Weird performance issue.

Cedric Lejeune cedric.lejeune at arcelormittal.com
Thu Aug 21 09:21:10 UTC 2008


Unfortunately, MAC addresses are not 'hardcoded' in our firewall, at least 
not those regarding DNS servers. One thing I have forgotten in my 
previous post is that our mail router _is_ currently running pretty fine 
using the new server. But as soon as we switch IP address, everything 
goes wrong =/
Thanks for your help.

Kind regards,

cedric.

Fr34k wrote:
> Is your firewall set to arp for different MAC addresses?
> If so, was that updated to reflect the changes you are trying to make?
> I did Checkpoint in a former life, and I can remember defining static arp entries for some of the NAT setup we had.
> It is all I can think of or remember.
> HTH
> 
> 
> 
> ----- Original Message ----
> From: Cedric Lejeune <cedric.lejeune at arcelormittal.com>
> To: bind-users at isc.org
> Sent: Wednesday, August 20, 2008 10:08:40 AM
> Subject: Weird performance issue.
> 
> Hello list,
> We are currently running two instances of bind9, each one on a different 
> host. Both hosts have their own IP address and basic tests work perfectly:
> - ping of external server(s) works fine (FQDN and IP address)
> - host resolution works fine
> - named processes number is quite low (~16)
> 
> The problem occurs when we try to move IP address from master server to 
> slave server:
> - ping of external server(s) failed (FQDN and IP address)
> - host resolution takes a huge time to complete or does not complete at all 
> (timeout)
> - processes number increases significantly (~1000, which seems to 
> correspond to recursive-clients default value)
> 
> We have taken care of everything we can think of:
> - bind9 configuration
> - network configuration
> - arp resolution
> - firewall configuration (although being a CheckPoint firewall, Smart 
> Defense does not seem to cause any issue since only logging is 
> activated, cf 
> http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/cfa8c63ec6bd08d6 
> . Firewall log does not show anything weird either.)
> 
> Logs do not show anything relevant to me, except the well known "too many 
> timeouts resolving 'ns2.highergroundtech.com/AAAA' (in 
> 'highergroundtech.com'?): disabling EDNS" message.
> 
> We are currently running BIND9 on Linux Debian:
> - the one running perfectly is a quite outdated 9.2.1-2.woody.1 package
> - the one causing problem is a quite up to date 1:9.5.0.dfsg.P1-2 package
> 
> Configuration files have only been updated to reflect releases changes.
> 
> Do you have any hint or advice so I can at least look at where the issue 
> comes from and then try to solve it?
> 
> Thanks for your help,
> 
> Kind regards,
> 
> cedric.
> 



