Troubleshooting BIND stops responding
mje at posix.co.za
Thu Mar 30 10:02:07 UTC 2017
On 30/03/2017 06:35, i.chudov at volga.ttk.ru wrote:
> Greetings to everyone!
> I'm an engineer at a local ISP and we have to provide 2 DNS servers running
> BIND for our clients. We have logs full of various BIND errors but are
> unable to gain a full understanding of the problem. The main problem is that
> the BIND at 220.127.116.11 sometimes stops responding after working fine
> for about a week. Then BIND just doesn't return any responses and we have
> to restart it. There is a suspicion of a weak (because other services are
> running normally) DoS attack, but I don't know the right way to determine
> whether it is so or not. I would be glad if anyone would be so kind as to help us
> solve this issue.
> The machines have the IPv4 addresses: 18.104.22.168 (BIND version 9.9.4) and
> 22.214.171.124 (BIND version 9.9.5-r3) and have to resolve hostnames only
> for ISP customers (and refuse to resolve for others), BUT we want to be
> able to resolve our specific zones like vtt.net for anybody trying, in case
> of authoritative nameserver failures.
Stopping right here: recursive lookup and authoritative services are
completely different services and require different servers
(preferably; you could run multiple instances of nameservers on a
single server, but that can get ugly).
Your two recursive servers should remain as recursive servers, only
giving replies to your customer base. When you start running DNSSEC,
this becomes even more important: a recursive server running as an
authoritative server for a zone cannot give a proper DNSSEC reply when
asked about zones carried in its config.
Rather keep things simple.
I would presume that you have multiple authoritative servers for your
"vtt.net" domain. If you need more redundancy, add in more authoritative
nameservers or, better still, an anycast instance. Even your local
authoritative nameservers should ask your recursive servers when they
need to look up information that is not part of the zones they manage.
Enough of the preaching.
If you were to run IPv6, a number of errors would disappear; otherwise
force BIND not to do any IPv6. Adding IPv6, though, would be preferable. ;-)
I don't think, though, that any of this is causing your problem. You could
always upgrade your version of BIND. On my Gentoo laptop I'm running
BIND 9.11.0-P3, so you are a bit behind.
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
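The split Mark recommends, written out as two named.conf fragments: an added example for this thread, not configuration from the original poster or from the BIND project. The ACL prefixes, listen addresses and file names are constructed placeholders; the zone name vtt.net is the one from the question. The first fragment is what the two customer-facing resolvers should look like (recursion only for the customer ACL, no authoritative zones, IPv6 listener off as a stopgap), the second is a separate authoritative host for vtt.net that answers anyone but never recurses.

```conf
// ---- File 1: named.conf on each recursive resolver (customer-facing) ----
// Weak pattern being replaced: "recursion yes;" with no allow-recursion
// restriction, plus a "zone vtt.net { type master; ... }" on the same server.
// That makes an open resolver (amplification target) and breaks DNSSEC answers
// for the locally served zone, as the reply explains.

acl "customers" {
    192.0.2.0/24;        // constructed placeholder: customer prefix 1
    198.51.100.0/24;     // constructed placeholder: customer prefix 2
    localhost;
};

options {
    directory "/var/named";
    listen-on { 203.0.113.53; };   // placeholder: this resolver's own IPv4
    listen-on-v6 { none; };        // no IPv6 listener until IPv6 is deployed;
                                   // start named with "-4" to stop it sending
                                   // queries over IPv6 as well
    recursion yes;
    allow-query       { customers; };   // refuse everything from outside the ISP
    allow-recursion   { customers; };
    allow-query-cache { customers; };
    dnssec-validation auto;
};

// Deliberately NO "zone vtt.net" here: the resolver learns vtt.net from the
// authoritative servers like any other zone, so validation works normally.

// ---- File 2: named.conf on a separate authoritative server for vtt.net ----
options {
    directory "/var/named";
    listen-on { 203.0.113.54; };   // placeholder: authoritative server IPv4
    listen-on-v6 { none; };
    recursion no;                  // authoritative only; never resolve for anyone
    allow-query { any; };          // the zone data is public
    allow-transfer { none; };      // override per zone below
};

zone "vtt.net" {
    type master;
    file "vtt.net.zone";           // placeholder file name
    allow-transfer { 203.0.113.55; };   // placeholder: the secondary's address
};
```

Redundancy for vtt.net then comes from adding more authoritative hosts (type slave, pulling from 203.0.113.54) rather than from letting the resolvers carry the zone. After changing either file, `named-checkconf` validates the syntax before a reload.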