Hi Ricky,

Try running a "dig +trace www.nhc.noaa.gov", then query each record in the chain and see which one's slow to respond. I don't see anything crazy in your named.conf. Something you didn't mention: does clearing cache make a difference?

John

--
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu

On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB) <ricky.leves...@snb.ca> wrote:
> Good day,
>
> I’ve been having an interesting issue with BIND and wondering if anyone has
> had this before or knows how to fix it.
>
> The issue is,
>
> I have 2 recursive/caching DNS servers running BIND
> 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this particular
> domain.
>
> Noaa.gov (as well as its sub domains. Specifically – www.nhc.noaa.gov )
>
> By slow I mean, it takes approximately 3500ms to query while most other
> domains take less than 100ms to query.
>
> What’s worse, the domains (noaa.gov) become unqueryable after a few hours
> or a day and I need to clear the DNS servers cache to allow it to work
> again.
>
> The domains have very very low TTLs (30s) and use DNSSEC
>
> Error:
>
> ##dig www.nhc.noaa.gov
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.nhc.noaa.gov.              IN      A
>
> Fixes I have attempted so far:
>
> Reboot servers (2 centos servers running on vmware)
> Update system
> Try a default config file
> Updated vmware tools
> Clear DNS cache (temporary fix)
> Checked firewall for abnormal data
> Updated root hints
>
> Config:
>
> acl internal {
>         *removed*;
>         localhost;
> };
>
> options {
>         listen-on port 53 { *removed*;
>                 127.0.0.1;
>                 ;
>         };
>         listen-on-v6 port 53 { none;
>                 #::1;
>         };
>         directory "/var/named";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>         dnssec-enable no;
>         dnssec-validation no;
>         dnssec-lookaside auto;
>
>         // Conform to RFC1035
>         auth-nxdomain no;
>
>         // Allowed Port Ranges
>         use-v4-udp-ports { range 32768 65535; };
>         use-v6-udp-ports { range 32768 65535; };
>         recursive-clients 15000;
>         server-id none;
>         version none;
>         interface-interval 0;
>         allow-query { internal;
>         };
>         allow-recursion { internal;
>         };
>         max-ncache-ttl 3600;
>         allow-query-cache { internal;
>         };
> };
>
> logging {
>         channel default_debug {
>                 syslog local4;
>                 severity debug;
>         };
> };
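
An added example, not part of the original thread: a small shell helper for the "dig +trace, then see which step is slow" check suggested in the reply above. It reads the per-step ";; Received ... in N ms" lines of `dig +trace` output and flags steps above a threshold. The function names, the 500 ms threshold and the sample trace (placeholder server names, documentation addresses, invented timings) are assumptions made for the example.

```shell
#!/bin/sh
# Live use (needs network):  dig +trace www.nhc.noaa.gov | trace_latency 500

# trace_latency [THRESHOLD_MS]
# Reads `dig +trace` output on stdin and prints one line per delegation step:
#   <ms> TAB <server that answered> TAB <owner of first record returned> TAB SLOW|ok
trace_latency() {
    awk -v limit="${1:-500}" '
        # First record line of a step: its owner name is what that step returned.
        /^[^;]/ && NF >= 5 && owner == "" { owner = $1 }
        # Step trailer: ";; Received 525 bytes from ADDR#53(NAME) in 23 ms"
        /^;; Received [0-9]+ bytes from / {
            server = $6
            sub(/^[^(]*\(/, "", server)     # keep only the name inside "(...)"
            sub(/\)$/, "", server)
            flag = ($8 + 0 > limit + 0) ? "SLOW" : "ok"
            printf "%d\t%s\t%s\t%s\n", $8, server, owner, flag
            owner = ""
        }
    '
}

# slowest_hop [THRESHOLD_MS]: print only the step with the highest response time.
slowest_hop() {
    trace_latency "${1:-500}" | sort -rn | head -n 1
}

# Constructed sample of `dig +trace` output (not captured from a real server).
sample_trace() {
cat <<'EOF'
.                   518400  IN  NS  ns-root.placeholder.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

gov.                172800  IN  NS  ns-gov.placeholder.
;; Received 525 bytes from 192.0.2.1#53(ns-root.placeholder) in 23 ms

noaa.gov.           86400   IN  NS  ns-noaa.placeholder.
;; Received 310 bytes from 192.0.2.2#53(ns-gov.placeholder) in 31 ms

www.nhc.noaa.gov.   30      IN  A   203.0.113.10
;; Received 120 bytes from 192.0.2.3#53(ns-noaa.placeholder) in 3412 ms
EOF
}

# Demonstration on the constructed sample.
sample_trace | trace_latency 500
```

Each server flagged SLOW can then be queried directly with `dig @<server> www.nhc.noaa.gov` to confirm where the delay sits.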