DNS High CPU Loads, any ideas why??

Ray Bush rbush at scryptography.com
Fri May 19 11:27:20 UTC 2000


You might want to try turning up the debugging levels first and see what
syslog/messages logs show.

Second, you might want to perform a named dump and see what kind of information the
nameserver is serving.  Are you using any wildcard records?  There might be some
sort of lookup loop, as this can happen when these kinds of records are done
wrong.

You might want to look for suspicious ports or open files also, a good program
for this is lsof.  See if the CPU load is being induced by some other resource
filling up such as file descriptors or memory (use top or vmstat).

As a last resort, if I hadn't found anything obvious by then, I'd fire up tcpdump,
snoop, ethereal, or ntop and take a look at some samples of your traffic when the
problem is occurring.

Howard Leadmon wrote:

>    Several weeks ago for whatever reason, I found out my two main DNS
> servers started using 100% CPU and became sluggish at responding to its
> requests.  The DNS was running on a couple dual CPU Sparc 10's and 20's
> I had at the office, but prior to this they were only using maybe 10-15%
> CPU tops.  I replaced my primary server with a modern day Intel PII based
> machine running under BSD, but even that box is now running 70% CPU at
> most times.
>
>  What's strange is at times the DNS servers will only use a couple % of
> the CPU for some period of time, and then just change and peg the processor
> for days at a time.  I can't find any logical reason why it will be running
> along at say 3-5% CPU on the box for a day or two, then jump to 70%+ for
> days out of the blue.
>
>  This almost stinks of some type of DoS attack, and I added router filters
> to block all outside packets to the general public to all but UDP on port 53.
> I was using BIND-8.2.2p5, and even tried the new RC3 of 8.2.3, but the same
> results.  When I look at IP traffic load on the switch ports going to the
> nameservers, things seem OK with peak traffic at maybe 100kbps, so not like
> some major UDP smurf hitting the servers either.
>
>  I guess I am wondering has my DNS loading just gotten to the point that I
> need boxes like Intel SMP 700mhz PC's just to do my DNS, or has someone
> found a way to make my life miserable by DoSing my DNS servers.  Has anyone
> run into this problem before??  Also anyone have any good ideas on how to
> try and figure out what's up with this before I go crazy??   I have enough
> DNS knowledge to run a good nameserver, but as for trying to track this one
> down I will admit I am a bit lost, so any hints, pointers, or suggestions
> would be most appreciated...
>
> ---
> Howard Leadmon - howardl at abs.net - http://www.abs.net
> ABSnet Internet Services - Phone: 410-361-8160 - FAX: 410-361-8162
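
Added example, not part of the original message or of BIND: one way to summarize the traffic samples suggested above, so that a single client or a single repeated question (as a lookup loop would produce) stands out even when total bandwidth looks normal. It assumes the text output of a modern `tcpdump -n` on port 53; the sample lines, addresses and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Matches DNS *queries* (destination port 53) in `tcpdump -n` text output.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ (?:IP )?(?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"\S+\.53: \d+[+%*-]*(?: \[\S+\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

# Constructed sample capture (documentation address ranges).
SAMPLE = """\
11:27:20.104211 IP 192.0.2.10.53211 > 198.51.100.53.53: 4242+ A? www.example.com. (33)
11:27:20.104987 IP 203.0.113.7.1031 > 198.51.100.53.53: 17+ MX? foo.bar.example.net. (37)
11:27:20.105530 IP 203.0.113.7.1031 > 198.51.100.53.53: 18+ MX? foo.bar.example.net. (37)
11:27:20.106002 IP 203.0.113.7.1031 > 198.51.100.53.53: 19+ MX? FOO.bar.example.net. (37)
11:27:20.106400 IP 198.51.100.53.53 > 203.0.113.7.1031: 19 1/0/0 MX mail.example.net. 10 (60)
11:27:21.000150 IP 203.0.113.7.1031 > 198.51.100.53.53: 20+ MX? foo.bar.example.net. (37)
11:27:21.200000 IP 192.0.2.44.40000 > 198.51.100.53.53: 9+ [1au] AAAA? ns1.example.org. (44)
"""


def summarize(lines, top=3, repeat_share=0.5):
    """Count queries per second, per source, and per (qname, qtype)."""
    per_second, sources, questions = Counter(), Counter(), Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # responses and anything that is not a DNS query
        per_second[m["ts"]] += 1
        sources[m["src"]] += 1
        # DNS names are case-insensitive, so fold case before counting.
        questions[(m["qname"].lower(), m["qtype"])] += 1
    total = sum(sources.values())
    # A question that makes up most of the sample points at a loop or a
    # misbehaving client rather than ordinary load growth.
    dominant = [q for q, n in questions.items() if total and n / total >= repeat_share]
    return {
        "total": total,
        "peak_second": max(per_second.items(), key=lambda kv: kv[1], default=None),
        "top_sources": sources.most_common(top),
        "top_questions": questions.most_common(top),
        "dominant_questions": dominant,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```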



