Strange BIND9 issue

Brad Knowles brad at stop.mail-abuse.org
Wed Jan 12 02:22:13 UTC 2005 

At 7:42 PM -0600 2005-01-11, Will Yardley wrote:

>  radon: 04:56pm# while true ; do dig yahoo.com @66.33.216.127 | grep 
>Query  ; done
>  ;; Query time: 790 msec
>  ;; Query time: 868 msec
>  ;; Query time: 753 msec
>  ;; Query time: 798 msec
>  ;; Query time: 982 msec
>  ;; Query time: 1178 msec
>  ;; Query time: 1284 msec
>  ;; Query time: 1291 msec
>  ;; Query time: 1208 msec
>  ;; Query time: 738 msec

	You're completely by-passing the local caching BIND nameserver 
here.  You're going directly the the nameserver specified in the 
command line, and the local copy of BIND is not involved at all. 
Unless that is the public IP address of your machine, but then 
queries to 127.0.0.1 or the public IP address should be going to the 
same copy of BIND running on the same machine, and I don't understand 
why this would result in the kind of difference you're seeing.

	Have you seen this kind of behaviour regardless of which IP 
address you query?

>  If I restart BIND, queries start responding quickly again. I don't see
>  any errors on the interface, and pings (from outside or to the machine
>  itself) don't show any packet loss... I don't think a networking problem
>  is the issue here.

	That's not a valid assumption.  Turn on additional debugging 
within BIND and you should see what's going on.  You can also turn on 
additional debugging within dig, and have it tell you if it's doing 
retransmits or whatever.  If dig is doing retransmits, then your 
queries are getting dropped somewhere, and that might be a network 
issue.

>          recursive-clients 6000;
>          tcp-clients 1500;
>          max-cache-size 150000000;

	Why have you defined these?  Why not make the configuration 
simpler and disable them.  If this fixes your problem, then you know 
where to look.  If not, then you know to look elsewhere.

	Try to eliminate all possible extraneous influences.

>          /* only allow queries from internal networks */
>          allow-query { dh_known_networks; 127.0.0.0/8; };

	Well, that would pretty much kill you from doing queries to the 
external IP address.

>  zone "cbl.abuseat.org" {
>          type forward;
>          forwarders { 127.0.0.1 port 54; 66.33.216.129 port 54; };
>  };
>
>  zone "socks.dnsbl.sorbs.net" {
>          type forward;
>          forwarders { 127.0.0.1 port 54; 66.33.216.129 port 54; };
>  };
>
>  [ some other dnsbls, forwarding to rbldnsd running on port 54).

	Have you tried disabling them?

>  The recursive-clients and tcp-clients setting should be more than
>  enough.

	Maybe.  Maybe not.  It's hard to tell, depending on what all else 
is happening on your box.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.

More information about the bind-users mailing list