> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans F. Nordhaug
> Sent: Saturday, August 16, 2008 3:49 AM
> To: [bind-users]
> Subject: Re: Recursive queries fail if query source port is not fixed
>
> * Steven Stromer <[EMAIL PROTECTED]> [2008-08-15]:
> > I doubt that this is at all pertinent, but I was experiencing similar behavior once I patched a client a few weeks ago and took them off port 53. Recursive requests were failing three out of every four times they were made, yet digs with trace worked. The company uses a crappy Netgear firewall that I can't wait to trash. However, the fix ended up coming from turning off tcp and udp flood protection on the firewall. In this case the firewall was located between a DMZ area and the company LAN, with the recursive nameserver located in the DMZ, so the network was probably slightly different...
>
> This is exactly our network setup!
>
> > However, the symptoms sound so familiar that I thought I'd mention it. Maybe your Cisco router is interpreting all the randomized UDP activity as a flood. Apologies if this is off track with your issue - good luck finding a fix!
>
> I'll test this on Monday and report back - thx a lot for the suggestion.
>
> Hans
>
> PS! I wasn't at work yesterday so I haven't been able to test the suggestions I got on Thursday. I'll report back here when/if I find a solution.
I don't know if anyone experiencing these types of problems is running a Cisco PIX version 6.3, but there is a bug even in the latest 6.3(5) GD code which will cause 100% CPU load, triggered by the port randomization of the DNS queries in recent versions of BIND. For those that don't have CCO access, a summary of the details is as follows:

CSCsc61300 Bug Details
CPU increases with high volume of DNS requests using same four-tuple

Symptom: A PIX firewall is experiencing high CPU levels.

Condition: Certain DNS traffic causes the PIX to inefficiently track DNS activity. This results in a large processing load on the PIX.

Workaround: There are no workarounds.

Solution: Upgrade to PIX software version 6.3.5(105) or higher. Alternatively, users can upgrade to PIX software version 7.0.

-------

So you need to obtain 6.3.5(105) or higher from Cisco TAC or go to 7.x instead. I saw this on a Cisco list I'm on and thought of a lot of the people having odd firewall issues and thought I'd share.

Hope this helps someone!

-Vinny
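The thread describes the mechanism only in passing: a resolver that used to send every recursive query from port 53 now uses a fresh ephemeral port per query, so a stateful firewall sees hundreds of distinct UDP 4-tuples from one host instead of a handful, and a per-source "flood" or connection-count limit starts dropping the new flows. The following is an added example, not code from the thread, from BIND, or from any Netgear or Cisco product; it is a toy model of that interaction. The per-source new-flow threshold, the resolver and upstream addresses, and the query traffic are all constructed assumptions, chosen only to show why the fixed-port configuration passes cleanly while the randomized one fails most queries.

```python
"""Toy model: DNS source-port randomization versus a per-source UDP
new-flow limit on a stateful firewall.

Added example for the bind-users thread above; not vendor code. The
flow-count heuristic, threshold, addresses and traffic are assumptions.
"""
import random
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# A UDP query as the firewall sees it: (src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]

RESOLVER_IP = "192.0.2.10"  # constructed: recursive resolver in the DMZ
# constructed: a few upstream authoritative servers (documentation ranges)
UPSTREAMS = ["198.51.100.1", "198.51.100.2", "203.0.113.5"]


def generate_queries(n: int, fixed_port: Optional[int], seed: int = 1) -> List[Flow]:
    """Build n constructed outbound DNS queries from one resolver.

    fixed_port=53 models the old 'query-source port 53' configuration;
    fixed_port=None models a patched BIND picking a random ephemeral port
    for every query.
    """
    rng = random.Random(seed)
    queries: List[Flow] = []
    for _ in range(n):
        sport = fixed_port if fixed_port is not None else rng.randint(1024, 65535)
        queries.append((RESOLVER_IP, sport, rng.choice(UPSTREAMS), 53))
    return queries


def distinct_flows_per_source(queries: List[Flow]) -> Dict[str, int]:
    """Count distinct 4-tuples per source host.

    A firewall that keeps one state entry per UDP 4-tuple sees this many
    separate 'connections' from each source during the window.
    """
    seen: Dict[str, set] = defaultdict(set)
    for q in queries:
        seen[q[0]].add(q)
    return {ip: len(flows) for ip, flows in seen.items()}


def flood_heuristic(queries: List[Flow], threshold: int) -> Tuple[int, int]:
    """Toy per-source new-flow limit (assumption, not any vendor's logic).

    Once a source has opened `threshold` distinct UDP flows in the window,
    packets that would open yet another flow are dropped; packets on an
    already-seen flow still pass. Returns (delivered, dropped).
    """
    open_flows: Dict[str, set] = defaultdict(set)
    delivered = dropped = 0
    for q in queries:
        flows = open_flows[q[0]]
        if q in flows:
            delivered += 1          # existing flow: passes
        elif len(flows) < threshold:
            flows.add(q)            # new flow within budget: passes
            delivered += 1
        else:
            dropped += 1            # new flow over budget: treated as flood
    return delivered, dropped


def failure_rate(queries: List[Flow], threshold: int) -> float:
    """Fraction of queries the toy heuristic drops."""
    delivered, dropped = flood_heuristic(queries, threshold)
    return dropped / (delivered + dropped)


if __name__ == "__main__":
    n, limit = 400, 50  # constructed: 400 queries, 50 new flows per source
    fixed = generate_queries(n, fixed_port=53)
    randomized = generate_queries(n, fixed_port=None)
    print("fixed port 53  : flows", distinct_flows_per_source(fixed),
          "failure rate %.2f" % failure_rate(fixed, limit))
    print("randomized port: flows", distinct_flows_per_source(randomized),
          "failure rate %.2f" % failure_rate(randomized, limit))
```

With the fixed source port the resolver never opens more than three flows (one per upstream), so nothing is dropped; with randomized ports nearly every query is a new 4-tuple and, once the constructed budget of 50 is spent, the rest are dropped, reproducing the "most recursive queries fail" symptom. The defender-side lessons are the ones the thread reaches: the resolver's many distinct source ports are expected behaviour after the randomization patch, and a firewall in front of it needs its per-host UDP flow or flood limits raised (or exempted for the resolver) rather than the randomization turned off.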