Wael Shahin wael.shahin at
Thu Sep 21 12:54:02 UTC 2006

I have 2 public DNS servers, one as primary and the other one as secondary;
both are behind a PIX firewall.

BIND Version: bind-9.3.2-33.fc5

PIX: Cisco Adaptive Security Appliance Software Version 7.1

Problem Description:

1- Most queries are resolved just fine, but some return the following error:
"Server Failed", not timed out.

By restarting the named daemon those records resolve fine for a while, then
the problem happens again.

2- When restarting the named daemon, sometimes I get the error that it is already
running when trying to start; by then initiating /etc/init.d/named start, it
starts fine afterward.

3- Some records are cached even though TTL is expired.

Steps taken to resolve the issue:

1- Removed the DNS Inspection from PIX firewall.

2- Set the edns packet size to 512.

3- Defined max cache ttl.

Configuration File:

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        version "Whatever";
        allow-query { any; };
        allow-recursion { localhost; trusted; };
        blackhole { badguys; };
        notify yes;
        max-cache-ttl 172800;
        max-ncache-ttl 172800;
        datasize default;
        max-cache-size 80000000;
        allow-transfer { secondaries; };
        also-notify {;;}; // all zones
        allow-notify { secondaries; };
        recursive-clients 30000;
};

Dry Networks don't pass by lakes !!!
