dns cache issue

Kevin Darcy kevin.darcy at fcagroup.com
Thu Jan 10 15:17:01 UTC 2019


Offhand, it sounds like your LAN is saturated, so the queries might not be
getting to BIND in the first place, or the replies aren't getting back.
It's unlikely that QoS is going to help this: you indicated that QoS was on
your "router", and that is typical -- usually QoS is found on WAN links.
(Although, on the other hand, you mentioned VoIP, and VoIP sometimes
requires applying QoS at the LAN level too.)

You currently have query logging turned off. If it's not too
resource-intensive, you might want to consider turning that on, to verify
whether the queries are getting to BIND. Or, run a packet capture on the
BIND side. Packet capture on the BIND device should also help to identify
any issues talking upstream (e.g. to TLD servers or auth servers for
domains like google.com). Packet capture on the *client* side would
probably be necessary for definitive proof of whether replies are being
dropped by the LAN (compare what the server sent side-by-side with what the
client saw).

I was intrigued by "server fe80::/16 { bogus yes; }; " in your config. Have
you had issues with IPv6 link-local addresses being associated with
delegated nameservers? I haven't noticed this, but then again, I haven't
been looking for that particular misconfiguration specifically...


                        - Kevin



On Thu, Jan 10, 2019 at 12:06 AM Edwardo Garcia <wdgarc88 at gmail.com> wrote:

> With the new Windows update last day, we notice something strange: our local
> DNS cache server times out on lookups.
>
> For example, lookup google.com; 1 minute later it fails with a timeout looking it up,
> but since it has already looked it up it should have returned the answer from
> cache, yes? google has a 5min TTL, my cache doesn't cache it for even 1ns
> it seems.
>
> QoS on the router gives DNS (udp and tcp) and VoIP highest priority, everything
> else is default. QoS must be working because if I do
> host www.google.com $externalDNSserver   I get an answer pretty much
> right away; immediately try again on our local dns server and it times out,
> can't connect to any servers.
> This continues on; if I drop the LAN port on the switch the windows update
> machine uses, it resolves google.com again; bring back up that port, it
> times out again.
>
> This only happens on congestion, with our cable link maxed out.
>
> (never thought I'd see the day when a windows pc would take out an entire
> network)
>
> Below is my named.conf. I have to be missing something?
>
> BIND 9.11.2-P1
> running on Linux i686 3.16.58 #1 SMP Sat Sep 29 11:06:24 AEST 2018
> built by make with defaults
>
> acl "trusted" { localhost; 198.162.100.0/24; };
> acl "sysop" { localhost; 192.168.100.6; };
>
> options {
>         directory "/var/named";
>         allow-query { trusted; };
>         allow-query-cache { trusted; };
>         allow-transfer { sysop; };
>         transfer-format many-answers;
>         masterfile-format text;
>         interface-interval 0;
>         response-policy {zone "rpz.lan"; };
>         dnssec-enable yes;
>         dnssec-validation auto;
>         empty-zones-enable yes;
> };
>
> server fe80::/16 { bogus yes; };
>
> logging {
>         category lame-servers { null; };
>         category edns-disabled { null; };
>         category client { null; };
>         category dnssec { null; };
>          //channel log_queries { file "/var/named/query.log"; print-category yes; };
>          //category queries { log_queries; };
>         channel log-rpz { file "/var/log/rpz.log" versions 10 25m;
> severity info; };
>         category rpz { log-rpz; };
> };
>
> zone "." {
>         type hint;
>         file "root.cache";
> };
>
> zone "rpz.lan" {
>         type master;
>         file "rpz.lan";
>         allow-query { trusted; };
>         allow-update {none;};
>         notify no;
> };
>
>
> zone "akamai.net" {
>         type forward;
>         forward first;
>         forwarders { xxxxxx; xxxxxx; };
> };
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
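Kevin's suggestion of taking a packet capture on the BIND host and another on the client, then comparing what the server sent with what the client saw, is the step that separates "queries never reach BIND", "BIND never answers" and "replies are dropped on the LAN". The script below is an added illustration of that comparison and is not part of the thread or of BIND itself. It assumes the two captures have already been reduced to raw DNS payloads (for example, `tcpdump -i eth0 -w server.pcap port 53` on each box, then stripping the IP/UDP headers); the hypothetical `correlate()` function pairs queries and responses by transaction ID and name and classifies each lookup, and `served_from_cache()` applies the TTL check from the original post: a second answer for the same name carrying a smaller TTL than the first one was served from cache rather than re-resolved. The packets in `SERVER_CAPTURE` and `CLIENT_CAPTURE` are constructed sample data, not from any real capture.

```python
import struct


def encode_name(name):
    """Encode a dotted name into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a label-format name at offset `off`, following compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_query(txid, qname):
    """Minimal A/IN query with RD set (constructed test traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ipv4, ttl):
    """Minimal response: QR|RD|RA, NOERROR, one A record pointing back at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def parse_message(raw):
    """Extract txid, QR flag, question name and the TTLs of the answer RRs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    qname, off = decode_name(raw, 12)
    off += 4  # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        _, off = decode_name(raw, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", raw[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "ttls": ttls}


def _index(capture):
    """Split a capture into the set of query keys and a dict of response keys -> TTLs."""
    queries, responses = set(), {}
    for raw in capture:
        m = parse_message(raw)
        key = (m["txid"], m["qname"])
        if m["is_response"]:
            responses[key] = m["ttls"]
        else:
            queries.add(key)
    return queries, responses


def correlate(server_capture, client_capture):
    """Classify every lookup the client attempted by where in the path it was lost.

    Both arguments are lists of raw DNS messages (what the resolver's and the
    client's interface each saw). Returns {(txid, qname): status}.
    """
    srv_q, srv_r = _index(server_capture)
    cli_q, cli_r = _index(client_capture)
    result = {}
    for key in sorted(cli_q):
        if key not in srv_q:
            result[key] = "query never reached BIND (dropped on LAN)"
        elif key not in srv_r:
            result[key] = "BIND never answered (check upstream / recursion)"
        elif key not in cli_r:
            result[key] = "reply sent by BIND but dropped on LAN"
        else:
            result[key] = "answered"
    return result


def served_from_cache(first_response, second_response):
    """True when the second answer for the same name has a lower TTL than the first,
    i.e. BIND handed out the cached record instead of re-resolving (a fresh
    resolution would carry the full TTL again)."""
    a, b = parse_message(first_response), parse_message(second_response)
    return a["qname"] == b["qname"] and bool(b["ttls"]) and b["ttls"][0] < a["ttls"][0]


# Constructed sample captures (hypothetical addresses and IDs, not real traffic).
Q1 = build_query(0x1111, "google.com")
R1 = build_response(0x1111, "google.com", "192.0.2.10", 300)   # first lookup: full 5 min TTL
Q2 = build_query(0x2222, "google.com")
R2 = build_response(0x2222, "google.com", "192.0.2.10", 287)   # cache hit: TTL has counted down
Q3 = build_query(0x3333, "example.net")
R3 = build_response(0x3333, "example.net", "192.0.2.20", 3600)
Q4 = build_query(0x4444, "akamai.net")                          # BIND sees it, never answers
Q5 = build_query(0x5555, "example.org")                         # never makes it to BIND

SERVER_CAPTURE = [Q1, R1, Q2, R2, Q3, R3, Q4]
CLIENT_CAPTURE = [Q1, R1, Q2, Q3, R3, Q4, Q5]   # R2 was lost between BIND and the client

if __name__ == "__main__":
    for key, status in correlate(SERVER_CAPTURE, CLIENT_CAPTURE).items():
        print(f"txid=0x{key[0]:04x} {key[1]:<12} {status}")
    print("google.com second answer from cache:", served_from_cache(R1, R2))
```

A lookup that shows up as "reply sent by BIND but dropped on LAN" while the server-side response already has a counted-down TTL is exactly the situation the original post describes: BIND is caching fine, and the loss is on the wire, so tuning `named.conf` will not fix it.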
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20190110/f74e8aed/attachment.html>


More information about the bind-users mailing list