Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp


One of the problems is that these firewalls are going to be replaced soon and 
we don't want to spend too much effort in trying to fix what seems an annoying 
side-effect of something caused by a DNS system. 
We actually captured DNS traffic around our AD server, where we see an 
average of 500 DNS packets/5s in/out in normal conditions; this drops to about 
100 for 20 seconds and then rises to 2000 DNS packets/5sec, causing our 
resolving servers to send a multiple amount of requests to the outside world, 
killing the firewall.
We now changed the settings on the AD server to only use 2 of the resolving 
servers (which have a max recursive clients implemented) and checked the box 
saying that the AD server could do its own lookups if the forwarders are not 
available.  

>Any chance of using network devices (firewalls, intelligent switches) to 
>rate limit connections from the AD/DNS server to the bind server?
>
>Is the odd behavior of the AD/DNS server causing issues with the clients 
>making the original request?  Have you tried tracking down the original 
>source of the query?  Could that be the ultimate source of the traffic 
>burst? 
>
>It seems unlikely that MSDNS would intentionally hold DNS requests.  Have 
>you tried troubleshooting that?




