On 30/03/2017 06:35, i.chu...@volga.ttk.ru wrote:
> Greetings to everyone!
>
> I'm an engineer at local ISP and we have to provide 2 DNS servers running 
> BIND for our clients. We have logs full of various BIND errors but are 
> unable to gain full understanding of the problem. The main problem is that 
> the BIND at 213.80.236.18 sometimes stops responding after working fine 
> for about a week. Then BIND just doesn't return any responses and we have 
> to restart it. There is a suspicion of a weak (because other services are 
> running normally) DoS attack but I don't know the right way to determine 
> if it is so or not. I would be glad if anyone would be so kind to help us to 
> solve this issue.
>
> The machines have the IPv4 addresses: 217.23.80.4 (BIND version 9.9.4) and 
> 213.80.236.18 (BIND version 9.9.5-r3) and have to resolve hostnames only 
> for ISP customers (and refuse to resolve for others) BUT we want to be 
> able to resolve our specific zones like vtt.net for anybody trying in case 
> of authoritative nameserver failures

Stopping right here: recursive lookup and authoritative services are
completely different services, and require different servers
(preferably, though you could run multiple incidents of nameservers on a
single server, but that can get ugly).

Your two recursive servers should remain as recursive servers, only
giving replies to your customer base. When you start running DNSSEC,
this becomes even more important: a recursive server running as an
authoritative server for a zone cannot give a proper DNSSEC reply when
asked about zones carried in its config.

Rather keep things simple.

I would presume that you have multiple authoritative servers for your
"vtt.net" domain. If you need more redundancy, add in more authoritative
nameservers or better still an AnyCast instance. Even any of your local
Authoritative Nameservers should ask your recursive servers when they
need to look up information that is not part of the Zones they manage.
Enough of the preaching.

                -oOo-

If you were to run IPv6, a number of errors would disappear, otherwise
force BIND not to do any IPv6. Adding IPv6 though would be preferable.  ;-)

Don't think though that any of this is causing your problem. You could
always upgrade your version of BIND. On my Gentoo laptop, I'm running
BIND 9.11.0-P3, so you are a bit behind.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

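The split that the reply above recommends, written out as BIND named.conf fragments. This is an added example and not configuration from either poster; the customer prefixes (192.0.2.0/24, 198.51.100.0/24), the secondary's address (203.0.113.2) and the file paths are constructed placeholders, and the directives used (allow-query, allow-recursion, allow-query-cache, listen-on-v6, dnssec-validation) exist in the BIND 9.9 releases named in the thread. The first fragment is the combined layout the original poster describes; the two that follow are the recursive-only and authoritative-only servers the reply argues for.

```conf
// ---- 1. Combined layout as described by the original poster (not recommended) ----
// One named instance recurses for customers AND is master for vtt.net for the
// whole Internet. Once DNSSEC validation is enabled, this instance answers
// vtt.net from its own zone data rather than validating it, so customers
// cannot get a validated reply for it, and the zone's world-facing exposure
// sits on the same process as the customers' resolver.
acl "customers" {
    192.0.2.0/24;        // placeholder: the ISP's real customer prefixes go here
    198.51.100.0/24;
    localhost;
};
options {
    directory "/var/cache/bind";          // assumed path, adjust to the distribution
    recursion yes;
    allow-recursion { customers; };
    dnssec-validation auto;
};
zone "vtt.net" {
    type master;
    file "/etc/bind/zones/db.vtt.net";    // placeholder path
    allow-query { any; };                 // must be answerable by anybody
};

// ---- 2. Recursive resolver (each of the two customer-facing servers) ----
// No zone stanzas at all: this server validates and caches, it does not serve.
acl "customers" {
    192.0.2.0/24;        // placeholder: the ISP's real customer prefixes go here
    198.51.100.0/24;
    localhost;
};
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query       { customers; };     // everyone else gets REFUSED outright
    allow-recursion   { customers; };
    allow-query-cache { customers; };     // cache contents are not readable by outsiders
    listen-on-v6      { none; };          // no IPv6 sockets until IPv6 is actually deployed,
                                          // which removes the IPv6-related log noise
    dnssec-validation auto;
};

// ---- 3. Authoritative server for vtt.net (separate named instance or host) ----
// Answers vtt.net for the whole Internet and recurses for nobody, so it can be
// reached by anybody without also being usable as an open resolver.
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query       { any; };
    allow-query-cache { none; };          // nothing cached, nothing to read back
    listen-on-v6      { none; };
};
zone "vtt.net" {
    type master;
    file "/etc/bind/zones/db.vtt.net";    // placeholder path
    allow-transfer { 203.0.113.2; };      // placeholder: the secondary's address only
};
```

After loading either of the split configurations, `named-checkconf` validates the syntax and `rndc reload` applies it; with the recursive server configured this way, a query from an address outside the "customers" ACL is answered REFUSED rather than resolved, which is the behaviour the original poster wanted and is also what keeps the resolver from being used as a reflector by third parties.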

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users