Re: bind-9.10.0-P2 memory leak?

2014-09-09 Thread Len Conrad
At 09:40 PM 9/9/2014, you wrote:
On 9/9/2014 05:05, lcon...@go2france.com wrote:
 freebsd 10.0, bind-9.10.0-p2
 
 logging the rss field for named process:
 
 
 less /var/tmp/bind_rss_history.txt
 
 This never happened with earlier BIND9, and our mx1 uses this recursive
 BIND machine for all domain/ptr  lookups
 
 I've never seen any bind take over 1GB of RAM.
 
 max-cache-size isn't the solution, only a band-aid
 
 the sawtooth above is from restarting named.
 
 named has halted twice in the past couple weeks, we suspected some kind
 of attack, the only trace we had was in syslog with something like swap
 space failed, named halted, but with a dedicated DNS box and 3 GB,
 there should never be any swapping.  I set a watcher for swap used > 1%.
 Got an alert, I saw the named rss to be 1.9GB.  restarted bind and
 wrote the rss named logging script.
 
 Len
 

This is a bit worrying for me, as I am running this version on my
master. Do you mind sharing the rss watcher/logging script?

 cat /usr/local/bin/bind_rss_history.sh 

#!/bin/sh
# Append one timestamped sample of named's resident set size (RSS, in KiB as
# ps reports it) so memory growth can be plotted between restarts.
touch /var/tmp/bind_rss_history.txt

# RSS is column 6 of `ps aux`; match the named process owned by user bind.
RSS=`ps auxw | awk '/^bind.*named/{print $6}'`

NOW=`date "+%Y-%m-%d %H:%M:%S"`

echo $NOW $RSS | awk '{printf "%10s%10s%11s\n",$1,$2,$3}' >> /var/tmp/bind_rss_history.txt

exit 0



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


named 9.10 halted

2014-08-20 Thread Len Conrad
uname -a
FreeBSD rns1..net 10.0-RELEASE 

named -v
BIND 9.10.0-P2

this is a recursive-only NS, restricted to allowing recursive queries from the 
ournetworks ACL

monitor reported port 53 not responding

I started it manually, then found this in /var/log/messages, which started about 
18:46 and ran until BIND stopped, followed by my manual start:

Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 696 to 200 packets/sec
Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 745 to 200 packets/sec
Aug 20 19:12:24 rns1 kernel: Limiting icmp unreach response from 727 to 200 packets/sec
Aug 20 19:12:25 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 765 to 200 packets/sec
Aug 20 19:12:28 rns1 kernel: Limiting icmp unreach response from 755 to 200 packets/sec
Aug 20 19:12:29 rns1 kernel: Limiting icmp unreach response from 777 to 200 packets/sec
Aug 20 19:12:30 rns1 kernel: Limiting icmp unreach response from 830 to 200 packets/sec
Aug 20 19:12:32 rns1 kernel: Limiting icmp unreach response from 719 to 200 packets/sec
Aug 20 19:12:32 rns1 kernel: Limiting icmp unreach response from 817 to 200 packets/sec
Aug 20 19:12:34 rns1 kernel: Limiting icmp unreach response from 729 to 200 packets/sec
Aug 20 19:12:34 rns1 kernel: Limiting icmp unreach response from 739 to 200 packets/sec
Aug 20 19:12:35 rns1 kernel: Limiting icmp unreach response from 737 to 200 packets/sec
Aug 20 19:12:37 rns1 kernel: Limiting icmp unreach response from 796 to 200 packets/sec
Aug 20 19:12:37 rns1 kernel: Limiting icmp unreach response from 811 to 200 packets/sec
Aug 20 19:12:38 rns1 kernel: Limiting icmp unreach response from 796 to 200 packets/sec
Aug 20 19:12:39 rns1 kernel: Limiting icmp unreach response from 874 to 200 packets/sec
Aug 20 19:12:40 rns1 kernel: Limiting icmp unreach response from 769 to 200 packets/sec
Aug 20 19:12:42 rns1 kernel: Limiting icmp unreach response from 839 to 200 packets/sec
Aug 20 19:12:42 rns1 kernel: Limiting icmp unreach response from 815 to 200 packets/sec
Aug 20 19:12:43 rns1 kernel: Limiting icmp unreach response from 749 to 200 packets/sec
Aug 20 19:12:44 rns1 kernel: Limiting icmp unreach response from 820 to 200 packets/sec

Aug 20 19:12:45 rns1 named[80366]: starting BIND 9.10.0-P2 -t /var/named -u bind -c /usr/local/etc/namedb/named.conf

This is the 2nd time in 10 days named has just halted.

Len
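The two posts above describe two separate symptoms of the same outage: named's resident set growing until the box swaps, and the kernel's "Limiting icmp unreach response" lines. The second is FreeBSD's ICMP bandwidth limiter (net.inet.icmp.icmplim, 200/s by default): it fires when the host has to send more port-unreachables per second than the limit, which on a DNS-only host means queries are still arriving on UDP/53 and nothing is listening. The following is an added example, not the poster's script and not part of BIND: it reads the three-column file written by bind_rss_history.sh and a syslog extract, and turns both symptoms into alerts. The thresholds, the RSS samples and the choice to use the first nine kernel lines from the post are assumptions made for the demonstration.

```python
"""Offline health checks for a recursive named: RSS growth from the watcher
file, and sustained ICMP port-unreachable bursts from the kernel log.

Added example (not the poster's script, not BIND code). Assumes the RSS file
has the layout written by bind_rss_history.sh with RSS in KiB as ps reports it;
thresholds and the RSS samples are constructed for the demo.
"""
import re
from datetime import datetime

RSS_LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d)\s+(\d\d:\d\d:\d\d)\s+(\d+)\s*$")
ICMPLIM_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"kernel:\s+Limiting icmp unreach response from (?P<attempted>\d+) to \d+ packets/sec$"
)

# Constructed sample of the watcher's file: one sample every six hours, steady
# growth, then the drop from a restart at 06:05 (the sawtooth edge).
SAMPLE_RSS_HISTORY = """\
2014-09-08  06:00:00     410000
2014-09-08  12:00:00     760000
2014-09-08  18:00:00    1150000
2014-09-09  00:00:00    1520000
2014-09-09  06:00:00    1900000
2014-09-09  06:05:00     180000
"""

# First nine kernel lines quoted in the "named 9.10 halted" post, plus the
# named start-up line that follows them (the parser must ignore that one).
SAMPLE_KERNEL_LOG = """\
Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 696 to 200 packets/sec
Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 745 to 200 packets/sec
Aug 20 19:12:24 rns1 kernel: Limiting icmp unreach response from 727 to 200 packets/sec
Aug 20 19:12:25 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 765 to 200 packets/sec
Aug 20 19:12:28 rns1 kernel: Limiting icmp unreach response from 755 to 200 packets/sec
Aug 20 19:12:29 rns1 kernel: Limiting icmp unreach response from 777 to 200 packets/sec
Aug 20 19:12:30 rns1 kernel: Limiting icmp unreach response from 830 to 200 packets/sec
Aug 20 19:12:45 rns1 named[80366]: starting BIND 9.10.0-P2 -t /var/named -u bind -c /usr/local/etc/namedb/named.conf
"""


def parse_rss_history(text):
    """Return [(datetime, rss_kib)] in file order, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = RSS_LINE.match(line)
        if m:
            out.append((datetime.strptime(m[1] + " " + m[2], "%Y-%m-%d %H:%M:%S"), int(m[3])))
    return out


def rss_alerts(samples, limit_kib, growth_kib_per_hour):
    """("rss_over_limit", ts, rss) for samples at/above the ceiling and
    ("rss_growth", ts, kib_per_hour) for intervals growing faster than the
    threshold; a drop between samples is a restart, never growth."""
    alerts = [("rss_over_limit", ts, rss) for ts, rss in samples if rss >= limit_kib]
    for (t0, r0), (t1, r1) in zip(samples, samples[1:]):
        hours = (t1 - t0).total_seconds() / 3600.0
        if hours > 0 and r1 > r0 and (r1 - r0) / hours > growth_kib_per_hour:
            alerts.append(("rss_growth", t1, int((r1 - r0) / hours)))
    return alerts


def parse_icmplim(lines, year):
    """[(datetime, attempted_pps)] per icmplim line; syslog omits the year."""
    out = []
    for line in lines:
        m = ICMPLIM_LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m["attempted"])))
    return out


def unreachable_burst(events, min_seconds, min_events, max_gap_seconds=5):
    """Longest run of icmplim lines with no gap above max_gap_seconds, as
    (start, end, peak_pps), or None if it is shorter than min_seconds or has
    fewer than min_events lines. One line is background noise (a scan, a stray
    burst); a sustained run on a DNS host means named is not listening."""
    best, run = [], []
    for ev in sorted(events):
        if run and (ev[0] - run[-1][0]).total_seconds() > max_gap_seconds:
            best, run = (run if len(run) > len(best) else best), []
        run.append(ev)
    best = run if len(run) > len(best) else best
    if not best or (best[-1][0] - best[0][0]).total_seconds() < min_seconds or len(best) < min_events:
        return None
    return best[0][0], best[-1][0], max(pps for _, pps in best)


def run_checks(rss_text=SAMPLE_RSS_HISTORY, kernel_text=SAMPLE_KERNEL_LOG, year=2014):
    """Both checks in one call, returning a dict an alerting hook can act on."""
    return {
        "rss": rss_alerts(parse_rss_history(rss_text), 1_800_000, 50_000),
        "burst": unreachable_burst(parse_icmplim(kernel_text.splitlines(), year), 5, 5),
    }


if __name__ == "__main__":
    print(run_checks())
```

The growth check is what distinguishes a leak from a big cache: a cache fills and flattens under max-cache-size, a leak keeps climbing between restarts. The ICMP check is worth wiring to the same pager as the port-53 monitor, because on a host with icmplim at 200 the log line appears within a second of named dying, before an external poll notices.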


forward only not

2010-09-29 Thread Len Conrad
FreeBSD 7.2-RELEASE

BIND 9.6.0-P1

resolv.conf: 
nameserver 127.0.0.1


machine is postfix MX relay-only gateway

on separate machines, zen.dnsbld.domain.net on IPs 10.1.60.1 and 10.1.60.2, 
rbldnsd is running a local copy of zen.spamhaus

nmap shows 10.1.60.1 and 10.1.60.2 with port 53 UDP open.

dig @10.1.60.1 (or .2) d.c.b.a.zen.dnsbld.domain.net works.

named.conf:

zone zen.dnsbld.domain.net { type forward; forwarders { 10.1.60.1; 10.1.60.2; }; forward only; };

and no other forwarding statements.

named query logging shows client 127.0.0.1 (postfix/postscreen) sending queries 
to 127.0.0.1

tshark capture shows the BIND machine sending queries to the NSs authoritative 
for domain.net, rather than forwarding to the above forwarders.

The above situation on 3 different MXs.  The weirdest is that when we fired up 
private zen and forwarding on the 3 MXs, they all worked immediately, 
perfectly, for about 24 hours, millions of queries, then within a few minutes, 
they all stopped working with the zen servers, and haven't worked since.  
stop/start postfix and named has no effect.

What is overriding the zone forwarding?

Len


Re: forward only not

2010-09-29 Thread Len Conrad

fixed, was typo in the forward zone name. The typo was inconsequential and 
worked for one day, until someone removed the NS delegation records for the zen 
zone from the domain.net auth servers.

Len
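The failure mode in this thread is worth a check rather than a memory: BIND forwards a query only when the name falls under a configured forward zone, so a misspelled zone name does not produce an error, it silently turns "forward only" into ordinary recursion, which keeps working for as long as the public delegation exists. The following is an added example, not from the post and not BIND code. It parses only the one-line `zone NAME { type forward; forwarders { ... }; forward only; };` form used in the post (quoted or unquoted name) and reports which of the names the MTA will ask for would not be forwarded. The named.conf texts, the query names and the misspelled zone name are constructed; the post does not give the actual typo.

```python
"""Audit which query names a named.conf forward zone actually covers.

Added example (not from the bind-users post, not BIND code). Handles only the
one-line forward-zone form the post uses; configs, query names and the
misspelling below are constructed for the demonstration.
"""
import re

FORWARD_ZONE = re.compile(
    r'zone\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*type\s+forward\s*;'
    r'\s*forwarders\s*\{(?P<fwd>[^}]*)\}\s*;'
    r'(?:\s*forward\s+(?P<mode>only|first)\s*;)?\s*\}\s*;',
    re.IGNORECASE,
)

# Constructed: the configuration as intended.
GOOD_CONF = """
options { directory "/etc/namedb"; };
zone "zen.dnsbld.domain.net" { type forward; forwarders { 10.1.60.1 ; 10.1.60.2 ; }; forward only; };
"""

# Constructed: the same file with an assumed transposition in the zone name.
TYPO_CONF = GOOD_CONF.replace("zen.dnsbld.domain.net", "zen.dnsbdl.domain.net")

# Names the MTA will ask for: 127.0.0.2 is the conventional DNSBL test entry,
# reversed under the zone; the second is the name the post tested with dig.
EXPECTED_QUERIES = [
    "2.0.0.127.zen.dnsbld.domain.net",
    "d.c.b.a.zen.dnsbld.domain.net",
]


def parse_forward_zones(conf):
    """Map zone name (lower-case, no trailing dot) -> {"forwarders", "mode"}.
    BIND's default for a forward zone that lists forwarders is "forward first"."""
    zones = {}
    for m in FORWARD_ZONE.finditer(conf):
        forwarders = [f.strip() for f in m["fwd"].split(";") if f.strip()]
        zones[m["name"].rstrip(".").lower()] = {
            "forwarders": forwarders,
            "mode": (m["mode"] or "first").lower(),
        }
    return zones


def _labels(name):
    return name.rstrip(".").lower().split(".")


def in_zone(qname, zone):
    """True if qname equals zone or lies below it, compared label by label
    (a plain string-suffix test would wrongly match "xzen.dnsbld.domain.net")."""
    q, z = _labels(qname), _labels(zone)
    return len(q) >= len(z) and q[-len(z):] == z


def forward_target(qname, zones):
    """The most specific forward zone covering qname, or None. BIND applies the
    closest enclosing forward zone; names under no forward zone are resolved
    by ordinary recursion from the root hints."""
    best = None
    for zone in zones:
        if in_zone(qname, zone) and (best is None or len(_labels(zone)) > len(_labels(best))):
            best = zone
    return None if best is None else (best, zones[best])


def unforwarded(conf, qnames):
    """Names in qnames that this configuration would NOT forward."""
    zones = parse_forward_zones(conf)
    return [q for q in qnames if forward_target(q, zones) is None]


def not_forward_only(conf):
    """Forward zones that fall back to recursion when the forwarders fail
    ("forward first"); for a private DNSBL copy that sends the IPs being
    checked to the public nameservers for the parent domain."""
    return [z for z, e in parse_forward_zones(conf).items() if e["mode"] != "only"]


if __name__ == "__main__":
    print("good conf, unforwarded:", unforwarded(GOOD_CONF, EXPECTED_QUERIES))
    print("typo conf, unforwarded:", unforwarded(TYPO_CONF, EXPECTED_QUERIES))
```

Run it against the live named.conf with the names your MTA's reject_rbl_client or postscreen settings generate; an empty list from unforwarded() and from not_forward_only() is the state to keep. The label-wise comparison matters: a suffix match would accept a zone name that is merely a string suffix of the query, which is exactly the kind of near-miss a typo produces.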


caching of server fail BIND9

2010-08-24 Thread Len Conrad

We just had a problem where a BIND9 running on our postfix MX 
451-rejected-as-unknown-domain all msgs from @sender.domain for 9 days. 

rndc flush allowed the domain to be resolved immediately and its messages 
accepted.

When BIND reports server fail, rather than a negative answer with a neg-TTL, how 
long is SERVFAIL cached in BIND9?   RFC2308 says no longer than 5 minutes.

We do not know whether unknown domain's NS was really SERVFAIL for 9 days.

Len


blackhole'd IP receiving referral?

2009-12-18 Thread Len Conrad
bind 9.6.1-P1

named-checkconf /etc/namedb/named.conf
... ok

(in global options)

options {
allow-recursion {  mynets; };
blackhole   { !mynets; };
};

dig'ging from a !mynets IP receives a referral, rather than a time-out/silence.

dig'ging from a mynets IP receives an answer.

Len
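The behaviour in this post follows directly from how BIND evaluates an address match list (ARM, "Address Match Lists"): elements are tried in order, the first element containing the address decides, a negated element yields a negative match, and an address contained in no element yields no match. In an access-control context only a positive match grants the action: for allow-recursion "grant" means recurse, for blackhole it means drop, and both a negative match and no match mean "not granted". So `blackhole { !mynets; };` blackholes nobody: inside addresses hit the negated element, outside addresses hit nothing. The evaluator below is an added example, not BIND's code; the address ranges and ACL contents are constructed from documentation prefixes.

```python
"""BIND address-match-list semantics, reimplemented to show why
`blackhole { !mynets; };` never drops anything and what the fix looks like.

Added example, not BIND's code. Supports "any", "none", IP prefixes, and
references to named acls; the ACLs and addresses below are constructed.
"""
import ipaddress


def parse_list(text):
    """Turn `{ !mynets; 192.0.2.0/24; any; }` into [(negated, element)], where
    element is "any", "none", an ip_network, or the name of a named acl."""
    elems = []
    for raw in text.strip().strip("{}").split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        tok = tok.lstrip("!").strip()
        if tok in ("any", "none"):
            elems.append((negated, tok))
        else:
            try:
                elems.append((negated, ipaddress.ip_network(tok, strict=False)))
            except ValueError:
                elems.append((negated, tok))  # reference to an acl defined elsewhere
    return elems


def acl_match(addr, acl, named_acls):
    """Return 1 for a positive match, -1 for a negative match, 0 for no match.
    First element containing the address decides; an undefined acl name
    raises KeyError, as named would refuse the configuration."""
    ip = ipaddress.ip_address(addr)
    for negated, elem in acl:
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif isinstance(elem, str):
            # Nested list: only a positive inner match counts; an inner negative
            # match or no match means this element does not match (BIND treats
            # negative matches in indirect ACLs as "no match").
            hit = acl_match(addr, named_acls[elem], named_acls) > 0
        else:
            hit = ip in elem  # False when address family differs
        if hit:
            return -1 if negated else 1
    return 0


def classify(addr, blackhole, allow_recursion, named_acls):
    """What a recursive-only server does with a query from addr."""
    if acl_match(addr, blackhole, named_acls) > 0:
        return "dropped"
    if acl_match(addr, allow_recursion, named_acls) > 0:
        return "recursion"
    # Neither dropped nor recursed: the poster's 9.6 sends an upward referral,
    # later versions answer REFUSED. Either way the client learns we exist.
    return "no recursion"


NAMED_ACLS = {"mynets": parse_list("{ 192.0.2.0/24; 2001:db8::/32; }")}
POSTED_BLACKHOLE = parse_list("{ !mynets; }")       # as in the post: matches no one
FIXED_BLACKHOLE = parse_list("{ !mynets; any; }")   # exempt mynets, then drop the rest
ALLOW_RECURSION = parse_list("{ mynets; }")


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(src,
              "posted:", classify(src, POSTED_BLACKHOLE, ALLOW_RECURSION, NAMED_ACLS),
              "fixed:", classify(src, FIXED_BLACKHOLE, ALLOW_RECURSION, NAMED_ACLS))
```

Order is the other trap: `{ any; !mynets; }` drops everyone including mynets, because `any` matches first. Note also that blackhole affects responses as well as queries (named ignores packets from blackholed addresses in both directions), and that it is no substitute for a packet filter on a host that should not be reachable from outside at all.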


FWD: 9.6.1-P1 zone parser false errors

2009-11-03 Thread Len Conrad

I may have missed other responses.

Anybody have any idea of what's going on below?

thanks
Len


9.6.1-P1 zone parser false errors

2009-10-30 Thread Len Conrad
uname -a

Linux ns1.abcxyz.net 2.4.20-31.9smp #1 SMP Tue Apr 13 17:40:10 EDT 2004 i686 i686 i386 GNU/Linux

old BIND:

/usr/sbin/named-checkzone -v  

9.2.1

/usr/sbin/named-checkzone abcxyz.com /var/named/db.abcxyz.com

zone abcxyz.com/IN: loaded serial 2009102902

OK

==

current BIND:

/usr/local/sbin/named-checkzone -v

9.6.1-P1

/usr/local/sbin/named-checkzone abcxyz.com /var/named/db.abcxyz.com

zone abcxyz.com/IN: abcxyz.com/MX 'aspmx.l.google.com' (out of zone) is a CNAME 'mail-yx0-f102.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'alt1.aspmx.l.google.com' (out of zone) is a CNAME 'mail-bw0-f39.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'alt2.aspmx.l.google.com' (out of zone) is a CNAME 'fk-in-f114.1e100.net' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx2.googlemail.com' (out of zone) is a CNAME 'mu-in-f27.1e100.net' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx3.googlemail.com' (out of zone) is a CNAME 'mail-pz0-f6.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx4.googlemail.com' (out of zone) is a CNAME 'mail-ew0-f7.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx5.googlemail.com' (out of zone) is a CNAME 'mail-yx0-f8.google.com' (illegal)
zone abcxyz.com/IN: loaded serial 2009102902

All the google domain names are canonical, not CNAMEs.

no views, /etc/hosts is fine, no NIS in use.  

Old Linux is broken?

thanks
Len


maverick named logging

2009-01-23 Thread Len Conrad

Redhat release 9

BIND 9.5.0-P2, compiled from source

named.conf has it 

/*
logging
*/ 

... commented out.

rndc status
version: 9.5.0-P2
number of zones: 81
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 8/0/1000
tcp clients: 0/100
server is up and running

named is still clogging up /var/log/messages with lines like:

Jan 23 09:03:31 www named[4274]: client 208.14.218.12#54918: query

Jan 23 09:03:28 www named[4274]: unexpected RCODE (REFUSED)

Jan 23 09:05:38 www named[4274]: too many timeouts resolving 

Jan 23 09:05:39 www named[4274]: lame server resolving 

Jan 23 09:06:09 www named[4274]: FORMERR resolving

Where and what is telling named to log to syslog?

Thanks,
Len
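Nothing in named.conf has to tell named to use syslog: when the file has no logging statement (a commented-out one counts as none), named applies its built-in default, which the BIND ARM gives as the first block below. The default_syslog channel it uses is `syslog daemon; severity info;`, which is why the resolver chatter lands in /var/log/messages. The second block is an added replacement, not from the post and not ISC's; the file paths, rotation sizes and category routing are assumptions. It keeps a complete record but takes it out of syslog, and files the noisy resolver categories rather than discarding them.

```conf
# 1. Built-in default, used when named.conf has no logging statement
#    (from the BIND ARM; the predefined channels are shown for reference):
#
#    logging {
#        category default   { default_syslog; default_debug; };
#        category unmatched { null; };
#    };
#    channel default_syslog { syslog daemon; severity info; };
#    channel default_debug  { file "named.run"; severity dynamic; };
#    channel null           { null; };

# 2. Assumed replacement. Paths must be writable by the user named runs as
#    (and live inside the chroot when named is started with -t).
logging {
    channel named_log {
        file "/var/log/named/named.log" versions 5 size 20m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };
    channel resolver_log {
        file "/var/log/named/resolver.log" versions 3 size 20m;
        severity info;
        print-time yes; print-category yes;
    };
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 50m;
        severity info;
        print-time yes;
    };
    category default      { named_log; };
    category security     { named_log; };     # approval and denial of requests (ACL hits)
    category lame-servers { resolver_log; };  # "lame server resolving ..."
    category resolver     { resolver_log; };  # upstream resolution trouble
    category queries      { query_log; };     # only populated once query logging is on
    category unmatched    { null; };
};
```

Which category a given message belongs to has moved between 9.x releases, so run with print-category yes first and move categories once the log shows where each line lands. The usual advice is `category lame-servers { null; };`; that is convenient but throws away the one log that shows upstream servers misbehaving during a poisoning attempt or an outage like the halts described earlier on this page, so file it with rotation instead. Remember `rndc reconfig` after editing, and that `rndc querylog` only toggles the queries category, which is why "query logging is OFF" in rndc status says nothing about the other lines.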