High recursive client counts

Mark Andrews marka at isc.org
Thu Mar 27 22:26:41 UTC 2014


In message <53349E66.8050405 at ksu.edu>, "Lawrence K. Chen, P.Eng." writes:
> 
> 
> On 03/26/14 04:02, Sam Wilson wrote:
> > In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
> >  Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
> > 
> >> For now, I've disabled DNS inspection on our firewall, as it is an ancient
> >> Cisco firewall services module, and that seems to have stabilized things,
> >> but it's only been 30 minutes or so.  Until I get a few days in, I'll keep
> >> researching.
> > 
> > We used to run DNS inspection on our FWSMs.  We didn't notice any issues 
> > with DNS resolution per se, but we did find that turning it off dropped 
> > the FWSM CPU from ~70% to less than 30%.  We're not aware of any issues 
> > that using DNS inspection might have caused.
> > 
> > Sam
> > 
> 
> I had to get our DNS servers exempted from our Procera, as it was interfering
> with DNSSEC.  The security analyst said it considered some of the large encrypted
> UDPs as P2P.
> 
> So, every few days (less during busy times), a recursive caching query server
> would stop answering, where restarting it would make it work again.  It was
> to the point where I had our monitoring system restart bind as needed.
> 
> Eventually, my manager asked about all the strange notifications, where he then
> pushed it up to the CISO to get the analyst to make the change to stop
> interfering with DNS.
> 
> They had done a test a few months earlier, and said we didn't complain then.
> I went back through the logs, and found that it had been interfering
> then...but the weekend test wasn't enough to cause any servers to stop responding.
> 
> I didn't think to see what the client counts were.  Though another time when
> the Procera had stopped passing any traffic, the counts did get really high
> before they stopped working.
> 
> Need to work on figuring out how to have it resolve local domains when
> Internet connection is down.

Slaving the local zones is the simplest solution.
 
> -- 
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- & SafeZone Ally
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
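Mark's suggestion as a named.conf sketch; this is an added example, not configuration from the original post or from ISC. The zone names, the primary's address (192.0.2.10) and the client subnet are placeholders, and the syntax is the BIND 9.9-era `type slave; masters` form that the thread predates the `secondary`/`primaries` spelling.

```conf
// Added example: keep the internal zones resolvable on the recursive resolver
// even when the Internet link is down, by slaving them from the internal primary.
// Hypothetical values: example.internal, 2.0.192.in-addr.arpa, 192.0.2.10, 192.0.2.0/24.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // only our own clients may recurse
    dnssec-validation auto;
};

// Secondary copy of the internal forward zone. Answers come from local
// authoritative data, so no upstream query (or DNSSEC chain) is needed.
zone "example.internal" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/example.internal.db";   // on-disk copy survives a named restart
    allow-transfer { none; };            // do not re-publish the zone to others
};

// Matching reverse zone for the client subnet, same treatment.
zone "2.0.192.in-addr.arpa" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/2.0.192.in-addr.arpa.db";
    allow-transfer { none; };
};
```

The copy stays servable only until the zone's SOA expire interval elapses without a successful refresh from the primary, so size that interval to outlast the longest outage you expect; `rndc zonestatus example.internal` shows the current expiry and serial.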

