High recursive client counts
Lawrence K. Chen, P.Eng.
lkchen at ksu.edu
Thu Mar 27 21:55:50 UTC 2014
On 03/26/14 04:02, Sam Wilson wrote:
> In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
> Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
>> For now, I've disabled DNS inspection on our firewall, as it is an ancient
>> Cisco firewall services module, and that seems to have stabilized things,
>> but it's only been 30 minutes or so. Until I get a few days in, I'll keep
> We used to run DNS inspection on our FWSMs. We didn't notice any issues
> with DNS resolution per se, but we did find that turning it off dropped
> the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
> that using DNS inspection might have caused.
I had to get our DNS servers exempted from our Procera, as it was interfering
DNSSEC. The security analyst said it considered some of the large encrypted
UDPs as P2P.
So, every few days (less during busy times), a recursive caching query server
would stop answering....where restarting it would make it work again. It was
to the point where I had our monitoring system restart bind as needed.
Eventually, my manager asked about all strange notifications. Where he then
pushed it up to the CISO to get the analyst to make the change to stop
interfering with DNS.
They had done a test a few months earlier, and said we didn't complain then.
I went back through the logs, and found that it had been interfering
then...but the weekend test wasn't enough to cause any servers to stop responding.
I didn't think to see what the client counts were. Though another time when
the Procera had stopped passing any traffic, the counts did get really high
before they stopped working.
Need to work on figuring out how to have it resolve local domains when
Internet connection is down.
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
More information about the bind-users