Hello list,Sorry to bother you but I really need help since I cannot figure out what I am doing wrong. I am trying to set up a new DNS server: it behaves as expected in a test environment, but in a production environment, it seems to get overloaded, the number of recursive clients increases until it reaches recursive-clients, a lot of timeouts occure and the server is no more able to answers to any query. The main clients of this server are spam filters (spamassassin) and mail routers. I have googled for this issue and the only thing I have found that may explain this issue is that our firewalls are mishandling packets fragmentation/size larger than 512 bits. So I have checked this using this thread http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/cfa8c63ec6bd08d6 and it seems everything is fine. So, as a last resort, I bother you... Do you have any hint that would help me to track down what is wrong?
Thank you for your help. Kind regards, cedric. Possibly usefull informations: System: Debian testing Bind version: 9.6.1.dfsg.P1-1 --------%<--------%<--------%<--------%<--------%<--------%<--------%<-------- named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. //// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------
named.conf.options
logging {
channel debug {
file "/tmp/debug";
severity debug 2;
print-category yes;
print-time yes;
print-severity yes;
};
category default {
debug;
};
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses
replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; // conform to RFC1035
// listen-on-v6 { any; };
allow-transfer {
X.X.X.X;
Y.Y.Y.Y;
};
allow-query-cache { any; };
allow-recursion { any; };
querylog yes;
recursive-clients 2000;
};
--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
// include "/etc/bind/zones.rfc1918";
include "/etc/bind/zone.hint";
include "/etc/bind/zones.rfc1912";
include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.master";
include "/etc/bind/zones.slave";
--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------
/etc/default/bind9
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind"
--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------
# dig +norec +dnssec www.google.com @a.root-servers.net
; <<>> DiG 9.6.1-P1 <<>> +norec +dnssec www.google.com @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55758
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.google.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN A 192.33.14.30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
;; Query time: 10 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb 8 15:03:49 2010
;; MSG SIZE rcvd: 531
--------%<--------%<--------%<--------%<--------%<--------%<--------%<--------
# dig +dnssec +norec +ignore dnskey se @A.NS.se
; <<>> DiG 9.6.1-P1 <<>> +dnssec +norec +ignore dnskey se @A.NS.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26467
;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se. IN DNSKEY
;; ANSWER SECTION:
se. 3600 IN DNSKEY 256 3 5
AwEAAcw0ItlUtYfr5Ioq7lGRL2Z5ktMVViXawp91+aXJrk/AEM+m2Kh0
ql63TqgXD0EtqO48BnEOKB5vrKXkORIrq1J23XgVoVmnQWg8iLPFzw8b
h5IBRgCCAdwNUKvv/Q/bgBgTYYMxdGrUzClLNAZ0zMutj/9X3hazjFxy OxVddwRr
se. 3600 IN DNSKEY 256 3 5
AwEAAdWp++Y+hjEa/0eRobZT9hWJnxFKXaG/HKrlAFfC69Yd7x5nXQBn
l1+Ipgc8TYuTaUYCzkS4mu21cDvHn4sHO5HEdbIbwh+iJw6DVBDKVOMA
nQC/m6UVCjB6hgdNgWm20t7QxpqwmZTxtTZvk6pUkzmkX6o0X3yeaSB2 JEDwgsGV
se. 3600 IN DNSKEY 257 3 5
AwEAAeeGE5unuosN3c8tBcj1/q4TQEwzfNY0GK6kxMVZ1wcTkypSExLC
BPMS0wWkrA1n7t5hcM86VD94L8oEd9jnHdjxreguOZYEBWkckajU0tBW
wEPMoEwepknpB14la1wy3xR95PMt9zWceiqaYOLEujFAqe6F3tQ14lP6
FdFL9wyCflV06K1ww+gQxYRDo6h+Wejguvpeg33KRzFtlwvbF3AapH2G
XCi4Ok2+PO2ckzfKoikIe9ZOXfrCbG9ml2iQrRNSM4q3zGhuly4NrF/t
9s9jakbWzd4PM1Q551XIEphRGyqcbA2JTU3/mcUVKfgrH7nxaPz5DoUB 7TKYyQgsTlc=
se. 3600 IN DNSKEY 256 3 5
AwEAAb/vMpi2PrRQEFzo8S2A7uz2m/xdZ+39yiEBaFfxSg5nY8RN+nrQ
ixVoMWrvOzVZtig05rwWKCXmvvX5fiXpHpPtpyKUArmYHVPk730g4T8R
3qnioMWDrp0Iwl4eu+CyzFhlH8dpVkgFnBV73D5Ip5Wp82MoYiBzL+zl m4YebNKx
se. 3600 IN RRSIG DNSKEY 5 1 3600
20100212235600 20100206062318 64656 se.
y9bI9ADoG4HaF2QdLdGsRMt9B1PFrlpPpQYUCziXIP1+HtPIRH96toHH
ZJ1sWCn0DPsOxaiShL3voETtr9x7tl87qdaSJM1kr96Ivbim+06MKf2J
wi8ocrKrGOX4QGXBgmpUBBpDHWKq4zrt0ViYJ17CpZMkWPXUo+/6BupR 1PM=
se. 3600 IN RRSIG DNSKEY 5 1 3600
20100314000000 20100202085826 8779 se.
yA7sRAwnUTF6am9IlxmGF828jaWeNCRwf/QUozFYuTRspad3iFzx4u4i
XkhOrDv4jCtTfYBT5JOhLlB1Yg2C6sP9VKrLEMFkDDNQwpn4OmVkZTRK
ZoxPuAnIhs1uHOFPhqRr/5AFMtngYJH66UWGbPv8KFJd4gHb0tNSR2SZ
1zbDpxYA6gg14j7a7b/bHqqqNoNse46k5SYyypWe+N+ihS4+QPI29pdx
JcdF8mgu9xJdcmZUgrrOTBnWqjcYaGpfy07oixi32QLa7bcBPr0CZ43d
a4hWDDbJO3COdux6TamQsDahSB7qoOa/u7OW3gprNQqykuShU8cVmYVF oqyNyg==
;; Query time: 48 msec ;; SERVER: 192.36.144.107#53(192.36.144.107) ;; WHEN: Mon Feb 8 15:04:52 2010 ;; MSG SIZE rcvd: 1203 --------%<--------%<--------%<--------%<--------%<--------%<--------%<-------- Log extract: ...08-Feb-2010 14:39:56.391 query-errors: debug 1: client X.X.X.X#12695: query failed (SERVFAIL) for 11.94.88.195.dnsbl.sorbs.net/IN/A at query.c:4619 08-Feb-2010 14:39:56.391 query-errors: debug 2: fetch completed at resolver.c:3121 for 11.94.88.195.dnsbl.sorbs.net/A in 30.000143: timed out/success [domain:dnsbl.sorbs.NET,referral:0,restart:1,qrysent:13,timeou
t:12,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]08-Feb-2010 14:39:56.392 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for euro-index.be/IN/A at query.c:4619 08-Feb-2010 14:39:56.392 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be/A in 30.000085: timed out/success [domain:.,referral:0,restart:1,qrysent:11,timeout:10,lame:0,neterr:0,badresp:
0,adberr:0,findfail:0,valfail:0]08-Feb-2010 14:39:56.392 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for euro-index.be/IN/MX at query.c:4619 08-Feb-2010 14:39:56.393 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be/MX in 30.000111: timed out/success [domain:.,referral:0,restart:1,qrysent:11,timeout:10,lame:0,neterr:0,badresp
:0,adberr:0,findfail:0,valfail:0]08-Feb-2010 14:39:56.394 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for 218.208.78.194.dnsbl.sorbs.net/IN/A at query.c:4619 08-Feb-2010 14:39:56.394 query-errors: debug 2: fetch completed at resolver.c:3121 for 218.208.78.194.dnsbl.sorbs.net/A in 30.000152: timed out/success [domain:dnsbl.sorbs.NET,referral:0,restart:1,qrysent:13,time
out:12,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]08-Feb-2010 14:39:56.396 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for 218.208.78.194.zen.spamhaus.org/IN/A at query.c:4619 08-Feb-2010 14:39:56.396 query-errors: debug 2: fetch completed at resolver.c:3121 for 218.208.78.194.zen.spamhaus.org/A in 30.000175: timed out/success [domain:zen.spamhaus.org,referral:0,restart:1,qrysent:22,ti
meout:21,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]08-Feb-2010 14:39:56.396 query-errors: debug 1: client X.X.X.X#48028: query failed (SERVFAIL) for euro-index.be.fulldom.rfc-ignorant.org/IN/A at query.c:4619 08-Feb-2010 14:39:56.396 query-errors: debug 2: fetch completed at resolver.c:3121 for euro-index.be.fulldom.rfc-ignorant.org/A in 30.000098: timed out/success [domain:rfc-ignorant.org,referral:0,restart:4,qrysen
t:4,timeout:3,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]08-Feb-2010 14:39:56.417 query-errors: debug 1: client X.X.X.X#12695: query failed (SERVFAIL) for 11.94.88.195.zen.spamhaus.org/IN/A at query.c:4619 08-Feb-2010 14:39:56.417 query-errors: debug 2: fetch completed at resolver.c:3121 for 11.94.88.195.zen.spamhaus.org/A in 30.000161: timed out/success [domain:zen.spamhaus.org,referral:0,restart:1,qrysent:22,time
out:21,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]08-Feb-2010 14:39:56.418 query-errors: debug 1: client X.X.X.X#12695: query failed (SERVFAIL) for ukrs238770.pur3.net.fulldom.rfc-ignorant.org/IN/A at query.c:4619 08-Feb-2010 14:39:56.418 query-errors: debug 2: fetch completed at resolver.c:3121 for ukrs238770.pur3.net.fulldom.rfc-ignorant.org/A in 30.000102: timed out/success [domain:rfc-ignorant.org,referral:0,restart:4,
qrysent:4,timeout:3,lame:0,neterr:0,badresp:0,adberr:4,findfail:0,valfail:0]08-Feb-2010 14:39:56.479 query-errors: debug 1: client X.X.X.X#35810: query failed (SERVFAIL) for 227.228.181.88.combined.njabl.org/IN/A at query.c:4619 08-Feb-2010 14:39:56.479 query-errors: debug 2: fetch completed at resolver.c:3121 for 227.228.181.88.combined.njabl.org/A in 30.000118: timed out/success [domain:combined.njabl.org,referral:0,restart:1,qrysent:1
1,timeout:10,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]08-Feb-2010 14:39:56.479 query-errors: debug 1: client X.X.X.X#35810: query failed (SERVFAIL) for 3.42.27.212.combined.njabl.org/IN/A at query.c:4619 08-Feb-2010 14:39:56.479 query-errors: debug 2: fetch completed at resolver.c:3121 for 3.42.27.212.combined.njabl.org/A in 30.000156: timed out/success [domain:combined.njabl.org,referral:0,restart:1,qrysent:10,t
imeout:9,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0] ...
<<attachment: cedric_lejeune.vcf>>
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
