Re: Strange BIND9 issue

Posted 01-12-2005 by Brad Knowles

At 7:42 PM -0600 2005-01-11, Will Yardley wrote:

> radon: 04:56pm# while true ; do dig yahoo.com @66.33.216.127 | grep Query ; done
> ;; Query time: 790 msec
> ;; Query time: 868 msec
> ;; Query time: 753 msec
> ;; Query time: 798 msec
> ;; Query time: 982 msec
> ;; Query time: 1178 msec
> ;; Query time: 1284 msec
> ;; Query time: 1291 msec
> ;; Query time: 1208 msec
> ;; Query time: 738 msec


You're completely by-passing the local caching BIND nameserver
here. You're going directly to the nameserver specified in the
command line, and the local copy of BIND is not involved at all.
Unless that is the public IP address of your machine, but then
queries to 127.0.0.1 or the public IP address should be going to the
same copy of BIND running on the same machine, and I don't understand
why this would result in the kind of difference you're seeing.

Have you seen this kind of behaviour regardless of which IP
address you query?

> If I restart BIND, queries start responding quickly again. I don't see
> any errors on the interface, and pings (from outside or to the machine
> itself) don't show any packet loss... I don't think a networking problem
> is the issue here.


That's not a valid assumption. Turn on additional debugging
within BIND and you should see what's going on. You can also turn on
additional debugging within dig, and have it tell you if it's doing
retransmits or whatever. If dig is doing retransmits, then your
queries are getting dropped somewhere, and that might be a network
issue.

> recursive-clients 6000;
> tcp-clients 1500;
> max-cache-size 150000000;


Why have you defined these? Why not make the configuration
simpler and disable them? If this fixes your problem, then you know
where to look. If not, then you know to look elsewhere.

Try to eliminate all possible extraneous influences.

> /* only allow queries from internal networks */
> allow-query { dh_known_networks; 127.0.0.0/8; };


Well, that would pretty much kill you from doing queries to the
external IP address.

> zone "cbl.abuseat.org" {
> type forward;
> forwarders { 127.0.0.1 port 54; 66.33.216.129 port 54; };
> };
>
> zone "socks.dnsbl.sorbs.net" {
> type forward;
> forwarders { 127.0.0.1 port 54; 66.33.216.129 port 54; };
> };
>
> [ some other dnsbls, forwarding to rbldnsd running on port 54 ]


Have you tried disabling them?

> The recursive-clients and tcp-clients setting should be more than
> enough.


Maybe. Maybe not. It's hard to tell, depending on what all else
is happening on your box.

--
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
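An added example, not from the thread: a small POSIX shell script in the spirit of Brad's two suggestions, running the same dig loop against each resolver address given on the command line so the query times can be compared across addresses, and using +tries=1 so that a dropped query shows up as a counted timeout instead of being hidden by dig's automatic retry. It assumes dig is installed; the sample dig output embedded for the self-check is constructed, and the addresses in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Usage: sh probe.sh 127.0.0.1 66.33.216.127
# Runs N queries against each address and prints a per-address summary.

# Summarize dig output read from stdin. Counts ";; Query time: N msec"
# lines and timeouts; prints: n=<answers> lost=<timeouts> min= max= avg=
summarize_query_times() {
    awk '
        /^;; Query time:/ {
            ms = $4 + 0
            n++
            sum += ms
            if (n == 1 || ms < min) min = ms
            if (n == 1 || ms > max) max = ms
        }
        /no servers could be reached/ { lost++ }
        END {
            if (n == 0) { printf "n=0 lost=%d (no answers)\n", lost; exit 1 }
            printf "n=%d lost=%d min=%d max=%d avg=%.0f\n", n, lost, min, max, sum / n
        }'
}

# Query NAME COUNT times via SERVER and summarize. +tries=1 makes a lost
# packet a visible timeout rather than a silent retransmit; +time=5 bounds
# how long each attempt waits.
probe_resolver() {
    server=$1; name=$2; count=${3:-10}
    i=0
    while [ "$i" -lt "$count" ]; do
        dig +tries=1 +time=5 "$name" "@$server"
        i=$((i + 1))
    done | summarize_query_times
}

# Constructed sample of dig output (three answers, one timeout), used only
# for the self-check of the summarizer; not captured from a real server.
SAMPLE_DIG_OUTPUT=';; Query time: 790 msec
;; SERVER: 66.33.216.127#53(66.33.216.127)
;; Query time: 1291 msec
;; connection timed out; no servers could be reached
;; Query time: 738 msec'

# With addresses on the command line, probe each one in turn.
if [ "$#" -gt 0 ]; then
    for server in "$@"; do
        printf '%s: ' "$server"
        probe_resolver "$server" yahoo.com 10
    done
fi
```

Run it once while the server is fast and again once it has become slow; if only one address degrades, or if lost climbs while the others stay at zero, that points at the path or listener rather than at BIND's resolver logic.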

