Bind9 overloaded, recursive clients and timeout.

Cedric Lejeune cedric.lejeune at arcelormittal.com
Mon Feb 8 14:25:09 UTC 2010


Hello list,

Sorry to bother you but I really need help since I cannot figure out 
what I am doing wrong. I am trying to set up a new DNS server: it 
behaves as expected in a test environment, but in a production 
environment, it seems to get overloaded, the number of recursive clients 
increases until it reaches recursive-clients, a lot of timeouts occur 
and the server is no longer able to answer any query. The main clients 
of this server are spam filters (spamassassin) and mail routers. I have 
googled for this issue and the only thing I have found that may explain 
this issue is that our firewalls are mishandling packets 
fragmentation/size larger than 512 bits. So I have checked this using 
this thread 
http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/cfa8c63ec6bd08d6 
and it seems everything is fine. So, as a last resort, I bother you... 
Do you have any hint that would help me to track down what is wrong?

Thank you for your help.

Kind regards,

cedric.

Possibly useful information:

System: Debian testing
Bind version: 9.6.1.dfsg.P1-1

--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------

named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

include "/etc/bind/named.conf.local";

--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------

named.conf.options

logging {
         channel debug {
                 file "/tmp/debug";
                 severity debug 2;
                 print-category yes;
                 print-time yes;
                 print-severity yes;
         };

         category default {
                 debug;
         };
};

options {
         directory "/var/cache/bind";

         // If there is a firewall between you and nameservers you want
         // to talk to, you may need to fix the firewall to allow multiple
         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

         // If your ISP provided one or more IP addresses for stable
         // nameservers, you probably want to use them as forwarders.
         // Uncomment the following block, and insert the addresses replacing
         // the all-0's placeholder.

         // forwarders {
         //      0.0.0.0;
         // };

         auth-nxdomain no;       // conform to RFC1035
//      listen-on-v6 { any; };

         allow-transfer {
                 X.X.X.X;
                 Y.Y.Y.Y;
         };

         allow-query-cache { any; };
         allow-recursion { any; };

         querylog yes;

         recursive-clients 2000;
};

--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
// include "/etc/bind/zones.rfc1918";

include "/etc/bind/zone.hint";
include "/etc/bind/zones.rfc1912";
include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.master";
include "/etc/bind/zones.slave";

--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------

/etc/default/bind9

# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS="-4 -u bind"

--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------

# dig +norec +dnssec www.google.com @a.root-servers.net

; <<>> DiG 9.6.1-P1 <<>> +norec +dnssec www.google.com @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55758
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       192.5.6.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30

;; Query time: 10 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb  8 15:03:49 2010
;; MSG SIZE  rcvd: 531

--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------

# dig +dnssec +norec +ignore dnskey se @A.NS.se

; <<>> DiG 9.6.1-P1 <<>> +dnssec +norec +ignore dnskey se @A.NS.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26467
;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.                            IN      DNSKEY

;; ANSWER SECTION:
se.                     3600    IN      DNSKEY  256 3 5 
AwEAAcw0ItlUtYfr5Ioq7lGRL2Z5ktMVViXawp91+aXJrk/AEM+m2Kh0 
ql63TqgXD0EtqO48BnEOKB5vrKXkORIrq1J23XgVoVmnQWg8iLPFzw8b 
h5IBRgCCAdwNUKvv/Q/bgBgTYYMxdGrUzClLNAZ0zMutj/9X3hazjFxy OxVddwRr
se.                     3600    IN      DNSKEY  256 3 5 
AwEAAdWp++Y+hjEa/0eRobZT9hWJnxFKXaG/HKrlAFfC69Yd7x5nXQBn 
l1+Ipgc8TYuTaUYCzkS4mu21cDvHn4sHO5HEdbIbwh+iJw6DVBDKVOMA 
nQC/m6UVCjB6hgdNgWm20t7QxpqwmZTxtTZvk6pUkzmkX6o0X3yeaSB2 JEDwgsGV
se.                     3600    IN      DNSKEY  257 3 5 
AwEAAeeGE5unuosN3c8tBcj1/q4TQEwzfNY0GK6kxMVZ1wcTkypSExLC 
BPMS0wWkrA1n7t5hcM86VD94L8oEd9jnHdjxreguOZYEBWkckajU0tBW 
wEPMoEwepknpB14la1wy3xR95PMt9zWceiqaYOLEujFAqe6F3tQ14lP6 
FdFL9wyCflV06K1ww+gQxYRDo6h+Wejguvpeg33KRzFtlwvbF3AapH2G 
XCi4Ok2+PO2ckzfKoikIe9ZOXfrCbG9ml2iQrRNSM4q3zGhuly4NrF/t 
9s9jakbWzd4PM1Q551XIEphRGyqcbA2JTU3/mcUVKfgrH7nxaPz5DoUB 7TKYyQgsTlc=
se.                     3600    IN      DNSKEY  256 3 5 
AwEAAb/vMpi2PrRQEFzo8S2A7uz2m/xdZ+39yiEBaFfxSg5nY8RN+nrQ 
ixVoMWrvOzVZtig05rwWKCXmvvX5fiXpHpPtpyKUArmYHVPk730g4T8R 
3qnioMWDrp0Iwl4eu+CyzFhlH8dpVkgFnBV73D5Ip5Wp82MoYiBzL+zl m4YebNKx
se.                     3600    IN      RRSIG   DNSKEY 5 1 3600 
20100212235600 20100206062318 64656 se. 
y9bI9ADoG4HaF2QdLdGsRMt9B1PFrlpPpQYUCziXIP1+HtPIRH96toHH 
ZJ1sWCn0DPsOxaiShL3voETtr9x7tl87qdaSJM1kr96Ivbim+06MKf2J 
wi8ocrKrGOX4QGXBgmpUBBpDHWKq4zrt0ViYJ17CpZMkWPXUo+/6BupR 1PM=
se.                     3600    IN      RRSIG   DNSKEY 5 1 3600 
20100314000000 20100202085826 8779 se. 
yA7sRAwnUTF6am9IlxmGF828jaWeNCRwf/QUozFYuTRspad3iFzx4u4i 
XkhOrDv4jCtTfYBT5JOhLlB1Yg2C6sP9VKrLEMFkDDNQwpn4OmVkZTRK 
ZoxPuAnIhs1uHOFPhqRr/5AFMtngYJH66UWGbPv8KFJd4gHb0tNSR2SZ 
1zbDpxYA6gg14j7a7b/bHqqqNoNse46k5SYyypWe+N+ihS4+QPI29pdx 
JcdF8mgu9xJdcmZUgrrOTBnWqjcYaGpfy07oixi32QLa7bcBPr0CZ43d 
a4hWDDbJO3COdux6TamQsDahSB7qoOa/u7OW3gprNQqykuShU8cVmYVF oqyNyg==

;; Query time: 48 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Mon Feb  8 15:04:52 2010
;; MSG SIZE  rcvd: 1203

--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------

Log extract:

...
08-Feb-2010 14:39:56.391 query-errors: debug 1: client X.X.X.X#12695: query failed (SERVFAIL) for 11.94.88.195.dnsbl.sorbs.net/IN/A at query.c:4619
08-Feb-2010 14:39:56.391 query-errors: debug 2: fetch completed at resolver.c:3121 for 11.94.88.195.dnsbl.sorbs.net/A in 30.000143: timed out/success [domain:dnsbl.sorbs.NET,referral:0,restart:1,qrysent:13,timeout:12,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.392 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for euro-index.be/IN/A at query.c:4619
08-Feb-2010 14:39:56.392 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be/A in 30.000085: timed out/success [domain:.,referral:0,restart:1,qrysent:11,timeout:10,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.392 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for euro-index.be/IN/MX at query.c:4619
08-Feb-2010 14:39:56.393 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be/MX in 30.000111: timed out/success [domain:.,referral:0,restart:1,qrysent:11,timeout:10,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.394 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for 218.208.78.194.dnsbl.sorbs.net/IN/A at query.c:4619
08-Feb-2010 14:39:56.394 query-errors: debug 2: fetch completed at resolver.c:3121 for 218.208.78.194.dnsbl.sorbs.net/A in 30.000152: timed out/success [domain:dnsbl.sorbs.NET,referral:0,restart:1,qrysent:13,timeout:12,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.396 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for 218.208.78.194.zen.spamhaus.org/IN/A at query.c:4619
08-Feb-2010 14:39:56.396 query-errors: debug 2: fetch completed at resolver.c:3121 for 218.208.78.194.zen.spamhaus.org/A in 30.000175: timed out/success [domain:zen.spamhaus.org,referral:0,restart:1,qrysent:22,timeout:21,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.396 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for euro-index.be.fulldom.rfc-ignorant.org/IN/A at query.c:4619
08-Feb-2010 14:39:56.396 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be.fulldom.rfc-ignorant.org/A in 30.000098: timed out/success [domain:rfc-ignorant.org,referral:0,restart:4,qrysent:4,timeout:3,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
08-Feb-2010 14:39:56.417 query-errors: debug 1: client X.X.X.X#12695: query failed (SERVFAIL) for 11.94.88.195.zen.spamhaus.org/IN/A at query.c:4619
08-Feb-2010 14:39:56.417 query-errors: debug 2: fetch completed at resolver.c:3121 for 11.94.88.195.zen.spamhaus.org/A in 30.000161: timed out/success [domain:zen.spamhaus.org,referral:0,restart:1,qrysent:22,timeout:21,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.418 query-errors: debug 1: client X.X.X.X#12695: query failed (SERVFAIL) for ukrs238770.pur3.net.fulldom.rfc-ignorant.org/IN/A at query.c:4619
08-Feb-2010 14:39:56.418 query-errors: debug 2: fetch completed at resolver.c:3121 for ukrs238770.pur3.net.fulldom.rfc-ignorant.org/A in 30.000102: timed out/success [domain:rfc-ignorant.org,referral:0,restart:4,qrysent:4,timeout:3,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
08-Feb-2010 14:39:56.479 query-errors: debug 1: client X.X.X.X#35810: query failed (SERVFAIL) for 227.228.181.88.combined.njabl.org/IN/A at query.c:4619
08-Feb-2010 14:39:56.479 query-errors: debug 2: fetch completed at resolver.c:3121 for 227.228.181.88.combined.njabl.org/A in 30.000118: timed out/success [domain:combined.njabl.org,referral:0,restart:1,qrysent:11,timeout:10,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.479 query-errors: debug 1: client X.X.X.X#35810: query failed (SERVFAIL) for 3.42.27.212.combined.njabl.org/IN/A at query.c:4619
08-Feb-2010 14:39:56.479 query-errors: debug 2: fetch completed at resolver.c:3121 for 3.42.27.212.combined.njabl.org/A in 30.000156: timed out/success [domain:combined.njabl.org,referral:0,restart:1,qrysent:10,timeout:9,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
...
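A small diagnostic for the log extract above, added here as an illustration (it is not code from the original post or from BIND): it parses named's "fetch completed" entries and totals qrysent/timeout per delegation (the "domain" counter), so one can see whether the timeouts are confined to a few DNSBL zones or hit every delegation, the root "." included, which would point at the resolver's own outbound path (firewall, NAT state table, upstream link) rather than at the DNSBL operators. The line shape is taken from the extract; the function names are mine, and the sample lines are copied from the extract and rejoined.

```python
import re
from collections import defaultdict
# Sample lines copied from the log extract above (rejoined onto single lines);
# the first is a "debug 1" line that the parser must skip.
SAMPLE_LOG = """\
08-Feb-2010 14:39:56.391 query-errors: debug 1: client X.X.X.X#12695: query failed (SERVFAIL) for 11.94.88.195.dnsbl.sorbs.net/IN/A at query.c:4619
08-Feb-2010 14:39:56.391 query-errors: debug 2: fetch completed at resolver.c:3121 for 11.94.88.195.dnsbl.sorbs.net/A in 30.000143: timed out/success [domain:dnsbl.sorbs.NET,referral:0,restart:1,qrysent:13,timeout:12,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.392 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be/A in 30.000085: timed out/success [domain:.,referral:0,restart:1,qrysent:11,timeout:10,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.394 query-errors: debug 2: fetch completed at resolver.c:3121 for 218.208.78.194.dnsbl.sorbs.net/A in 30.000152: timed out/success [domain:dnsbl.sorbs.NET,referral:0,restart:1,qrysent:13,timeout:12,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.396 query-errors: debug 2: fetch completed at resolver.c:3121 for 218.208.78.194.zen.spamhaus.org/A in 30.000175: timed out/success [domain:zen.spamhaus.org,referral:0,restart:1,qrysent:22,timeout:21,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
08-Feb-2010 14:39:56.396 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be.fulldom.rfc-ignorant.org/A in 30.000098: timed out/success [domain:rfc-ignorant.org,referral:0,restart:4,qrysent:4,timeout:3,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]
"""

# Shape of named's "fetch completed" line (query-errors category, debug level 2).
FETCH_RE = re.compile(
    r"fetch completed at \S+ for (?P<qname>[^/\s]+)/(?P<qtype>\S+) in (?P<secs>[\d.]+): "
    r"(?P<result>[^/]+)/(?P<vresult>\S+) \[(?P<counters>[^\]]+)\]")

def parse_fetch(line):
    """Parse one fetch-completed line into a dict; return None for any other line."""
    m = FETCH_RE.search(line)
    if m is None:
        return None
    rec = {"qname": m.group("qname"), "qtype": m.group("qtype"), "secs": float(m.group("secs")), "result": m.group("result").strip()}
    for key, val in (kv.split(":", 1) for kv in m.group("counters").split(",")):
        rec[key] = int(val) if val.isdigit() else val
    rec["domain"] = rec["domain"].lower()  # named logs the delegation as cached (dnsbl.sorbs.NET)
    return rec

def summarize(lines):
    """Per delegation ('domain' counter): fetches, queries sent, timeouts, adberr, timeout ratio."""
    stats = defaultdict(lambda: {"fetches": 0, "qrysent": 0, "timeout": 0, "adberr": 0})
    for rec in filter(None, map(parse_fetch, lines)):
        s = stats[rec["domain"]]
        s["fetches"] += 1
        for key in ("qrysent", "timeout", "adberr"):
            s[key] += rec[key]
    for s in stats.values():
        s["timeout_ratio"] = round(s["timeout"] / s["qrysent"], 2) if s["qrysent"] else 0.0
    return dict(stats)

def widespread(stats, threshold=0.5):
    """True when every delegation, the root (".") included, loses most of its queries:
    that points at the resolver's own outbound path, not at one slow upstream."""
    return bool(stats) and all(s["timeout_ratio"] >= threshold for s in stats.values())

if __name__ == "__main__":
    for domain, s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{domain:20} fetches={s['fetches']} qrysent={s['qrysent']} timeout={s['timeout']} ratio={s['timeout_ratio']}")
```

Run it against the real /tmp/debug file with `summarize(open("/tmp/debug"))`; a high ratio on every row, including the "." row for plain .be lookups, says the outbound path is dropping most of the resolver's queries and the recursive-clients ceiling is a symptom, not the cause.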