Help - Bind 9.3.2 die after run several days
Alex Tang
alextang at cms.hkcable.com
Tue Mar 21 03:52:43 UTC 2006
Hi All
We are an ISP. I have upgraded my cache-only DNS from bind 8.3.7 to bind 9.3.2. The new bind's performance is very good, but it dies after running for several days, during busy hours. Would you give me any idea on how to tune bind, or does my chroot procedure have some problem?
thx very much
DNS type: bind 9.3.2, cache only
Run in a chroot with 2 CPUs:
/bind.9.3.2/usr/local/sbin/named -u dns -t /bind.9.3.2 -n 2
Compiled with multi-thread support and IPv6 disabled:
./configure --prefix=/bind.9.3.2/usr/local --disable-ipv6 --enable-threads --sysconfdir=/etc --localstatedir=/var
Server platform:
SunOS dns 5.8 Generic_108528-27 sun4u sparc SUNW,Sun-Fire-V210
2 CPUs
2G physical memory
Checked by top: bind uses about 800M, with 700M physical memory remaining
Swap memory remaining: 4.7G
Disk space used: 50% only
Checked by prstat:
PROCESS/NLWP
named/7
CPU usage about 48% - 50% during busy hour
Number of queries about 400 - 500 during busy hour
Network traffic about 2.5M outgoing and 1.8M incoming during busy hour
When it dies, I cannot find any error message in the log;
only this message in the query log:
no more recursive clients: quota reached
My chroot procedure is referenced from
http://cookbook.linuxsecurity.com/sp/bind9_20010430.html#BM2__Setup_chroot_and_install_BIND
The major differences in my procedure are the mknod of tcp and udp, ldd named, etc.
This is my chroot procedure:
===================================
Chroot Procedure for BIND 9.3.2 in Solaris 8
The following steps assume use of the C-Shell. We start by setting a variable for the chroot environment (jail) location, and setting umask so that all files copied can be read by both groups and world. These commands are designed to be copied and pasted.
1. Set destination directories for chroot jail, everything will be installed in subdirectories of this tree.
csh
unset noclobber
set jail='/bind.9.3.2';
umask 022;
2. Set up empty directories and links for chroot environment:
cd /
mkdir -p /bind.9.3.2
cd /bind.9.3.2/
mkdir -p {dev,opt,usr,var,etc};
mkdir -p var/{run,log,named} usr/lib;
mkdir -p usr/local/etc
mkdir -p usr/share/lib/zoneinfo;
3. Create a user and group account for BIND:
groupadd dns;
useradd -d /bind.9.3.2 -s /bin/false -g named -c "BIND daemon" -m dns
Create an identical user and group account within the chroot:
grep dns /etc/passwd >> /bind.9.3.2/etc/passwd
grep dns /etc/shadow >> /bind.9.3.2/etc/shadow
grep dns /etc/group >> /bind.9.3.2/etc/group
Don't allow the BIND account to use ftp:
echo "dns" >> /etc/ftpusers
4. Install the bind distribution
cd /home/installation/bind-9.3.2
./configure --prefix=/bind.9.3.2/usr/local --disable-ipv6 --enable-threads --sysconfdir=/etc --localstatedir=/var
make install
5. Copy system files needed to the chroot environment
cd /bind.9.3.2
cp /etc/{syslog.conf,netconfig,nsswitch.conf,resolv.conf,TIMEZONE} /bind.9.3.2/etc
Use ldd to see what shared object libraries named relies on:
ldd /bind.9.3.2/usr/local/sbin/named
# ldd /bind.9.3.2/usr/local/sbin/named
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libthread.so.1 => /usr/lib/libthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
cp -p /usr/lib/libnsl.so.1 \
/usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
/usr/lib/libthread.so.1 /usr/lib/libpthread.so.1 \
/usr/lib/libdl.so.1 /usr/lib/libmp.so.2 \
/usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1 \
/bind.9.3.2/usr/lib
Copy over Timezone files
mkdir -p /bind.9.3.2/usr/share/lib/zoneinfo;
cp -p -R /usr/share/lib/zoneinfo/ /bind.9.3.2/usr/share/lib/
Create a loop-back for syslog.
mkdir /bind.9.3.2/etc/.syslog_door
mount -F lofs /etc/.syslog_door /bind.9.3.2/etc/.syslog_door
Create a directory for DNS data; we assume it is in /var/named:
mkdir -p /bind.9.3.2/var/named/system
6. Setting up DNS Data Files
cp -p /home/installation/new_dns/named.conf /bind.9.3.2/etc/
cp -p /home/installation/new_dns/rndc.conf /bind.9.3.2/etc
cp -p /home/installation/new_dns/rndc.key /bind.9.3.2/etc
cp -p /home/installation/new_dns/db.cache /bind.9.3.2/var/named/system/
cp -p /home/installation/new_dns/db.127.0.0 /bind.9.3.2/var/named/system/
7. Setting Jail Permissions
Next, we set permissions on files, so that root owns files and named can read all files and write some files. Then, disable any SUID/SGID files.
The PID file is put in /var/run and not /usr/local, because we don't want the named user to be able to write to /usr/local/etc (and hence named.conf). The location of the PID file is specified in named.conf.
cd /bind.9.3.2
chgrp -R dns *
# remove group write from var, write access to opt and usr
chmod -R g-w var;
chmod -R a-w opt usr;
chmod 770 /bind.9.3.2/var/named;
touch /bind.9.3.2/var/run/named.pid
touch /bind.9.3.2/var/log/debug_dns.log
touch /bind.9.3.2/var/log/event_dns.log
touch /bind.9.3.2/var/log/query_dns.log
touch /bind.9.3.2/var/log/named.memstats
touch /bind.9.3.2/var/log/named.stats
touch /bind.9.3.2/var/log/named.db
chown dns:dns /bind.9.3.2/var/log/* /bind.9.3.2/var/run/named.pid;
chgrp -R dns /bind.9.3.2/var/log /bind.9.3.2/var/run;
chmod 774 /bind.9.3.2/var/run /bind.9.3.2/var/log;
chmod -R o-r /bind.9.3.2/var/run /bind.9.3.2/var/log;
# Allow named to access BIND config file:
chgrp named /bind.9.3.2/etc;
chown root:dns /bind.9.3.2/etc/named.conf;
chmod 644 /bind.9.3.2/etc/named.conf;
chown root:dns /bind.9.3.2/etc/rndc.*;
chmod 644 /bind.9.3.2/etc/rndc.*;
chmod 755 /bind.9.3.2/etc;
# Remove SUID or SGID bits, if any exist:
find . -type f -exec chmod ug-s {} \;
# Remove world access:
chmod -R o-w * /bind.9.3.2/usr
8. Set up devices for communication, console, syslog, etc.
cd /bind.9.3.2/dev
mknod tcp c 42 0
mknod udp c 41 0
mknod log c 21 5
mknod null c 13 2
mknod zero c 13 12
chgrp sys null zero
chmod 666 null
mknod conslog c 21 0
mknod syscon c 0 0
chmod 620 syscon
chgrp tty syscon
chgrp sys conslog
On Solaris 8, provide access to /dev/random, by
cd /bind.9.3.2/dev
mknod random c 35 0
chgrp sys random
chmod 644 random
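An added sanity check, not part of the original post: a POSIX sh function (not csh, which the procedure above uses) that verifies a jail built by these steps before named is started in it. It takes the jail path and the library list from the ldd output above as arguments and counts what is missing or mis-permissioned.

```shell
#!/bin/sh
# Added example, not from the original post. Verify a BIND chroot jail
# built by the procedure above. Usage:
#   check_jail /bind.9.3.2 /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1 ...
# The jail path is an argument so the check can run against any tree.
# Prints each problem found and returns the problem count (0 = consistent).
check_jail() {
    jail=$1; shift
    problems=0
    # 1. every shared object ldd listed must have been copied into $jail/usr/lib;
    #    a library left out of the cp step makes named fail at exec inside the jail
    for lib in "$@"; do
        base=$(basename "$lib")
        if [ ! -f "$jail/usr/lib/$base" ]; then
            echo "missing library: $jail/usr/lib/$base"
            problems=$((problems + 1))
        fi
    done
    # 2. the character devices the mknod steps create must be present
    for dev in tcp udp log null zero random; do
        if [ ! -c "$jail/dev/$dev" ]; then
            echo "missing device node: $jail/dev/$dev"
            problems=$((problems + 1))
        fi
    done
    # 3. named.conf must not be writable by group or world
    if [ -f "$jail/etc/named.conf" ]; then
        if [ -n "$(find "$jail/etc/named.conf" \( -perm -0002 -o -perm -0020 \))" ]; then
            echo "named.conf is group- or world-writable"
            problems=$((problems + 1))
        fi
    fi
    # 4. no SUID/SGID files may remain anywhere inside the jail
    find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | while read -r f; do
        echo "SUID/SGID file in jail: $f"
    done
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' ')
    problems=$((problems + suid))
    return "$problems"
}
```

Run it as root against the real jail after step 8; device nodes cannot be created by an unprivileged user, so a tree built without them reports six missing devices.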