Recursive queries fail if query source port is not fixed

Vinny Abello vinny at tellurian.com
Fri Aug 22 04:16:47 UTC 2008


> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Hans F. Nordhaug
> Sent: Saturday, August 16, 2008 3:49 AM
> To: [bind-users]
> Subject: Re: Recursive queries fail if query source port is not fixed
>
> * Steven Stromer <filter at stevenstromer.com> [2008-08-15]:
> > I doubt that this is at all pertinent, but I was experiencing similar
> > behavior once I patched a client a few weeks ago and took them off
> > port 53. Recursive requests were failing three out of every four
> > times they were made, yet digs with trace worked. The company uses a
> > crappy Netgear firewall that I can't wait to trash. However, the fix
> > ended up coming from turning off tcp and udp flood protection on the
> > firewall. In this case the firewall was located between a DMZ area
> > and the company LAN, with the recursive nameserver located in the
> > DMZ, so the network was probably slightly different...
>
> This is exactly our network setup!
>
> > However, the symptoms sound so familiar that I thought I'd mention
> > it. Maybe your Cisco router is interpreting all the randomized UDP
> > activity as a flood. Apologies if this is off track with your issue
> > - good luck finding a fix!
>
> I'll test this on Monday and report back - thx a lot for the
> suggestion.
>
> Hans
>
> PS! I wasn't at work yesterday so I haven't been able to test the
> suggestions I got on Thursday. I'll report back here when/if I find a
> solution.

I don't know if anyone experiencing these types of problems is running a Cisco PIX version 6.3, but there is a bug even in the latest 6.3(5) GD code which will cause 100% CPU load, triggered by the port randomization of the DNS queries in recent versions of BIND. For those that don't have CCO access, a summary of the details is as follows:

CSCsc61300 Bug Details
CPU increases with high volume of DNS requests using same four-tuple
Symptom:

A PIX firewall is experiencing high CPU levels.

Condition:

Certain DNS traffic causes the PIX to inefficiently track DNS activity. This
results in a large processing load on the PIX.

Workaround:

There are no workarounds.

Solution:

Upgrade to PIX software version 6.3.5(105) or higher. Alternatively, users can
upgrade to PIX software version 7.0.

-------

So you need to obtain 6.3.5(105) or higher from Cisco TAC or go to 7.x instead. I saw this on a Cisco list I'm on and thought of a lot of the people having odd firewall issues and thought I'd share. Hope this helps someone!

-Vinny
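An added example, not from Vinny's post and not code from ISC's BIND: a small Python script that reads tcpdump's one-line DNS summaries and reports whether a resolver's outbound queries reuse a single UDP source port (what you get when `query-source ... port 53` is pinned in named.conf as a firewall workaround) or pick a fresh port per query (the randomization the thread is about), along with how many distinct four-tuples the firewall has to track as a result. The two captures embedded below are constructed, not real traffic; the line format, the sample addresses and the 90% distinct-port threshold for calling a resolver "random" are assumptions.

```python
"""Classify a resolver's DNS source-port behaviour from tcpdump text.

Added example. Works on the one-line summaries `tcpdump -n port 53`
prints; nothing here is BIND's or Cisco's code.
"""
import re
from collections import namedtuple

Query = namedtuple("Query", "ts src sport dst dport txid qname")

# Matches a tcpdump DNS *query* summary such as
#   10:15:01.000100 IP 10.0.0.2.41521 > 192.0.2.10.53: 4711+ A? www.example.com. (33)
# Responses ("4711 1/0/0 A 203.0.113.5") do not match and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?:\[\S+\] )?[A-Z0-9]+\? (?P<qname>\S+)"
)


def parse_queries(text):
    """Return the DNS queries found in tcpdump-style text, in order."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            queries.append(Query(m["ts"], m["src"], int(m["sport"]), m["dst"],
                                 int(m["dport"]), int(m["txid"]), m["qname"]))
    return queries


def assess(text, min_queries=5):
    """Summarise source-port diversity and the firewall-side state it implies.

    verdict: "pinned"  - every query left from one source port
             "weak"    - some reuse, fewer than 90% of queries got a fresh port
             "random"  - (almost) every query used a fresh port
             "insufficient" - too few queries to say anything
    """
    qs = parse_queries(text)
    n = len(qs)
    sports = {q.sport for q in qs}
    txids = {q.txid for q in qs}
    # One entry per (src, sport, dst, dport): the connection-tracking state a
    # stateful firewall must keep. A pinned resolver reuses one tuple per
    # upstream server; a randomizing one creates a new tuple per query.
    tuples = {(q.src, q.sport, q.dst, q.dport) for q in qs}
    if n < min_queries:
        verdict = "insufficient"
    elif len(sports) == 1:
        verdict = "pinned"
    elif len(sports) < 0.9 * n:  # assumed threshold
        verdict = "weak"
    else:
        verdict = "random"
    return {"queries": n, "source_ports": len(sports), "txids": len(txids),
            "four_tuples": len(tuples), "verdict": verdict}


# Constructed capture: resolver 10.0.0.2 with the source port pinned to 53.
PINNED_CAPTURE = """\
10:15:01.000100 IP 10.0.0.2.53 > 192.0.2.10.53: 4711+ A? www.example.com. (33)
10:15:01.000350 IP 192.0.2.10.53 > 10.0.0.2.53: 4711 1/0/0 A 203.0.113.5 (49)
10:15:01.010200 IP 10.0.0.2.53 > 192.0.2.11.53: 19204+ AAAA? mail.example.net. (34)
10:15:01.021000 IP 10.0.0.2.53 > 192.0.2.10.53: 55133+ MX? example.org. (29)
10:15:01.033700 IP 10.0.0.2.53 > 192.0.2.12.53: 8077+ A? ns1.example.com. (33)
10:15:01.034100 IP 192.0.2.12.53 > 10.0.0.2.53: 8077 1/0/0 A 203.0.113.9 (49)
10:15:01.045900 IP 10.0.0.2.53 > 192.0.2.11.53: 61002+ A? www.example.net. (33)
10:15:01.052200 IP 10.0.0.2.53 > 192.0.2.10.53: 30288+ TXT? example.com. (29)
"""

# Constructed capture: same resolver after the port-randomization patch.
RANDOM_CAPTURE = """\
10:20:01.000100 IP 10.0.0.2.41521 > 192.0.2.10.53: 4711+ A? www.example.com. (33)
10:20:01.000350 IP 192.0.2.10.53 > 10.0.0.2.41521: 4711 1/0/0 A 203.0.113.5 (49)
10:20:01.010200 IP 10.0.0.2.58003 > 192.0.2.11.53: 19204+ AAAA? mail.example.net. (34)
10:20:01.021000 IP 10.0.0.2.1027 > 192.0.2.10.53: 55133+ MX? example.org. (29)
10:20:01.033700 IP 10.0.0.2.62910 > 192.0.2.12.53: 8077+ A? ns1.example.com. (33)
10:20:01.034100 IP 192.0.2.12.53 > 10.0.0.2.62910: 8077 1/0/0 A 203.0.113.9 (49)
10:20:01.045900 IP 10.0.0.2.33812 > 192.0.2.11.53: 61002+ A? www.example.net. (33)
10:20:01.052200 IP 10.0.0.2.50117 > 192.0.2.10.53: 30288+ TXT? example.com. (29)
"""

if __name__ == "__main__":
    for name, cap in (("pinned", PINNED_CAPTURE), ("random", RANDOM_CAPTURE)):
        print(name, assess(cap))
```

On a real box, feed it `tcpdump -n -l 'udp and dst port 53 and src host <resolver>'` output. A "pinned" verdict means the resolver is back to a single guessable port, so any firewall that only copes with that setting is trading its own stability for the resolver's cache-poisoning resistance; the four-tuple count is the number the firewall's state table has to absorb at your query rate.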
