High recursive client counts

Jason Brandt jbrandt at fsmail.bradley.edu
Fri Mar 28 14:36:46 UTC 2014


Our public DNS servers are on site as well.  I use forwarders (as opposed
to slaves) from our resolvers to our public DNS servers for our internal
domains, and the resolvers still responded for internal domains, even when
the recursive count was high and external domains weren't responding.


On Thu, Mar 27, 2014 at 5:26 PM, Mark Andrews <marka at isc.org> wrote:

>
> In message <53349E66.8050405 at ksu.edu>, "Lawrence K. Chen, P.Eng." writes:
> >
> >
> > On 03/26/14 04:02, Sam Wilson wrote:
> > > In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
> > >  Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
> > >
> > >> For now, I've disabled DNS inspection on our firewall, as it is an
> > >> ancient Cisco firewall services module, and that seems to have
> > >> stabilized things, but it's only been 30 minutes or so.  Until I get a
> > >> few days in, I'll keep researching.
> > >
> > > We used to run DNS inspection on our FWSMs.  We didn't notice any
> > > issues with DNS resolution per se, but we did find that turning it off
> > > dropped the FWSM CPU from ~70% to less than 30%.  We're not aware of any
> > > issues that using DNS inspection might have caused.
> > >
> > > Sam
> > >
> >
> > I had to get our DNS servers exempted from our Procera, as it was
> > interfering with DNSSEC.  The security analyst said it considered some of
> > the large encrypted UDPs as P2P.
> >
> > So, every few days (less during busy times), a recursive caching query
> > server would stop answering....where restarting it would make it work
> > again.  It was to the point where I had our monitoring system restart bind
> > as needed.
> >
> > Eventually, my manager asked about all the strange notifications, where he
> > then pushed it up to the CISO to get the analyst to make the change to stop
> > interfering with DNS.
> >
> > They had done a test a few months earlier, and said we didn't complain
> > then.  I went back through the logs, and found that it had been interfering
> > then...but the weekend test wasn't enough to cause any servers to stop
> > responding.
> >
> > I didn't think to see what the client counts were.  Though another time
> > when the Procera had stopped passing any traffic, the counts did get really
> > high before they stopped working.
> >
> > Need to work on figuring out how to have it resolve local domains when the
> > Internet connection is down.
>
> Slaving the local zones is the simplest solution.
>
> > --
> > Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
> > For: Enterprise Server Technologies (EST) -- & SafeZone Ally
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>



-- 
Jason K. Brandt
Systems Administrator
Bradley University
(309) 677-2958
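The two approaches discussed in this thread (forwarding internal domains to the on-site authoritative servers, versus slaving them on the resolver) written out as resolver-side named.conf fragments. This is an added illustration, not configuration posted by anyone in the thread; the zone name internal.example, the 192.0.2.x addresses and the file path are placeholders.

```conf
// Added example: resolver-side named.conf fragments for one internal domain.
// Pick ONE of the two zone statements; a zone may be declared only once.
// Names, addresses and paths are placeholders, not from the thread.

// Option 1: forward zone. Every lookup for internal.example is sent to the
// listed servers and the resolver keeps no copy of the zone. If the
// forwarders are on site and reachable without the Internet link, internal
// names keep resolving during an upstream outage, which matches what the
// original poster observed. Each forwarded lookup is still a recursive
// operation on the resolver, so it uses a recursive-client slot and is
// subject to the recursive-clients quota this thread is about.
zone "internal.example" {
    type forward;
    forward only;                              // never fall back to iteration
    forwarders { 192.0.2.10; 192.0.2.11; };    // on-site authoritative servers
};

// Option 2: slave (secondary) zone, the option suggested in the reply. The
// resolver holds a full copy of the zone on local disk, refreshed by zone
// transfer, and answers authoritatively from that copy whether or not the
// masters or the Internet are reachable. Answers come from local data, so
// they need no recursive-client slot at all. The copy stays valid until
// the SOA expire interval runs out, so the zone's SOA timers bound how long
// an outage the resolver can ride through.
zone "internal.example" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };       // on-site authoritative servers
    file "slaves/internal.example.db";         // relative to the "directory" option
};

// The authoritative servers must allow the resolvers to transfer the zone;
// a matching fragment for their named.conf (resolver addresses are placeholders):
//
// zone "internal.example" {
//     type master;
//     file "zones/internal.example.db";
//     allow-transfer { 192.0.2.53; 192.0.2.54; };
// };
```

With the slave option the resolver answers internal names from its own copy, so neither an Internet outage nor an exhausted recursive-clients quota affects them, which is why slaving is the simplest fix for the "resolve local domains when the Internet is down" problem raised above. Newer BIND 9 releases also accept `type secondary` and `primaries` as synonyms for `type slave` and `masters`; the older keywords shown here are the ones current in 2014.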