Re: BIND9 Latency
- From: Tom Smith <tom71713-ubuntu@xxxxxxxxx>
- Date: Wed, 27 Sep 2006 11:08:11 -0700
James Gray wrote:

> On 27/09/2006, at 4:58 AM, Tom Smith wrote:
>
>> The problem is that it seems to time out quite frequently when resolving
>> non-local domain names--that is, it times out when resolving Internet
>> domain name... It always works when resolving internal names. The only
>> way I've found, so far, to resolve this is to restart the bind9 service.
>>
>> There are no errors in any of the logs (that I can find) and there don't
>> appear to be any other anomalies occurring when the problem crops up.
>>
>> Can anyone offer any suggestions as to what might be going on or ways of
>> tracking down this problem?
>
> Have you specified a forwarding name server in the /etc/named.conf
> file? You might also be hitting some firewall issues, so you might
> want to play with the source address/port that bind uses.

I haven't specified any forwarding servers--the intent was for it to be
a caching server.

As for the firewall, I don't believe there are any issues here. As I
mentioned, it works great right after it's restarted then quits working
some time later (it varies in the amount of time). I also have servers
like this (using a different distribution) at four other offices with
the same firewall and these offices work without problem.

> Another thing I've seen with bind servers that can cause these
> symptoms is accidentally imposing a non-recursive restriction to
> internal users. It's a good thing to restrict recursive queries to
> trusted/LAN hosts - otherwise anyone can point their resolver at your
> DNS server and get it to resolve anything. Non-recursive queries to
> untrusted hosts will mean they can ask your DNS server anything about
> the domains it is master/slave for, but any other domain will result
> in a "ask someone else" response :)

Well, I'm using the default installation of Bind--however that's
configured. What I added were zones for my corporate office and for the
local office--everything else is at its default.

Also, these servers aren't publicly accessible--they're on private
networks.

> Failing all that, maybe run the named daemon in the foreground with
> debugging turned on. This will stop it forking to the background and
> show you all manner of info about what is happening with queries,
> forwards, and zone synchronisation. Dumping the output to a log file
> is helpful too (use a shell redirect, then "tail -f <logfile>" from
> another terminal).

This I will try--hadn't thought to do it.

>> Thanks in advance for your help!
>
> I could probably help more if I saw your /etc/named.conf file
> (sanitised of sensitive info of course).

Here you go... named.conf and named.conf.options.
##### /etc/bind/named.conf: #####

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";

##### /etc/bind/named.conf.options: #####

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below. Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
};
--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
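Two points in this thread can be checked from a client on the LAN without reading the server's debug output: whether the caching resolver still answers recursive queries for Internet names (the intermittent timeouts Tom describes), and whether it is quietly refusing recursion to internal clients (James's "non-recursive restriction" point, visible as RCODE REFUSED or a reply with the RA bit clear). The script below is an added example written for this page, not code from the thread or from the BIND project: it builds one A query with RD set using only the standard library, sends it over UDP, and classifies the reply from the header flags. The server address 127.0.0.1 in the `__main__` block is a placeholder for the resolver under investigation, and `example.com` is just a constructed query name.

```python
"""Probe a caching resolver with one recursive DNS query.

Added example for this thread (not from the original post): it sends a single
A query with the RD (recursion desired) bit set to a resolver and reports
(a) whether any reply arrived before the timeout, which is the symptom Tom
describes, and (b) whether the server set RA (recursion available) and what
RCODE it returned, which is how an internal client sees James's point about
accidentally restricting recursion. Standard library only.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
RCODE_MASK = 0x000F


def build_query(name: str, txid: int) -> bytes:
    """Wire-format A/IN query for `name` with RD=1 and transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # qdcount=1
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                       # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Decode the 12-byte header of a reply; reject ids we did not send."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    return {
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": RCODES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "answers": an,
    }


def classify(parsed: dict) -> str:
    """Turn the decoded header into the condition an operator would act on."""
    if not parsed["qr"]:
        return "not-a-response"
    if parsed["rcode"] == "REFUSED" or not parsed["ra"]:
        # the server will not recurse for this client: check allow-recursion ACLs
        return "recursion-refused"
    if parsed["rcode"] == "SERVFAIL":
        # resolver accepted the query but could not complete it upstream
        return "servfail"
    return "ok" if parsed["rcode"] == "NOERROR" else parsed["rcode"].lower()


def probe(server: str, name: str, timeout: float = 2.0, port: int = 53) -> dict:
    """Send one query over UDP and return the decoded result or a timeout."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return {"status": "timeout"}       # the symptom from the thread
    result = parse_response(data, txid)
    result["status"] = classify(result)
    return result


if __name__ == "__main__":
    # 127.0.0.1 is a placeholder for the caching resolver under investigation.
    print(probe("127.0.0.1", "example.com"))
```

Running `probe()` from cron or a loop with a timestamp gives the time-to-failure that Tom says varies between restarts, and a run from an off-LAN host should come back `recursion-refused` if the server is restricted the way James recommends (in BIND that is the `allow-recursion` option, for example `allow-recursion { localhost; localnets; };`). A `servfail` or `timeout` result with RA set narrows the problem to the resolver's own upstream lookups, which is where the foreground run James suggests (`named -g -d <level>`, which keeps named in the foreground and logs to stderr at the given debug level) shows the individual outbound queries and their fate.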