Bind + pf

Barry Finkel b19141 at achilles.ctd.anl.gov
Mon Apr 4 14:37:33 UTC 2005


"Ytzhak Levy" <ytzhak at bsdmail.com> wrote:

>We have a primary and a secondary nameserver.
>
>The primary is on a Windows 2003 (not because of me), the secondary is a
>BIND 9.3 on a FreeBSD 5.3 STABLE.
>
>The primary nameserver doesn't work very well (windows...) and sometimes
>has a huge response time to queries (about 3 or 4 seconds).
>
>The secondary nameserver has a good response time to queries (to outside as
>well) but sometimes, without apparent reason, stops. Also I notice,
>after tcpdumping, that the primary nameserver sends a lot of UDP packets
>which causes a high CPU usage by the bind process (about 50, 70%).  The
>packets are DNS queries, but the traffic is *very* high. As if the
>primary nameserver doesn't respond to any query.
>
>The firewall (pf, on an OpenBSD) permits all traffic from any port
>from the nameservers to port 53 on any host in the outside. It also permits
>from any port in the outside to port 53 on the nameservers. There are only
>these 2 rules about the nameservers and the outside world. I think that is
>enough.
>
>The secondary nameserver was placed on another link with a valid IP
>address, only being a resolver, and runs fine.
>
>My questions:
>
>1 - does Windows DNS have an interaction problem with bind?
>2 - did I forget some additional rule about the name servers in pf.conf?
>3 - is this much traffic between primary and secondary nameserver normal?

I know of no problems with MS W2k DNS interoperability with BIND in
this area.  I have no experience with response times on a W2k DNS
Server, because our W2k+3 DNS Server is a "hidden" master, and very
few machines, if any, query it.  

You say that the MS DNS sends lots of UDP packets to the BIND server.
Have you gotten any sniffer trace on the BIND server to see what is
contained in these packets?  Do you have full logging enabled on the
MS DNS Server?  If so, is there anything unusual in the dns.log file?
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
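As an added example (not from either poster), here is how the two pf rules Ytzhak describes could be written in pf.conf, with `log` added so that the packets Barry asks about can be inspected on the pflog interface; the interface name and the 192.0.2.x addresses are assumed placeholders.

```pf
# Added example, not from the thread. Placeholders: fxp0 is the assumed
# external interface; 192.0.2.10 / 192.0.2.11 stand in for the primary
# (Windows 2003) and secondary (BIND 9.3) nameservers.
ext_if      = "fxp0"
nameservers = "{ 192.0.2.10, 192.0.2.11 }"

# Rule 1: nameservers, from any source port, to port 53 on any outside host.
# DNS uses UDP for queries and TCP for zone transfers and large answers, so
# both protocols are listed. "log" copies matching packets to pflog0.
pass out log quick on $ext_if proto { tcp, udp } \
    from $nameservers to any port 53 keep state

# Rule 2: any outside host, from any source port, to port 53 on the nameservers.
pass in log quick on $ext_if proto { tcp, udp } \
    from any to $nameservers port 53 keep state
```

With these rules loaded, `tcpdump -n -e -ttt -i pflog0 port 53` on the firewall shows which rule each logged DNS packet matched and its source and destination, which is the sniffer trace Barry suggests collecting.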