[clue-tech] Caching-only BIND problems (long winded)

David L. Anselmi anselmi at anselmi.us
Wed Feb 3 18:43:10 MST 2010


Bruce Ediger wrote:
>           - From a "show int wan0" command:
>           Downstream Data Rate:       384 Kbps
>           Upstream Data Rate:         864 Kbps

Those seem backwards.

>           - dhcpd, so I can assign fixed IP addresses and names to various
>           ethernet addresses.  dhcpd sends 10.0.0.12 as the DNS server, 10.0.0.1
>           as the default route.
>
> I followed the "caching-only" example BIND configuration that comes with Slackware.

But it isn't really caching-only, is it.  How is its zone configured?

> I had some early problems in that not all machines on my LAN used 10.0.0.12
> as a nameserver, so the Cisco 678 NAT would lose outgoing queries from
> 10.0.0.12.  That's why I NAT'ed UDP port 53 permanently to 10.0.0.12 UDP port
> 53.
>
> For a while, a couple of Chinese IP addresses hammered BIND, until I excluded
> everybody but my LAN in /etc/bind.conf:

I wouldn't do that.  It would be better to block all outgoing DNS except for your server.  But 
you'll have to look to make sure you fix all the misconfigured stuff.

Why did client requests confuse NAT?

> One or two out of 10 tabs will get a "Server not found" message, with
> a "Try Again" button.  And they're not obscure sites:
>        "Firefox can't find the server at www.nytimes.com."

We don't care what Firefox says, what does BIND say?  Is the browser actually asking BIND?  Is BIND 
getting the answer after Firefox times out or is it not getting the answer?

> I just tried it again by killing Firefox on the Arch machine, flushing bind's
> cache (rndc flush on the Slackware machine), and restarting Firefox.
>
> 6 out of 50 tabs (!?!) came up with a "Server not found" message.
>
> My control:
> Kill firefox on the Arch machine, change /etc/resolv.conf to say:
> nameserver 4.2.2.2   Restart Firefox.
>
> I only get 1 tab out of 50 failing, and it comes up with a
> "The connection has timed out", not "Server not found".

That's not really a good comparison since you didn't flush the cache at 4.2.2.2.  You might expect 
problems when the cache is empty so you go look and see why there are problems and what you can do 
about it.  If your network is too slow and your load too light to keep the cache filled then switch 
to a cache that is faster/fuller.

> I've considered a bandwidth problem, since I'm on a relatively low-speed DSL line,
> but DNS queries really shouldn't take that much bandwidth, should they?

It probably isn't bandwidth, but latency.  Have you looked?  If 50 tabs cause too much latency then 
don't use 50 tabs (or push the try again button 6 times--they all work then, right?)  In the case of 
Windows, it may be doing something onerous that makes it less forgiving of occasional slow lookups. 
You'll have to ask a Windows guru about that.

Dave
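As an added example, not part of Dave's or Bruce's messages, here is a small Python script that does what Dave asks for: it asks the resolvers directly and records what they actually say, instead of trusting the browser's message. "Server not found" collapses several distinct resolver outcomes (no reply before the timeout, SERVFAIL, NXDOMAIN) into one line of text; this script sends the same A queries to each resolver over UDP and tallies the real outcome, the latency, and the TTL the answer carries (which bounds how long BIND can keep it cached). It speaks raw DNS with only the standard library, so it needs no dig. The resolver addresses 10.0.0.12 and 4.2.2.2 come from the thread; the hostname list and the 2 second timeout are constructed for illustration.

```python
"""Ask the resolvers directly and record what they say (added diagnostic).

Standard library only.  10.0.0.12 and 4.2.2.2 are the resolvers named in the
thread; the hostnames and the timeout are a constructed sample.
"""
import random
import socket
import struct
import time

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Header flag bits (RFC 1035 section 4.1.1).
FLAG_RD = 0x0100  # recursion desired
FLAG_TC = 0x0200  # truncated
FLAG_AA = 0x0400  # authoritative answer


def encode_name(name):
    """Encode a hostname as DNS labels: length byte, label bytes, terminated by 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qid, rd=True):
    """Build a standard A/IN query with one question and no other sections."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, expected_id):
    """Pull out what the resolver actually said: rcode, flags, A records, lowest TTL."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response id %#x does not match query id %#x" % (qid, expected_id))
    off = 12
    for _ in range(qdcount):  # skip the echoed question section (name + type + class)
        off = _skip_name(data, off) + 4
    addresses, ttls = [], []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(socket.inet_ntoa(data[off:off + 4]))
            ttls.append(ttl)
        off += rdlen
    rcode = flags & 0x000F
    return {
        "rcode": rcode,
        "outcome": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
        "truncated": bool(flags & FLAG_TC),
        "authoritative": bool(flags & FLAG_AA),
        "answers": ancount,
        "addresses": addresses,
        "min_ttl": min(ttls) if ttls else None,
    }


def query(server, name, timeout=2.0):
    """Send one A query over UDP and classify the result, including silence."""
    qid = random.randrange(1, 65536)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"outcome": "TIMEOUT", "ms": round((time.monotonic() - start) * 1000)}
    result = parse_response(data, qid)
    result["ms"] = round((time.monotonic() - start) * 1000)
    return result


def compare(servers, names, timeout=2.0):
    """Run the same names, in the same order, against each server; tally outcomes."""
    report = {}
    for server in servers:
        tally = {}
        for name in names:
            r = query(server, name, timeout)
            tally[r["outcome"]] = tally.get(r["outcome"], 0) + 1
            print("%-12s %-22s %-9s %5d ms  ttl=%s  %s" % (
                server, name, r["outcome"], r["ms"], r.get("min_ttl"),
                " ".join(r.get("addresses", []))))
        report[server] = tally
    return report


if __name__ == "__main__":
    # Resolvers from the thread; the hostnames are a constructed sample.
    compare(["10.0.0.12", "4.2.2.2"],
            ["www.nytimes.com", "www.slackware.com", "www.archlinux.org"])
```

Run it once right after `rndc flush` and once a minute later: a TIMEOUT column that empties on the second pass points at recursion latency on a cold cache, while SERVFAIL or NXDOMAIN that persists is BIND's own answer and belongs in its logs, not in the browser's.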


