High recursive client counts
Mark Andrews
marka at isc.org
Thu Mar 27 22:26:41 UTC 2014
In message <53349E66.8050405 at ksu.edu>, "Lawrence K. Chen, P.Eng." writes:
>
>
> On 03/26/14 04:02, Sam Wilson wrote:
> > In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
> > Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
> >
> >> For now, I've disabled DNS inspection on our firewall, as it is an ancient
> >> Cisco firewall services module, and that seems to have stabilized things,
> >> but it's only been 30 minutes or so. Until I get a few days in, I'll keep
> >> researching.
> >
> > We used to run DNS inspection on our FWSMs. We didn't notice any issues
> > with DNS resolution per se, but we did find that turning it off dropped
> > the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
> > that using DNS inspection might have caused.
> >
> > Sam
> >
>
> I had to get our DNS servers exempted from our Procera, as it was interfering
> with DNSSEC. The security analyst said it considered some of the large encrypted
> UDPs as P2P.
>
> So, every few days (less during busy times), a recursive caching query server
> would stop answering....where restarting it would make it work again. It was
> to the point where I had our monitoring system restart bind as needed.
>
> Eventually, my manager asked about all the strange notifications, and he then
> pushed it up to the CISO to get the analyst to make the change to stop
> interfering with DNS.
>
> They had done a test a few months earlier, and said we didn't complain then.
> I went back through the logs, and found that it had been interfering
> then...but the weekend test wasn't enough to cause any servers to stop responding.
>
> I didn't think to see what the client counts were. Though another time when
> the Procera had stopped passing any traffic, the counts did get really high
> before they stopped working.
>
> Need to work on figuring out how to have it resolve local domains when
> Internet connection is down.
Slaving the local zones is the simplest solution.
> --
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- & SafeZone Ally
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
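The setup Mark suggests, as an added example that is not from the thread: a recursive caching resolver that also holds a slave (secondary) copy of the local forward and reverse zones, so those names keep resolving from the local copy while the Internet link is down. Zone names, addresses and file paths are placeholders.

```conf
// Added example, not part of the original thread. Placeholder names/addresses.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   // internal clients only
    dnssec-validation auto;
    // Default is 1000. Raising it only hides a middlebox or upstream problem
    // such as the firewall/Procera interference described in the thread.
    recursive-clients 1000;
};

// Local forward zone, transferred from the internal authoritative server.
// A slave keeps answering from its copy until the SOA expire timer runs out,
// so set expire on the master long enough to cover a realistic outage.
zone "example.internal" {
    type slave;                     // newer BIND also accepts "secondary"
    masters { 10.0.0.53; };         // placeholder; newer BIND: "primaries"
    file "slaves/example.internal.db";   // on-disk copy survives restarts
    allow-transfer { none; };       // the resolver is not a transfer source
};

// Matching reverse zone so PTR lookups also survive an outage.
zone "0.10.in-addr.arpa" {
    type slave;
    masters { 10.0.0.53; };
    file "slaves/0.10.in-addr.arpa.db";
    allow-transfer { none; };
};
```

After loading, `rndc status` reports the current recursive client count, which is the figure to watch while the link is down rather than waiting for the server to stop answering.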