External Name Server Timeouts

[Barry Margolin]

In article <du9v4v$2irf$1 at sf1.isc.org>,
 Merton Campbell Crockett <m.c.crockett at adelphia.net> wrote:

> I have an external master name server running BIND 9.3.1 on a SuSE  
> Linux 9.3 system.  Periodically, the name server stops responding to  
> DNS queries from the Internet.  In some instances when this occurs,  
> all external name servers will become unresponsive.
> 
> During these incidents, the external name server appears to remain  
> responsive to DNS requests forwarded from internal name servers.   
> However, it is not clear if the responses to the internal DNS  
> requests are from the external name servers cache or not.  A quick  
> check using tcpdump seems to indicate that the name server is sending  
> DNS requests to the Internet but may not be receiving any responses.
> 
> A "weird" element of these incidents is that they don't appear to  
> impact the ability of internal users to access the Internet, i.e.  
> there are no problem tickets being opened by users claiming to be  
> unable to access external systems.  The problem tickets that are  
> opened are from users on the road, at home, or at customer sites that  
> are unable to establish VPN connections.

This suggests to me that something is blocking incoming packets with 
destination port 53, but allowing incoming packets to the high port 
that's used when BIND sends out recursive queries.

If you run tcpdump during this, do you see any of the normal queries 
reaching the server?

> During the last incident, I noticed that the external name server was  
> being inundated with DNS requests to update the external zone file  
> from an IP address, 196.25.255.194, assigned to an Internet Service  
> Provider in Zaire.  Dynamic updates are not permitted but the name  
> server appears to be going through all the steps needed to perform a  
> dynamic update before rejecting the request.  Log entries indicate  
> that the check for no existing RRset entries succeeded before  
> reporting that the update request was denied.

I suspect this is because it has to determine which zone is being 
updated, so that it can check that zone's "allow-update" setting.  It 
would probably be nice if the code special-cased the situation where NO 
zones allow updating, and skipped all these unnecessary checks.

> 
> I am attempting to eliminate BIND 9 as the cause of the DNS  
> timeouts.  My suspicion is that the DNS timeouts are being caused by  
> the SideWinder G2 firewall that was installed in November.

Maybe some kind of IDS/IPS function of the firewall, throttling incoming 
DNS queries when they get too frequent?

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***