On 30/03/2017 06:35, i.chu...@volga.ttk.ru wrote:
> Greetings to everyone!
>
> I'm an engineer at a local ISP and we have to provide 2 DNS servers running
> BIND for our clients. We have logs full of various BIND errors but are
> unable to gain a full understanding of the problem. The main problem is that
> the BIND at 213.80.236.18 sometimes stops responding after working fine
> for about a week. Then BIND just doesn't return any responses and we have
> to restart it. There is a suspicion of a weak (because other services are
> running normally) DoS attack, but I don't know the right way to determine
> whether it is so or not. I would be glad if anyone would be so kind as to help
> us solve this issue.
>
> The machines have the IPv4 addresses 217.23.80.4 (BIND version 9.9.4) and
> 213.80.236.18 (BIND version 9.9.5-r3) and have to resolve hostnames only
> for ISP customers (and refuse to resolve for others), BUT we want to be
> able to resolve our specific zones like vtt.net for anybody trying, in case
> of authoritative nameserver failures.
Stopping right here. Recursive lookup and authoritative service are completely different services and require different servers (preferably; you could run multiple instances of the nameserver on a single server, but that can get ugly). Your two recursive servers should remain recursive servers, only giving replies to your customer base. When you start running DNSSEC this becomes even more important: a recursive server that is also authoritative for a zone cannot give a proper DNSSEC reply when asked about zones carried in its config. Rather keep things simple.

I would presume that you have multiple authoritative servers for your "vtt.net" domain. If you need more redundancy, add more authoritative nameservers, or better still an AnyCast instance. Even your local authoritative nameservers should ask your recursive servers when they need to look up information that is not part of the zones they manage.

Enough of the preaching.

-oOo-

If you were to run IPv6, a number of errors would disappear; otherwise force BIND not to do any IPv6. Adding IPv6, though, would be preferable. ;-)

Don't think, though, that any of this is causing your problem.

You could always upgrade your version of BIND. On my Gentoo laptop I'm running BIND 9.11.0-P3, so you are a bit behind.

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
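As an added worked example (not from the original post, nor from Mark's reply or from ISC), here is what the split described above looks like in BIND 9 named.conf terms: one configuration for the customer-facing recursive resolvers and a separate one for the vtt.net authoritative server. The ACL prefixes, file paths, zone file names and the secondary-server address are placeholders that the thread does not give; substitute your own. The directives themselves (allow-recursion, allow-query-cache, listen-on-v6 { none; }, recursion no) are standard BIND 9 options.

```conf
// ===== File 1: named.conf on the two recursive resolvers =====
// Recursion only, answered only for the ISP's own customers, no IPv6.
// Carries no authoritative zones, so DNSSEC validation works normally.

acl "customers" {
    127.0.0.0/8;
    192.0.2.0/24;        // placeholder: replace with your customer prefixes
    198.51.100.0/24;     // placeholder
};

options {
    directory "/var/cache/bind";        // placeholder path

    listen-on    { any; };
    listen-on-v6 { none; };              // no IPv6 at all (equivalent to starting named with -4)

    recursion yes;
    allow-recursion   { customers; };    // outsiders get REFUSED on recursive queries
    allow-query-cache { customers; };    // and cannot read cached answers either
    allow-query       { customers; };    // nothing here is meant for the public
    allow-transfer    { none; };

    dnssec-validation auto;
};

// Root hints only; vtt.net is deliberately NOT configured here.
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";    // placeholder path
};

// ===== File 2: named.conf on an authoritative server for vtt.net =====
// Answers anyone for the zones it carries and never recurses.
// If this host itself needs to resolve other names (mail, NOTIFY targets),
// point its /etc/resolv.conf at the recursive servers above instead of
// turning recursion on here.

acl "secondaries" {
    203.0.113.10;        // placeholder: address of your secondary authoritative server
};

options {
    directory "/var/cache/bind";        // placeholder path
    listen-on    { any; };
    listen-on-v6 { none; };

    recursion no;                        // authoritative only
    allow-query    { any; };             // the public must be able to ask about vtt.net
    allow-transfer { secondaries; };     // zone transfers restricted to known secondaries
};

zone "vtt.net" {
    type master;
    file "/etc/bind/db.vtt.net";         // placeholder path
    allow-transfer { secondaries; };
};
```

With this split, a customer querying a resolver for www.vtt.net gets a recursive answer, an outsider querying the same resolver gets REFUSED, and anyone querying the authoritative server gets the zone data with the AA flag set and no recursion offered. The "resolve vtt.net for anybody even if the authoritative servers fail" requirement is met by adding authoritative servers (or AnyCast, as Mark suggests), not by loading the zone onto the resolvers.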