        /usr/lib/libthread.so.1
		        libc.so.1 =>     /usr/lib/libc.so.1
		        libdl.so.1 =>    /usr/lib/libdl.so.1
		        libmp.so.2 =>    /usr/lib/libmp.so.2
		        /usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1

		cp -p /usr/lib/libnsl.so.1  \
		/usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
		/usr/lib/libthread.so.1 /usr/lib/libpthread.so.1 \
		/usr/lib/libdl.so.1 /usr/lib/libmp.so.2 \
		/usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1 \
		/bind.9.3.2/usr/lib

Copy over the timezone files:

		mkdir -p /bind.9.3.2/usr/share/lib/zoneinfo;
		cp -p -R /usr/share/lib/zoneinfo/ /bind.9.3.2/usr/share/lib/

Create a loop-back mount for syslog:
		mkdir /bind.9.3.2/etc/.syslog_door
		mount -F lofs /etc/.syslog_door /bind.9.3.2/etc/.syslog_door


Create a directory for DNS data; we assume it is in /var/named:

		mkdir -p /bind.9.3.2/var/named/system

6. Set up the DNS data files:

		cp -p /home/installation/new_dns/named.conf /bind.9.3.2/etc/
		cp -p /home/installation/new_dns/rndc.conf /bind.9.3.2/etc
		cp -p /home/installation/new_dns/rndc.key /bind.9.3.2/etc

		cp -p /home/installation/new_dns/db.cache /bind.9.3.2/var/named/system/
		cp -p /home/installation/new_dns/db.127.0.0 /bind.9.3.2/var/named/system/


7. Set jail permissions

Next, we set permissions on files so that root owns the files and named can read all files and write some files. Then, disable any SUID/SGID files.
The PID file is put in /var/run and not /usr/local, because we don't want the named user to be able to write to /usr/local/etc (and hence named.conf). The location of the PID file is specified in named.conf.

		cd /bind.9.3.2

		chgrp -R dns *

# remove group write from var, and all write access from opt and usr
		chmod -R g-w var;
		chmod -R a-w opt usr;

		chmod 770 /bind.9.3.2/var/named;

		touch /bind.9.3.2/var/run/named.pid
		touch /bind.9.3.2/var/log/debug_dns.log
		touch /bind.9.3.2/var/log/event_dns.log
		touch /bind.9.3.2/var/log/query_dns.log
		touch /bind.9.3.2/var/log/named.memstats
		touch /bind.9.3.2/var/log/named.stats
		touch /bind.9.3.2/var/log/named.db
		chown dns:dns /bind.9.3.2/var/log/* /bind.9.3.2/var/run/named.pid;

		chgrp -R dns /bind.9.3.2/var/log /bind.9.3.2/var/run;
		chmod 774 /bind.9.3.2/var/run /bind.9.3.2/var/log;
		chmod -R o-r /bind.9.3.2/var/run /bind.9.3.2/var/log;

# Allow named to access the BIND config file:
		chgrp dns /bind.9.3.2/etc;
		chown root:dns /bind.9.3.2/etc/named.conf;
		chmod 644 /bind.9.3.2/etc/named.conf;
		chown root:dns /bind.9.3.2/etc/rndc.*;
		chmod 644 /bind.9.3.2/etc/rndc.*;
		chmod 755 /bind.9.3.2/etc;

# Remove SUID or SGID bits, if any exist:
		find . -type f -exec chmod ug-s {} \;

# Remove world access:
		chmod -R o-w * /bind.9.3.2/usr
8. Set up devices for communication, console, syslog, etc.:
		cd /bind.9.3.2/dev
		mknod tcp c 42 0
		mknod udp c 41 0
		mknod log c 21 5 
		mknod null c 13 2 
		mknod zero c 13 12 
		chgrp sys null zero
		chmod 666 null 

		mknod conslog c 21 0
		mknod syscon c 0 0 
		chmod 620 syscon
		chgrp tty syscon
		chgrp sys conslog

On Solaris 8, provide access to /dev/random by:

		cd /bind.9.3.2/dev
		mknod random c 35 0
		chgrp sys random
		chmod 644 random
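The "no more recursive clients: quota reached" line is BIND's recursive-clients limit (default 1000 simultaneous recursive lookups) being hit, which on a cache-only ISP resolver usually means either genuine peak load or recursion being open to the whole Internet. The following named.conf fragment is an added example, not part of the original post or of the cookbook it references; the acl prefixes are documentation placeholders to be replaced with the ISP's own customer ranges, and the limits are starting points rather than measured values.

```conf
// Added example, not from the original post. Address ranges are
// placeholders (documentation prefixes): replace with the ISP's own.
acl customers {
    192.0.2.0/24;
    198.51.100.0/24;
    127.0.0.1;
};

options {
    // Paths are as seen inside the chroot (/bind.9.3.2 is the jail root),
    // matching the files the procedure above creates under var/.
    directory "/var/named/system";
    pid-file "/var/run/named.pid";
    statistics-file "/var/log/named.stats";
    dump-file "/var/log/named.db";

    // A cache-only server must recurse, but only for its own clients.
    // If recursion is left open to everyone (the weak setting is simply
    // omitting allow-recursion), outside hosts fill the recursive-client
    // slots and the quota message appears under load.
    recursion yes;
    allow-query { customers; };
    allow-recursion { customers; };

    // The quota behind "no more recursive clients: quota reached".
    // Raise it only once the load is confirmed to come from customers,
    // since each in-flight lookup holds memory and a socket.
    recursive-clients 2000;

    // Bound cache growth so named stays within physical memory
    // (the post reports about 800M resident on a 2G host).
    max-cache-size 512M;
};
```

Check the edited file with named-checkconf inside the jail before reloading, and watch the query log for whether the quota message stops once recursion is restricted; if it persists with only customer traffic, the limit itself is too low for the observed peak.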
