BIND 9.3.2 Memory Leak?
Ender Alexander Mujica Díaz
emujica at cantv.net
Wed Jul 26 17:27:41 UTC 2006
Hello,
We are not using the view clause because we do not have multiple views
in our DNSs. We are using the *options* clause and inside it there is
the *max-cache-size* statement in bytes.
http://www.zytrax.com/books/dns/ch7/options.html
The *options* clause groups together statements that have global scope -
the statements apply to all zones or views unless overridden by the same
statement in a view or zone clause. Only one options clause should be
defined in a named.conf file. The options clause can take a serious list
of statements. Full list of statements
<http://www.zytrax.com/books/dns/ch7/statements.html>.
options Clause Syntax
options {
// statements
};
----------------------------------------------------
Here is a sample for the options parameter
options {
	directory "/var/named";
	allow-transfer {
		ww1.xx1.yy1.zz1;
		ww2.xx2.yy2.zz2;
		ww3.xx3.yy3.zz1;
		ww3.xx3.yy3.zz;
	};
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below. Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	// query-source address * port 53;
	//listen-on {
	//	aa.bb.cc.dd;
	//};
	// This is 80% of 2GB in bytes
	max-cache-size 1717986918;
	// This is the max number of recursive clients
	recursive-clients 20000;
	// This is the max number of TCP clients
	tcp-clients 200;
	pid-file "/var/run/named/named.pid";
};
----------------------------------------------------------
from: http://www.zytrax.com/books/dns/ch7/view.html
DNS BIND view Clause
This section describes the view clause available in BIND 9.x. The *view*
clause allows BIND to provide different functionality based on the hosts
accessing it. The view statement can take a serious number of statements
shown below. Full list of statements
<http://www.zytrax.com/books/dns/ch7/statements.html>. A view clause
matches (is invoked) when either or both of its match-clients
<http://www.zytrax.com/books/dns/ch7/view.html#match-clients> and
match-destinations
<http://www.zytrax.com/books/dns/ch7/view.html#match-destinations>
statements match and when the match-recursive-only
<http://www.zytrax.com/books/dns/ch7/view.html#match-recursive-only>
condition is met. If either or both of match-clients and
match-destinations are missing they default to *any* (all hosts match).
All zones supported by each view clause must be defined with the view
clause allowing a view to respond uniquely for each zone if required.
*view Clause Syntax*
view "view_name" [class] {
	[ match-clients { address_match_list } ; ]
	[ match-destinations { address_match_list } ; ]
	[ match-recursive-only { yes | no } ; ]
	// view statements
	// zone clauses
};
*view_name* (a quoted string) is the arbitrary but unique name of this
view. A view clause matches (is invoked) when either or both of its
match-clients
<http://www.zytrax.com/books/dns/ch7/view.html#match-clients> and
match-destinations
<http://www.zytrax.com/books/dns/ch7/view.html#match-destinations>
statements match and when the match-recursive-only
<http://www.zytrax.com/books/dns/ch7/view.html#match-recursive-only>
condition is met. If either or both of match-clients and
match-destinations are missing they default to *any* (all hosts match).
The zones <http://www.zytrax.com/books/dns/ch7/zone.html> that will be
serviced by this *view* must be contained within this view.
The classic example quoted is an alternate implementation of a *split*
or *stealth* DNS configuration on a single server so we will follow in
well trodden steps (see also stealth examples
<http://www.zytrax.com/books/dns/ch6#stealth>):
'split' DNS using views
view "trusted" {
	match-clients { 192.168.23.0/24; }; // our network
	recursion yes;
	zone "example.com" {
		type master;
		// private zone file including local hosts
		file "internal/master.example.com";
	};
	// add required zones
};
view "badguys" {
	match-clients { any; }; // all other hosts
	// recursion not supported
	recursion no;
	zone "example.com" {
		type master;
		// public only hosts
		file "external/master.example.com";
	};
	// add required zones
};
*Notes:*
1. Depending on the required level of security the above
configuration may be deemed vulnerable. If the file system is
compromised then simple inspection of 'named.conf' will allow
penetration of the 'veil of privacy'.
2. *view* is class dependent but the default class is IN (or 'in' -
not case dependent) and has been omitted.
3. The zone files defined in each view do not need to be the same.
4. The required zone files
<http://www.zytrax.com/books/dns/ch7/index.html#required> may
differ in each view e.g. there is no need to provide localhost
zones in the "badguys" view.
5. The zone files for "example.com" are different allowing 'hiding'
of non-public hosts in the "trusted" view.
6. Recursion has been removed in the "badguys" view for performance
and security reasons.
7. 'slave' servers for each zone will see a single 'zone' based on
their IP address i.e. "trusted" or "badguys". However if you
multi-home or 'alias' the IP address on the 'slave' server you can
get both views.
-----------
Joel Nimety wrote:
> Ender Alexander Mujica Díaz wrote:
>
>> Here you can find all about max-cache-size.
>>
>> http://www.zytrax.com/books/dns/ch7/hkpng.html#max-cache-size
>>
>
> I'm not quite sure how to interpret the statement "In a server with
> multiple views, the limit applies separately to the cache of each view".
> If I set max-cache-size in global options what does this mean?
>
> 1) The cache of all views combined cannot exceed max-cache-size
>
> Or
>
> 2) Each view has max-cache-size
>
>
>> We have this parameter in 80% of the physical memory
>>
>> http://cr.yp.to/djbdns/blurb/cache.html
>>
>>
>> Ender Alexander Mujica Díaz wrote:
>>
>
>
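Added example, not from the original post, from BIND, or from the zytrax pages: a small scanner for named.conf text that reports which max-cache-size applies to each view and whether the sum of those caps still fits in physical memory. It assumes the inheritance rule the BIND 9 ARM documents (a view without its own max-cache-size takes the value from options, and the limit is applied separately to each view's cache); the two sample configurations, the function names and the "_default" label for a server without view clauses are constructed for the example.

```python
"""Added example (not from the post, BIND, or zytrax): report the
max-cache-size that applies to each view of a named.conf and check
whether the combined per-view caps fit in physical RAM.  Assumes the
BIND 9 rule that a view inherits options values it does not override."""
import re

TOKEN_RE = re.compile(
    r'/\*.*?\*/'        # block comment
    r'|//[^\n]*'        # C++-style comment
    r'|#[^\n]*'         # shell-style comment
    r'|"[^"]*"'         # quoted string (view names, file names)
    r'|[{};]'           # structural characters
    r'|[^\s{};"]+',     # bare words: keywords, numbers, addresses
    re.S,
)
SUFFIX = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
TWO_GB = 2 * 1024 ** 3


def tokenize(conf):
    """Split named.conf text into tokens, dropping the three comment styles."""
    return [m.group(0) for m in TOKEN_RE.finditer(conf)
            if not m.group(0).startswith(("/*", "//", "#"))]


def parse_size(word):
    """Bytes for a BIND size word ("1717986918", "256M"); None for
    unlimited/default, whose meaning depends on the BIND version."""
    w = word.lower()
    if w in ("unlimited", "default"):
        return None
    if w[-1] in SUFFIX and w[:-1].isdigit():
        return int(w[:-1]) * SUFFIX[w[-1]]
    if w.isdigit():
        return int(w)
    raise ValueError("unrecognized size: " + word)


def cache_limits(conf):
    """Return (options value, {view: value or None if not set}).  Values
    are the raw words so 'unlimited' stays distinct from 'not set'."""
    stack, stmt = [], []          # enclosing block names, current statement
    options_raw, views = None, {}
    for tok in tokenize(conf):
        if tok == "{":
            head = stmt[0] if stmt else "?"
            if head == "view" and len(stmt) > 1:
                name = stmt[1].strip('"')
                views.setdefault(name, None)
                head = "view " + name
            stack.append(head)
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            # only options { } and a top-level view { } may carry the cap;
            # a zone nested inside a view is ignored because stack is deeper
            if len(stmt) == 2 and stmt[0] == "max-cache-size":
                if stack == ["options"]:
                    options_raw = stmt[1]
                elif len(stack) == 1 and stack[0].startswith("view "):
                    views[stack[0][5:]] = stmt[1]
            stmt = []
        else:
            stmt.append(tok)
    return options_raw, views


def effective_limits(conf):
    """Cap applied to each view's cache: its own statement if present,
    otherwise the options value.  A server without view clauses has one
    implicit view, reported here under the constructed name "_default"."""
    options_raw, views = cache_limits(conf)
    if not views:
        views = {"_default": None}
    out = {}
    for name, raw in views.items():
        chosen = raw if raw is not None else options_raw
        out[name] = parse_size(chosen) if chosen is not None else None
    return out


def worst_case_cache_bytes(conf):
    """Sum of every view's cap (the most cache memory named may hold in
    total); None if any view is uncapped."""
    limits = effective_limits(conf)
    if any(v is None for v in limits.values()):
        return None
    return sum(limits.values())


def fits_in(conf, physical_bytes):
    """True only if the combined caps are known and fit in physical RAM."""
    total = worst_case_cache_bytes(conf)
    return total is not None and total <= physical_bytes


# Constructed sample: the post's global cap (80% of 2 GB) plus the two
# views of the split-DNS example, with no per-view override.
SAMPLE_SHARED = """
options {
    directory "/var/named";
    max-cache-size 1717986918;   // 80% of 2 GB
    recursion yes;
};
view "trusted" {
    match-clients { 192.168.23.0/24; };
    zone "example.com" { type master; file "internal/master.example.com"; };
};
view "badguys" {
    match-clients { any; };
    recursion no;
    zone "example.com" { type master; file "external/master.example.com"; };
};
"""

# Constructed variant: the untrusted view gets its own, smaller cap.
SAMPLE_OVERRIDE = SAMPLE_SHARED.replace(
    "recursion no;", "recursion no;\n    max-cache-size 256M;")

if __name__ == "__main__":
    for label, conf in (("shared", SAMPLE_SHARED), ("override", SAMPLE_OVERRIDE)):
        print(label, effective_limits(conf), "total:", worst_case_cache_bytes(conf),
              "fits in 2 GB:", fits_in(conf, TWO_GB))
```

With the global value alone, each of the two views may grow to 1717986918 bytes, so the worst case is about 3.2 GB of cache on a 2 GB machine; giving the "badguys" view its own 256M cap brings the total back under physical memory.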