allow-recursion slowing server to crawl

Marco C. Coelho maillist1 at argontech.net
Wed Feb 27 23:32:58 UTC 2013


Just so the list has the same answer,

Mark Andrews was right.
This server was being hammered so hard that logging the rejects was
killing the performance.
Adding:
logging {
   category default { null; };
   //category lame-servers { null; };
};

to named.conf fixed the performance issues.

mc

On 2/27/2013 5:18 PM, Mark Andrews wrote:
> I suspect this is just logging. Send the security channel to null
> for a while.  Once your server gets off the "I'm a recursive reflector"
> lists you can turn it on again.
>
> In message <512E7940.7060003 at argontech.net>, "Marco C. Coelho" writes:
>> I discovered my bind 9 server was being used in a DDoS attack so I
>> decided (late) to block outside networks from making recursive
>> requests.  The problem is every time I enable this, the time for DNS
>> queries goes from 0-1ms to 2000-6000ms or just times out completely.
>> The options section is below. I've commented it out so as to enable my
>> network to run.
>>
>> There are thousands of my clients that need recursion from this server.
>> It is also authoritative for many domains.
>>
>> There is a semi busy mail server on this same box that uses DNS as well.
>>
>> I googled this to death with no real suggestions.  I've tried it with
>> ACL and without.
>>
>> Any suggestions would be appreciated.
>>
>> Marco
>>
>> acl "internal" {
>>     24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
>> };
>>
>> options {
>>     directory "/var/named";
>>     /*
>>      * If there is a firewall between you and nameservers you want
>>      * to talk to, you might need to uncomment the query-source
>>      * directive below.  Previous versions of BIND always asked
>>      * questions using port 53, but BIND 8.1 uses an unprivileged
>>      * port by default.
>>      */
>>     // query-source address * port 53;
>>     recursive-clients 1000;
>>     recursion yes;
>>     //allow-query { any; };
>>     //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
>>     //allow-recursion { "internal"; };
>>     //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
>>     listen-on-v6 { none; };
>>     listen-on { 24.202.224.2; };
>>     version "8.2.3-REL";
>> };
>>
>> -- 
>> Argon Technologies Inc.
>> Marco Coelho, President, CEO
>> POB 875
>> 4612 Wesley St.
>> Greenville, TX 75402
>> 903-455-5036
>> 903-455-2115 Fax
>>

-- 
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax
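Before sending a whole logging category to null, it helps to see what the rejects actually consist of. The script below is an added example, not part of this thread: it parses constructed lines in the style of BIND 9's security category, counts denied cache queries per client and per query type, and flags any source that falls inside the internal ranges (the INTERNAL list, the log format and the sample lines are assumptions, not taken from the poster's server).

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, Tuple

# Constructed sample lines in the style of BIND 9 "security" category output.
# The exact format varies by version; adjust DENIED_RE to match your logs.
SAMPLE_LOG = """\
27-Feb-2013 17:10:01.001 security: info: client 198.51.100.7#53123 (isc.org): query (cache) 'isc.org/ANY/IN' denied
27-Feb-2013 17:10:01.002 security: info: client 198.51.100.7#53124 (isc.org): query (cache) 'isc.org/ANY/IN' denied
27-Feb-2013 17:10:01.003 security: info: client 10.0.0.5#55555 (example.com): query (cache) 'example.com/A/IN' denied
27-Feb-2013 17:10:01.004 general: info: zone example.org/IN: loaded serial 2013022701
27-Feb-2013 17:10:01.005 security: info: client 198.51.100.7#53125 (isc.org): query (cache) 'isc.org/ANY/IN' denied
"""

# "query (cache) ... denied" is what BIND logs when allow-recursion or
# allow-query-cache refuses a client; one such line per rejected query.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<qtype>[^/]+)/IN' denied"
)

# Hypothetical stand-in for the poster's "internal" ACL.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def parse_denied(lines: Iterable[str]) -> Iterable[Tuple[str, str, str]]:
    """Yield (client_ip, qname, qtype) for every denied cache query."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")


def summarize(lines: Iterable[str]) -> dict:
    """Count rejects per client and qtype; flag internal sources being denied.

    Many external clients repeating ANY queries is reflection traffic: the
    rejects are correct, and logging each one is the cost. An internal
    client in the result means the ACL is cutting off someone it shouldn't.
    """
    by_client: Counter = Counter()
    by_qtype: Counter = Counter()
    internal: Counter = Counter()
    for ip, _name, qtype in parse_denied(lines):
        by_client[ip] += 1
        by_qtype[qtype] += 1
        if any(ipaddress.ip_address(ip) in net for net in INTERNAL):
            internal[ip] += 1
    return {"total": sum(by_client.values()), "by_client": by_client,
            "by_qtype": by_qtype, "internal": internal}
```

Run it over the real security log (or the output of `category security` sent to a file) before and after the recursion restriction; a drop in external rejects is the signal Mark refers to for turning logging back on.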
