allow-recursion slowing server to crawl
Marco C. Coelho
maillist1 at argontech.net
Wed Feb 27 23:32:58 UTC 2013
Just so the list has the same answer,
Mark Andrews was right.
This server was being hammered so hard that logging the rejects was
killing the performance.
Adding:
logging {
    category default { null; };
    //category lame-servers { null; };
};
to named.conf fixed the performance issues.
mc
On 2/27/2013 5:18 PM, Mark Andrews wrote:
> I suspect this is just logging. Send the security channel to null
> for a while. Once your server gets off the "I'm a recursive reflector"
> lists you can turn it on again.
>
> In message <512E7940.7060003 at argontech.net>, "Marco C. Coelho" writes:
>> I discovered my BIND 9 server was being used in a DDoS attack so I
>> decided (late) to block outside networks from making recursive
>> requests. The problem is every time I enable this, the time for DNS
>> queries goes from 0-1ms to 2000-6000ms or just times out completely.
>> The options section is below. I've commented it out so as to enable my
>> network to run.
>>
>> There are thousands of my clients that need recursion from this server.
>> It is also authoritative for many domains.
>>
>> There is a semi busy mail server on this same box that uses DNS as well.
>>
>> I googled this to death with no real suggestions. I've tried it with
>> ACL and without.
>>
>> Any suggestions would be appreciated.
>>
>> Marco
>>
>> acl "internal" {
>>     24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
>> };
>>
>> options {
>>     directory "/var/named";
>>     /*
>>      * If there is a firewall between you and nameservers you want
>>      * to talk to, you might need to uncomment the query-source
>>      * directive below. Previous versions of BIND always asked
>>      * questions using port 53, but BIND 8.1 uses an unprivileged
>>      * port by default.
>>      */
>>     // query-source address * port 53;
>>     recursive-clients 1000;
>>     recursion yes;
>>     //allow-query { any; };
>>     //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
>>     //allow-recursion { "internal"; };
>>     //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost"; };
>>     listen-on-v6 { none; };
>>     listen-on { 24.202.224.2; };
>>     version "8.2.3-REL";
>> };
>>
--
Argon Technologies Inc.
Marco Coelho, President, CEO
POB 875
4612 Wesley St.
Greenville, TX 75402
903-455-5036
903-455-2115 Fax
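Before nulling the whole default category, it helps to measure what the server is actually rejecting, since that also tells you whether the reflector lists are still sending traffic. The script below is an added example, not from the thread or from ISC: it parses the "query (cache) '...' denied" messages BIND 9 writes to the security category (format assumed to be the standard one) from a constructed log sample and counts rejections by source address and by question.

```python
import re
from collections import Counter

# Constructed sample lines in the shape BIND 9 writes for the "security"
# category when allow-recursion / allow-query-cache rejects a client
# (this data is made up for the example, not from the original thread).
SAMPLE_LOG = """\
27-Feb-2013 17:01:02.120 security: info: client 198.51.100.7#33049: query (cache) 'example.com/ANY/IN' denied
27-Feb-2013 17:01:02.121 security: info: client 198.51.100.7#33050: query (cache) 'example.com/ANY/IN' denied
27-Feb-2013 17:01:02.130 security: info: client 203.0.113.9#4112: query (cache) 'isc.org/ANY/IN' denied
27-Feb-2013 17:01:02.200 queries: info: client 10.0.0.5#5300: query: www.example.net IN A + (24.202.224.2)
27-Feb-2013 17:01:02.310 security: info: client 198.51.100.7#33051: query (cache) 'example.com/ANY/IN' denied
27-Feb-2013 17:01:02.400 lame-servers: info: lame server resolving 'foo.example.org' (in 'example.org'?): 192.0.2.53#53
27-Feb-2013 17:01:02.500 security: info: client 203.0.113.9#4113: query (cache) 'isc.org/ANY/IN' denied
"""

# One "denied" line: client <ip>#<port>: query (cache) '<qname>/<qtype>/<qclass>' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)

def parse_denied(lines):
    """Yield one dict per rejected recursive query; other log lines are skipped."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.groupdict()

def summarize_denials(lines, top=5):
    """Count rejected recursive queries by source address and by (qname, qtype)."""
    by_client = Counter()
    by_question = Counter()
    total = 0
    for rec in parse_denied(lines):
        total += 1
        by_client[rec["ip"]] += 1
        by_question[(rec["qname"], rec["qtype"])] += 1
    return {
        "total": total,
        "top_clients": by_client.most_common(top),
        "top_questions": by_question.most_common(top),
    }

if __name__ == "__main__":
    report = summarize_denials(SAMPLE_LOG.splitlines())
    print("rejected recursive queries:", report["total"])
    print("top sources:", report["top_clients"])
    print("top questions:", report["top_questions"])
```

A few sources asking the same ANY question over and over is the reflection pattern; once the counts drop, security logging can be switched back on as Mark suggests.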