BIND9 Latency

Tom Smith tom71713-ubuntu at yahoo.com
Wed Sep 27 18:08:11 UTC 2006


James Gray wrote:
> On 27/09/2006, at 4:58 AM, Tom Smith wrote:
>
>> The problem is that it seems to time out quite frequently when resolving
>> non-local domain names--that is, it times out when resolving Internet
>> domain names... It always works when resolving internal names. The only
>> way I've found, so far, to resolve this is to restart the bind9 service.
>>
>> There are no errors in any of the logs (that I can find) and there don't
>> appear to be any other anomalies occurring when the problem crops up.
>>
>> Can anyone offer any suggestions as to what might be going on or ways of
>> tracking down this problem?
>
> Have you specified a forwarding name server in the /etc/named.conf
> file?  You might also be hitting some firewall issues, so you might
> want to play with the source address/port that bind uses.

I haven't specified any forwarding servers--the intent was for it to be 
a caching server.

As for the firewall, I don't believe there are any issues here. As I 
mentioned, it works great right after it's restarted then quits working 
some time later (it varies in the amount of time). I also have servers 
like this (using a different distribution) at four other offices with 
the same firewall and these offices work without problem.

> Another thing I've seen with bind servers that can cause these
> symptoms is accidentally imposing a non-recursive restriction to
> internal users.  It's a good thing to restrict recursive queries to
> trusted/LAN hosts - otherwise anyone can point their resolver at your
> DNS server and get it to resolve anything.  Non-recursive queries to
> untrusted hosts will mean they can ask your DNS server anything about
> the domains it is master/slave for, but any other domain will result
> in a "ask someone else" response :)

Well, I'm using the default installation of Bind--however that's 
configured. What I added were zones for my corporate office and for the 
local office--everything else is at its default.

Also, these servers aren't publicly accessible--they're on private 
networks.

> Failing all that, maybe run the named daemon in the foreground with
> debugging turned on.  This will stop it forking to the background and
> show you all manner of info about what is happening with queries,
> forwards, and zone synchronisation.  Dumping the output to a log file
> is helpful too (use a shell redirect, then "tail -f <logfile>" from
> another terminal).

This I will try--hadn't thought to do it.

>> Thanks in advance for your help!
>
> I could probably help more if I saw your /etc/named.conf file
> (sanitised of sensitive info of course).

Here you go... named.conf and named.conf.options.

##### /etc/bind/named.conf: #####

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
//  Because many of our users are uncomfortable receiving undelegated answers
//  from root or top level domains, other than a few for whom that behaviour
//  has been trusted and expected for quite some length of time, we have now
//  introduced the "root-delegations-only" feature which applies delegation-only
//  logic to all top level domains, and to the root domain.  An exception list
//  should be specified, including "MUSEUM" and "DE", and any other top level
//  domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";

##### /etc/bind/named.conf.options: #####

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035

};
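To tell the cases raised in this thread apart with a single query against the resolver (a REFUSED reply from a non-recursive restriction, an answer without the "ra" flag, a plain timeout, or a healthy recursive answer), here is an added helper that is not from the thread or from BIND; the server address in the usage comment and the sample dig headers are constructed:

```shell
# Added example (not from the thread or from BIND): classify one `dig` answer.
# Reads dig output on stdin and prints: <verdict> status=<rcode> ra=<0|1> qtime_ms=<n>
# Usage against a real server (192.0.2.53 is a placeholder address):
#   dig @192.0.2.53 www.example.com | classify_dig_output
classify_dig_output() {
    awk '
        /connection timed out|no servers could be reached/ { timeout = 1 }
        /->>HEADER<<-/ {
            if (match($0, /status: [A-Z]+/)) status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        # the flags field ends at the first ";", so "ra" must appear before it
        /^;; flags:/ { if ($0 ~ /flags:[^;]* ra[ ;]/) ra = 1 }
        /^;; Query time:/ { qtime = $4 }
        END {
            if (timeout)                   verdict = "timeout"
            else if (status == "REFUSED")  verdict = "recursion-refused"
            else if (ra)                   verdict = "recursive-answer"
            else if (status != "")         verdict = "no-recursion"
            else                           verdict = "unparsed"
            printf "%s status=%s ra=%d qtime_ms=%s\n", verdict, (status == "" ? "-" : status), ra + 0, (qtime == "" ? "-" : qtime)
        }'
}

# Constructed sample dig output (header lines only), not captured from the poster's server.
sample_recursive() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0' \
        ';; Query time: 42 msec'
}
sample_refused() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712' \
        ';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0' \
        ';; Query time: 1 msec'
}
sample_timeout() {
    printf '%s\n' ';; connection timed out; no servers could be reached'
}

# Run the classifier over each constructed sample.
for s in sample_recursive sample_refused sample_timeout; do
    printf '%-17s -> ' "$s"; "$s" | classify_dig_output
done
```

If a LAN client gets recursion-refused, the allow-recursion ACL in named.conf.options is the place to look; the default options file above sets none, so recursion there is governed by BIND's defaults.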

More information about the ubuntu-users mailing list