This might be a dumb answer, but as the machine is part of a virtual server, perhaps you have simply run out of entropy? I know it's a Resolver... but isn't BIND perhaps using Entropy to randomly talk on different ports to get answers?
What about installing the 'haveged' package, www.irisa.fr/caps/projects/hipsor
I don't see this doing any harm. I've personally found that not doing this on Virtual machines just makes them 'choke up'.

On Tue, 2014-03-25 at 13:20 -0500, Jason Brandt wrote:
> Cathy,
> Thank you for your comments. I will continue to investigate, it
> helps to have avenues to look down though.
>
> As far as build version, we are aware that we aren't at current stable
> release. However we've tried to stick to the distro release as much
> as possible, to help streamline patching. But if this continues to be
> an issue, it's something we will definitely consider.
>
> The thing that's strange to me, is that we can mostly alleviate the
> symptoms, by using a forwarder. Currently I'm using an internal
> Windows 2003 server in the same subnet, on the same switch, to forward
> through, however I was previously using 8.8.8.8, and it was behaving
> well too. It seems to happen worst when simply using the root hints.
>
> Rndc recursing doesn't seem to be much help. The queries are all
> over, including google, adobe, amazon, microsoft, etc, as a
> combination of A/AAAA/PTR/TXT records, from a variety of different
> clients on different subnets and in different firewall zones. At a
> glance, I don't see any correlation.
>
> Again, I'll keep investigating, and appreciate all the input!
>
> Jason
>
> On Tue, Mar 25, 2014 at 12:34 PM, Cathy Almond <cat...@isc.org> wrote:
> > Packet tracing and/or looking at rndc recursing is good - then you'll
> > see which client queries are waiting for answers from
> > authoritative servers.
> >
> > Depending on what you've upgraded from, this might be a problem with
> > whether or not your infrastructure can handle EDNS0 and large packet
> > sizes. Newer versions of BIND set the DO bit by default on the iterative
> > queries, so perhaps some servers are sending back larger responses than
> > you were receiving before. It's worth checking that your network
> > infrastructure can handle both EDNS0 and large UDP packet sizes (and DNS
> > queries via TCP of course too). See
> > https://www.dns-oarc.net/oarc/services/replysizetest
> >
> > I should also comment that the distro BIND 9.8 that you're using isn't
> > the current ISC version, so you're missing out on recent fixes - you
> > might be better off with a self-build of 9.8.7-W1 or 9.8.5-W1:
> > http://www.isc.org/downloads/
> >
> > These also might be helpful:
> >
> > https://kb.isc.org/article/AA-00771/46/Which-version-of-BIND-do-I-want-to-download-and-install.html
> >
> > https://kb.isc.org/article/AA-00768/46/Getting-started-with-BIND-how-to-build-and-run-named-with-a-basic-recursive-configuration.html
> >
> > HTH
> >
> > Cathy
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users
> > to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Jason K. Brandt
> Systems Administrator

--
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       m...@posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590 Cell: +27 82 601 0496