Recursive Timeout with Windows 2000 Domain Controller

e12pilot e12pilot at gmail.com
Thu Sep 28 22:11:48 UTC 2006


All,
We are having an issue with recursive lookups and our new BIND 9.3.2
server.  The server is an HP BL35p with two dual core AMD 280 CPUs and
2GB of RAM.  Server never hits swap, and currently is authoritative for
approximately 400 zones.

We recently introduced this server into our environment to replace our
current BIND nameserver running 9.2.3.  BIND was installed via the
SUSE SLES 10 RPMs in chroot mode.

The issue occurs when our root Active Directory domain controllers use
this server as their primary recursive resolver.  The new BIND server
appears to be "throttling" requests from the Active Directory server.
Here are the symptoms:

- When the Active Directory DNS resolver issues recursive requests to
the BIND server, about 1 in 20 queries are returned.  Packet captures
reveal the BIND server receiving the requests, however only about 1 in
20 requests are returned.

- During this time when queries are not being returned, nslookup and
dig requests to the BIND server yield extremely fast results.  Also,
other internal DNS servers (not as query intensive) have no issues
issuing and receiving recursive requests.

- The second we change the search order on the Active Directory server
to point to our secondary BIND 9.2.3 server, queries are returned
quickly to the Active Directory host.  Both the 9.3.2 and the 9.2.3
server share the identical named.conf configurations and root.hints.

Our options config is:

options {
        directory "/var/lib/named";
        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";
        allow-recursion { trust; };  // only recurse for trusted hosts
        allow-query { trust; }; // blanket *DENY ALL* which will be opened for each zone below
        recursive-clients 10000;
        version "not available";
};

Are there any troubleshooting suggestions folks have for helping
diagnose these issues?

Thank you,

Peter


