Hello,
A few of the default settings changed from 9.4.x to 9.6.x
The appropriate README files, change logs, and BIND ARM will provide details
about them.
Below are some options and logging configurations you may want to investigate.
Ye Ole Disclaimer: Please be sure to understand what these do and the DNS
environment these alter before making changes.
options suggestions: (set some limits)
# Employ ACLs to limit who can query the server
allow-query { "file-a"; "file-b"; };

# Employ ACLs to limit recursion - may or may not be the same files as in the previous statement
allow-recursion { "file-a"; "file-b"; };

# Employ ACLs to drop abusive queries. Note: this will affect legitimate
# responses from any networks listed, too. Keep this in mind.
blackhole { "file-c"; };

# Understand how many recursive clients the hardware should handle at a time
recursive-clients X000;

# Understand how many TCP clients should be handled at a time.
tcp-clients X00;

# Limit the number of clients-per-query. This helps to limit bogus queries
# (especially from malware). We use 10.
clients-per-query X0;

# Same as above. That is, we hard set to deal with bogus queries from malware.
# I believe BIND automagically adjusts this by default. We use 20.
max-clients-per-query X0;

# Setting to 0 makes this model older behavior. I believe 9.5+ new default is
# 32MB. Setting to 0 is unlimited, if memory serves, and is what we want in our
# environment.
max-cache-size 0;
logging suggestions: (throw away certain things from logging IF you are not
interested in them)
# If "null" is not understood, one can define it using this method.
channel secure_messages { file "/dev/null"; };

# Fancy way of sending these logs to the garbage can using the previous
# definition. Setting ACLs generates a lot of log chatter. A good thing while
# one tweaks ACLs to check the logs. Once ACLs are tweaked, no need to waste
# CPU and HDD seek time logging data we no longer need = trash can.
category security { secure_messages; };

# Nice info about lame servers, but since we can't fix the Internet = toss to
# the garbage can for now.
category lame-servers { null; };

# Again, nice info about EDNS, but it isn't something our environment needs us
# to act upon at this time = trash can for now.
category edns-disabled { null; };
HTH.
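As an added example (not part of the reply above, and not ISC's own configuration), the fragments it suggests assembled into one named.conf layout that named will actually parse: the ACLs are defined once by name, the limits live in the options block, and the logging block keeps a real channel for what you still want to see. The ACL names, address ranges (RFC 5737 documentation space), numeric limits and log path are placeholders chosen for illustration.

```conf
// Added example, not from the original message. All names, ranges, limits
// and paths below are placeholders; size the limits to your own hardware.

// Define the address sets once, then reference them by name in options.
acl "trusted-clients" { 192.0.2.0/24; 198.51.100.0/24; localhost; };  // placeholder ranges
acl "abusers"         { 203.0.113.0/24; };                             // placeholder range

options {
    directory "/var/named";                  // placeholder

    // Who may ask at all, and who may ask us to recurse on their behalf.
    allow-query     { "trusted-clients"; };
    allow-recursion { "trusted-clients"; };

    // Packets from these networks are dropped outright. As the reply notes,
    // this also drops responses from any authoritative server inside the range.
    blackhole { "abusers"; };

    // Concurrency ceilings; placeholder values, not recommendations.
    recursive-clients 1000;
    tcp-clients 100;

    // Caps on identical outstanding queries (the values the reply says it uses).
    clients-per-query 10;
    max-clients-per-query 20;

    // 0 = unlimited cache, the reply's preference; otherwise a size such as 512M.
    max-cache-size 0;
};

logging {
    // A discard channel; equivalent to the built-in "null" channel.
    channel secure_messages { file "/dev/null"; };

    // A channel for messages worth keeping.
    channel default_log {
        file "/var/log/named/named.log" versions 3 size 20m;   // placeholder path
        severity info;
        print-time yes;
        print-category yes;
    };

    category default       { default_log; };
    category security      { secure_messages; };   // point at default_log while tuning ACLs
    category lame-servers  { null; };
    category edns-disabled { null; };
};
```

Run named-checkconf against the file before reloading; it reports syntax errors such as an ACL referenced before it is defined, which is the usual way a hand-edited block like this fails.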
________________________________
From: Imri Zvik <im...@inter.net.il>
To: bind-users@lists.isc.org
Sent: Wednesday, July 8, 2009 2:24:17 PM
Subject: bind 9.6.1 under perform after running for a couple of hours
Hi,
After a couple of hours, performance of bind 9.6.1 suddenly drops. While the
server remains responsive, the response time increases, the rate of the failed
queries increases, and CPU/load average usage increases. Restarting named
solves the problem.
I cannot find anything useful in the logs, but a quick search in this mailing
list archive shows that other users reported somewhat similar problems with
this version of BIND :(
The operating system is Linux (Linux ns1 2.6.18-128.el5 #1 SMP Wed Dec 17
11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux) , Red Hat Enterprise Linux
Server release 5.3 (Tikanga).
Output of named -V:
BIND 9.6.1 built with '--enable-threads' '--enable-largefile'
'--prefix=/usr/local'
/usr/local/sbin/named: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV),
for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux
2.6.9, not stripped
It is important to state that we just upgraded from 9.4.3-P2.
Any ideas?
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users