Re: bind-9.10.0-P2 memory leak?
At 09:40 PM 9/9/2014, you wrote:
>On 9/9/2014 05:05, lcon...@go2france.com wrote:
>> freebsd 10.0, bind-9.10.0-p2
>>
>> logging the rss field for named process:
>>
>> less /var/tmp/bind_rss_history.txt
>>
>> This never happened with earlier BIND9, and our mx1 uses this recursive
>> BIND machine for all domain/ptr lookups
>>
>> I've never seen any bind take over 1GB of RAM.
>>
>> max-cache-size isn't the solution, only a band-aid
>>
>> the sawtooth above is from restarting named.
>>
>> named has halted twice in the past couple weeks, we suspected some kind
>> of attack, the only trace we had was in syslog with something like "swap
>> space failed, named halted", but with a dedicated DNS box and 3 GB,
>> there should never be any swapping. I set a watcher for "swap used >
>> 1%". Got an alert, I saw the named rss to be 1.9GB. restarted bind and
>> wrote the rss named logging script.
>>
>> Len
>>
>
>This is a bit worrying for me, as I am running this version on my
>master. Do you mind sharing the rss watcher/logging script?

cat /usr/local/bin/bind_rss_history.sh

#!/bin/sh
# Append one "date time rss" line per run (cron it); RSS is in KB, column 6 of ps aux.
touch /var/tmp/bind_rss_history.txt
RSS=`ps auxw | awk '/^bind.*named/{print $6}'`
NOW=`date "+%Y-%m-%d %H:%M:%S"`
echo "$NOW $RSS" | awk '{printf "%10s%10s%11s\n",$1,$2,$3}' >> /var/tmp/bind_rss_history.txt
exit 0

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
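The script above only records RSS; deciding from that file whether named is leaking (steady growth between the restart edges of the sawtooth) is the part a monitor has to do. The following is an added example written for this archive page, not code from the post or from ISC: it parses the "%10s%10s%11s" lines the script writes (the sample history below is constructed), splits the samples into runs at each RSS drop (a restart), and flags a run whose peak exceeds a limit or whose average growth rate is too high. The 1 GiB limit and the 50000 KB/hour growth threshold are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample in the script's "%10s%10s%11s" layout: date, time, RSS in KB.
# The drop at 06:05 on 09-02 is a restart (the sawtooth edge from the post).
SAMPLE_HISTORY = """\
2014-09-01  00:00:00     210000
2014-09-01  06:00:00     480000
2014-09-01  12:00:00     760000
2014-09-01  18:00:00    1050000
2014-09-02  00:00:00    1320000
2014-09-02  06:00:00    1900000
2014-09-02  06:05:00      60000
2014-09-02  12:00:00     320000
"""


def parse_history(text):
    """Return [(timestamp, rss_kb), ...], skipping lines that do not have 3 fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            rss = int(parts[2])
        except ValueError:
            continue  # malformed line (e.g. ps returned nothing while named was down)
        rows.append((ts, rss))
    return rows


def split_on_restart(rows):
    """Split samples into runs; any decrease in RSS is treated as a restart boundary."""
    runs, current = [], []
    for ts, rss in rows:
        if current and rss < current[-1][1]:
            runs.append(current)
            current = []
        current.append((ts, rss))
    if current:
        runs.append(current)
    return runs


def growth_kb_per_hour(run):
    """Average RSS growth over one run in KB/hour (0.0 for a single sample)."""
    if len(run) < 2:
        return 0.0
    (t0, r0), (t1, r1) = run[0], run[-1]
    hours = (t1 - t0).total_seconds() / 3600.0
    return (r1 - r0) / hours if hours > 0 else 0.0


def leak_report(text, limit_kb=1024 * 1024, max_growth_kb_per_hour=50000):
    """One summary dict per run; 'alert' is set when the peak or the growth rate is too high."""
    report = []
    for run in split_on_restart(parse_history(text)):
        peak = max(rss for _, rss in run)
        rate = growth_kb_per_hour(run)
        report.append({
            "start": run[0][0],
            "samples": len(run),
            "peak_kb": peak,
            "growth_kb_per_hour": rate,
            "alert": peak > limit_kb or rate > max_growth_kb_per_hour,
        })
    return report


if __name__ == "__main__":
    for entry in leak_report(SAMPLE_HISTORY):
        print(entry)
```

Point the function at the real file with `leak_report(open("/var/tmp/bind_rss_history.txt").read())`; the growth-rate check is what catches a leak before the box starts swapping, while the peak check only fires once it already has.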
named 9.10 halted
uname -a
FreeBSD rns1..net 10.0-RELEASE

named -v
BIND 9.10.0-P2

this is a recursive-only NS restricted allowing recursive queries from "ournetworks" ACL

monitor reported port 53 not responding

I started it manually, then found this in /var/log/messages, which started about 18:46 and ran until BIND stopped, followed by my manual start:

Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 696 to 200 packets/sec
Aug 20 19:12:23 rns1 kernel: Limiting icmp unreach response from 745 to 200 packets/sec
Aug 20 19:12:24 rns1 kernel: Limiting icmp unreach response from 727 to 200 packets/sec
Aug 20 19:12:25 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 773 to 200 packets/sec
Aug 20 19:12:27 rns1 kernel: Limiting icmp unreach response from 765 to 200 packets/sec
Aug 20 19:12:28 rns1 kernel: Limiting icmp unreach response from 755 to 200 packets/sec
Aug 20 19:12:29 rns1 kernel: Limiting icmp unreach response from 777 to 200 packets/sec
Aug 20 19:12:30 rns1 kernel: Limiting icmp unreach response from 830 to 200 packets/sec
Aug 20 19:12:32 rns1 kernel: Limiting icmp unreach response from 719 to 200 packets/sec
Aug 20 19:12:32 rns1 kernel: Limiting icmp unreach response from 817 to 200 packets/sec
Aug 20 19:12:34 rns1 kernel: Limiting icmp unreach response from 729 to 200 packets/sec
Aug 20 19:12:34 rns1 kernel: Limiting icmp unreach response from 739 to 200 packets/sec
Aug 20 19:12:35 rns1 kernel: Limiting icmp unreach response from 737 to 200 packets/sec
Aug 20 19:12:37 rns1 kernel: Limiting icmp unreach response from 796 to 200 packets/sec
Aug 20 19:12:37 rns1 kernel: Limiting icmp unreach response from 811 to 200 packets/sec
Aug 20 19:12:38 rns1 kernel: Limiting icmp unreach response from 796 to 200 packets/sec
Aug 20 19:12:39 rns1 kernel: Limiting icmp unreach response from 874 to 200 packets/sec
Aug 20 19:12:40 rns1 kernel: Limiting icmp unreach response from 769 to 200 packets/sec
Aug 20 19:12:42 rns1 kernel: Limiting icmp unreach response from 839 to 200 packets/sec
Aug 20 19:12:42 rns1 kernel: Limiting icmp unreach response from 815 to 200 packets/sec
Aug 20 19:12:43 rns1 kernel: Limiting icmp unreach response from 749 to 200 packets/sec
Aug 20 19:12:44 rns1 kernel: Limiting icmp unreach response from 820 to 200 packets/sec
Aug 20 19:12:45 rns1 named[80366]: starting BIND 9.10.0-P2 -t /var/named -u bind -c /usr/local/etc/namedb/named.conf

This is the 2nd time in 10 days named has just halted.

Len
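The kernel lines above come from FreeBSD's rate limiter on outbound ICMP unreachables, which the kernel sends when packets arrive at a port with no listener; on a resolver, a sustained burst of them is therefore a strong sign that nothing is bound to port 53 any more, and correlating the burst with the next "starting BIND" line is a useful check to automate. The block below is an added example for this page, not code from the post or from ISC: it parses constructed /var/log/messages lines in the same format, buckets the rate-limit hits per minute, and reports, for each named start, how many hits preceded it and the peak rate the kernel saw. The two-hit threshold is an assumption for illustration.

```python
import re

# Constructed sample in the format of the post's /var/log/messages lines.
SAMPLE_LOG = """\
Aug 20 18:46:01 rns1 kernel: Limiting icmp unreach response from 310 to 200 packets/sec
Aug 20 18:46:02 rns1 kernel: Limiting icmp unreach response from 402 to 200 packets/sec
Aug 20 19:12:43 rns1 kernel: Limiting icmp unreach response from 749 to 200 packets/sec
Aug 20 19:12:44 rns1 kernel: Limiting icmp unreach response from 820 to 200 packets/sec
Aug 20 19:12:45 rns1 named[80366]: starting BIND 9.10.0-P2 -t /var/named -u bind -c /usr/local/etc/namedb/named.conf
Aug 20 19:13:10 rns1 sshd[123]: Accepted publickey for admin from 10.0.0.5
"""

SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
LIMIT_RE = re.compile(
    SYSLOG_TS + r" \S+ kernel: Limiting icmp unreach response from "
    r"(?P<seen>\d+) to (?P<cap>\d+) packets/sec$"
)
START_RE = re.compile(SYSLOG_TS + r" \S+ named\[\d+\]: starting BIND (?P<ver>\S+)")


def parse_events(text):
    """Keep only the two event kinds we care about, in log order.

    Each event is (kind, timestamp, a, b):
      ("icmp_limit", ts, observed_pps, cap_pps) or ("named_start", ts, version, None).
    """
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            events.append(("icmp_limit", m["ts"], int(m["seen"]), int(m["cap"])))
            continue
        m = START_RE.match(line)
        if m:
            events.append(("named_start", m["ts"], m["ver"], None))
    return events


def icmp_limit_per_minute(events):
    """Bucket rate-limit hits by minute: {'Aug 20 19:12': {'hits': n, 'peak_pps': p}}."""
    per_minute = {}
    for kind, ts, seen, _cap in events:
        if kind != "icmp_limit":
            continue
        bucket = per_minute.setdefault(ts[:-3], {"hits": 0, "peak_pps": 0})
        bucket["hits"] += 1
        bucket["peak_pps"] = max(bucket["peak_pps"], seen)
    return per_minute


def starts_after_storm(events, min_hits=2):
    """For every named start, summarise the rate-limit hits logged since the previous start."""
    findings, hits, peak, first = [], 0, 0, None
    for kind, ts, a, _b in events:
        if kind == "icmp_limit":
            hits += 1
            peak = max(peak, a)
            first = first or ts
        elif kind == "named_start":
            findings.append({
                "started_at": ts, "version": a, "limit_hits": hits,
                "peak_pps": peak, "first_hit": first, "storm": hits >= min_hits,
            })
            hits, peak, first = 0, 0, None
    return findings


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(icmp_limit_per_minute(ev))
    for f in starts_after_storm(ev):
        print(f)
```

Feeding the real file through `parse_events(open("/var/log/messages").read())` gives the time of the first hit, which is the earliest point at which the listener was already gone, a better incident start time than the monitor's alert.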
Re: forward only not
-- Original Message --
From: "Len Conrad"
Reply-To: lcon...@go2france.com
Date: Wed, 29 Sep 2010 15:58:13 +0200

>FreeBSD 7.2-RELEASE
>
>BIND 9.6.0-P1
>
>resolv.conf:
>nameserver 127.0.0.1
>
>machine is postfix MX relay-only gateway
>
>on separate machines, zen.dnsbld.domain.net on IPs 10.1.60.1 & 10.1.60.2,
>rbldnsd is running a local copy of zen.spamhaus
>
>nmap shows 10.1.60.1 and 10.1.60.2 with port 53 UDP open.
>
>dig @10.1.60.1 or .2 d.c.b.a.zen.dnsbld.domain.net works.
>
>named.conf:
>
>zone "zen.dnsbld.domain.net" { type forward; forwarders { 10.1.60.1 ; 10.1.60.2 ; }; forward only; };
>
>and no other forwarding statements.
>
>named query logging shows client 127.0.0.1 (postfix/postscreen) sending
>queries to 127.0.0.1
>
>tshark capture shows the BIND machine sending queries to the NSs authoritative
>for domain.net, rather than forwarding to the above forwarders.
>
>The above situation on 3 different MXs. The weirdest is that when we fired up
>private zen and forwarding on the 3 MXs, they all worked immediately,
>perfectly, for about 24 hours, millions of queries, then within a few minutes,
>they all stopped working with the zen servers, and haven't worked since.
>stop/start postfix and named has no effect.
>
>What is overriding the zone forwarding?
>

fixed, was a typo in the forward zone name. The typo was inconsequential and worked for one day, until someone removed the NS delegation records for the zen zone from the domain.net auth servers.

Len
forward only not
FreeBSD 7.2-RELEASE

BIND 9.6.0-P1

resolv.conf:
nameserver 127.0.0.1

machine is postfix MX relay-only gateway

on separate machines, zen.dnsbld.domain.net on IPs 10.1.60.1 & 10.1.60.2,
rbldnsd is running a local copy of zen.spamhaus

nmap shows 10.1.60.1 and 10.1.60.2 with port 53 UDP open.

dig @10.1.60.1 or .2 d.c.b.a.zen.dnsbld.domain.net works.

named.conf:

zone "zen.dnsbld.domain.net" { type forward; forwarders { 10.1.60.1 ; 10.1.60.2 ; }; forward only; };

and no other forwarding statements.

named query logging shows client 127.0.0.1 (postfix/postscreen) sending
queries to 127.0.0.1

tshark capture shows the BIND machine sending queries to the NSs authoritative
for domain.net, rather than forwarding to the above forwarders.

The above situation on 3 different MXs. The weirdest is that when we fired up
private zen and forwarding on the 3 MXs, they all worked immediately,
perfectly, for about 24 hours, millions of queries, then within a few minutes,
they all stopped working with the zen servers, and haven't worked since.
stop/start postfix and named has no effect.

What is overriding the zone forwarding?

Len
caching of "server fail" BIND9
We just had a problem where a BIND9 running on our postfix MX 451-rejected-as-unknown-domain all msgs from @sender.domain for 9 days.

"rndc flush" allowed the domain to be resolved immediately and its messages accepted.

When the BIND reports "server fail", rather than a negative answer with neg-TTL, how long is SRV FAIL cached in BIND9? RFC2308 says "no longer than 5 minutes".

We do not know whether the unknown domain's NS was really SRV FAIL for 9 days.

Len
blackhole'd IP receiving referral?
bind 9.6.1-P1

named-checkconf /etc/namedb/named.conf ... ok

(in global options)

options {
    allow-recursion { mynets; };
    blackhole { !mynets; };
};

dig'ging from a !mynets IP receives a referral to rather than time-out/silence.

dig'ging from a mynets IP receives an answer.

Len
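The behaviour described in this post follows from how BIND evaluates an address match list: elements are tried in order, the first element that covers the address decides, a negated element can only produce a "no" for addresses it covers (other addresses fall through to the next element), and an address that no element covers is not matched at all. A list consisting solely of `!mynets` therefore matches nobody, so `blackhole { !mynets; };` drops nothing, and an outside client falls through to the non-recursive path and gets a referral. The block below is an added example written for this page, not code from the post or from ISC: a small evaluator of those semantics, run over a constructed `mynets` ACL, comparing the list as posted with `{ !mynets; any; }`, which is the form that matches everything outside mynets. Only named ACLs, `!`, and address/prefix elements are modelled; `localhost`, `localnets` and TSIG key elements are not.

```python
import ipaddress

# Constructed stand-in for the poster's "mynets" ACL (RFC 1918 and TEST-NET ranges).
ACLS = {
    "mynets": ["10.0.0.0/8", "192.0.2.0/24"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

ALLOW_RECURSION = ["mynets"]
WEAK_BLACKHOLE = ["!mynets"]          # as in the post: a negation alone matches nothing
FIXED_BLACKHOLE = ["!mynets", "any"]  # exempt mynets, then match everyone else


def _match_element(addr, element):
    """True = positive match, False = negated match, None = element does not apply."""
    if element.startswith("!"):
        inner = _match_element(addr, element[1:])
        return None if inner is None else (not inner)  # '!' flips the sign of a match
    if element in ACLS:
        return _match_list(addr, ACLS[element])  # nested ACL: its result, sign included
    net = ipaddress.ip_network(element, strict=False)
    if addr.version != net.version:
        return None
    return True if addr in net else None


def _match_list(addr, elements):
    """First element that applies decides; None if nothing in the list covers addr."""
    for element in elements:
        result = _match_element(addr, element)
        if result is not None:
            return result
    return None


def acl_matches(client, elements):
    """BIND access-control reading of a list: only a positive first match counts.

    For allow-* lists a match means permitted; for blackhole a match means dropped.
    """
    return _match_list(ipaddress.ip_address(client), elements) is True


def classify(client, blackhole):
    """What a query from `client` gets under the post's options with the given blackhole list."""
    if acl_matches(client, blackhole):
        return "dropped"
    if acl_matches(client, ALLOW_RECURSION):
        return "recursive answer"
    return "non-recursive (referral)"


if __name__ == "__main__":
    for client in ("10.1.2.3", "203.0.113.7"):
        print(client, "weak:", classify(client, WEAK_BLACKHOLE),
              "| fixed:", classify(client, FIXED_BLACKHOLE))
```

The same evaluator can be pointed at any `allow-query`, `allow-recursion` or `blackhole` list copied out of named.conf to confirm what each client range actually gets before reloading.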
Re: 9.6.1-P1 zone parser false errors
-- Original Message --
From: Tony Finch
Date: Wed, 4 Nov 2009 13:52:10 +

>On Mon, 2 Nov 2009, Mark Andrews wrote:
>>
>> getaddrinfo() is reporting that aspmx.l.google.com's canonical
>> name is mail-yx0-f102.google.com. Somewhere in the resolution path
>> aspmx.l.google.com is being treated as an alias for
>> mail-yx0-f102.google.com. In the DNS this is done using a CNAME.
>
>That's the kind of name you get if you do a reverse lookup on an IP
>address returned by a lookup of aspmx.l.google.com, e.g.
>
> $ dig +short -x $(dig +short aspmx.l.google.com)
> mail-ew0-f49.google.com.
>
>I'm not sure why getaddrinfo() would be doing a reverse lookup to
>canonicalize a name. My test machines (Solaris, FreeBSD, Linux) don't.

ok, the google hits I saw for that error msg also referred to getaddrinfo(), so I guess it's specific to that machine or its setup, but it's redhat enterprise, nothing special or out of date.

I'm moving DNS to vmware/freebsd anyway.

thanks,
Len
FWD: 9.6.1-P1 zone parser false errors
I may have missed other responses. Anybody have any idea of what's going on below?

thanks
Len

uname -a
Linux ns1.abcxyz.net 2.4.20-31.9smp #1 SMP Tue Apr 13 17:40:10 EDT 2004 i686 i686 i386 GNU/Linux

old BIND:

/usr/sbin/named-checkzone -v
9.2.1

/usr/sbin/named-checkzone abcxyz.com /var/named/db.abcxyz.com
zone abcxyz.com/IN: loaded serial 2009102902
OK

==

current BIND:

/usr/local/sbin/named-checkzone -v
9.6.1-P1

/usr/local/sbin/named-checkzone abcxyz.com /var/named/db.abcxyz.com
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx.l.google.com' (out of zone) is a CNAME 'mail-yx0-f102.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'alt1.aspmx.l.google.com' (out of zone) is a CNAME 'mail-bw0-f39.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'alt2.aspmx.l.google.com' (out of zone) is a CNAME 'fk-in-f114.1e100.net' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx2.googlemail.com' (out of zone) is a CNAME 'mu-in-f27.1e100.net' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx3.googlemail.com' (out of zone) is a CNAME 'mail-pz0-f6.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx4.googlemail.com' (out of zone) is a CNAME 'mail-ew0-f7.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx5.googlemail.com' (out of zone) is a CNAME 'mail-yx0-f8.google.com' (illegal)
zone abcxyz.com/IN: loaded serial 2009102902

All the google domain names are canonical, not CNAMEs.

no views, /etc/hosts is fine, no NIS in use.

Old Linux is broken?

thanks
Len
Re: 9.6.1-P1 zone parser false errors
-- Original Message --
From: Chris Buxton
Date: Fri, 30 Oct 2009 14:13:31 -0700

>I'm unable to reproduce this error.
>__
>
>$ named-checkzone -v
>9.6.1-P1
>
>$ named-checkzone abcxyz.com abcxyz.com-hosts
>zone abcxyz.com/IN: loaded serial 2009103001
>OK
>
>$ cat abcxyz.com-hosts
>$TTL 1D
>@ SOA localhost. hostmaster 2009103001 8H 2H 1W 2H
> NS localhost.
> MX 10 aspmx.l.google.com.
> MX 10 alt1.aspmx.l.google.com.
> MX 10 alt2.aspmx.l.google.com.
> MX 10 aspmx2.googlemail.com.
> MX 10 aspmx3.googlemail.com.
> MX 10 aspmx4.googlemail.com.
> MX 10 aspmx5.googlemail.com.
>__
>
>Just to be sure, I re-ran the test with "-i full" in the command line,
>with the same result.
>
>Could it be that, for a brief time, those names were CNAME'd

no, this is a hard fault, over 2 days.

I do, from the machine, dig abcxyz.com mx and get the google domain names, then in the ADDITIONAL section, I get their A records.

I also dig @ns1.google.com and an A record is returned for each MX domain name.

no CNAMEs anywhere, except in BIND's confusion.

Len
9.6.1-P1 zone parser false errors
uname -a
Linux ns1.abcxyz.net 2.4.20-31.9smp #1 SMP Tue Apr 13 17:40:10 EDT 2004 i686 i686 i386 GNU/Linux

old BIND:

/usr/sbin/named-checkzone -v
9.2.1

/usr/sbin/named-checkzone abcxyz.com /var/named/db.abcxyz.com
zone abcxyz.com/IN: loaded serial 2009102902
OK

==

current BIND:

/usr/local/sbin/named-checkzone -v
9.6.1-P1

/usr/local/sbin/named-checkzone abcxyz.com /var/named/db.abcxyz.com
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx.l.google.com' (out of zone) is a CNAME 'mail-yx0-f102.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'alt1.aspmx.l.google.com' (out of zone) is a CNAME 'mail-bw0-f39.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'alt2.aspmx.l.google.com' (out of zone) is a CNAME 'fk-in-f114.1e100.net' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx2.googlemail.com' (out of zone) is a CNAME 'mu-in-f27.1e100.net' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx3.googlemail.com' (out of zone) is a CNAME 'mail-pz0-f6.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx4.googlemail.com' (out of zone) is a CNAME 'mail-ew0-f7.google.com' (illegal)
zone abcxyz.com/IN: abcxyz.com/MX 'aspmx5.googlemail.com' (out of zone) is a CNAME 'mail-yx0-f8.google.com' (illegal)
zone abcxyz.com/IN: loaded serial 2009102902

All the google domain names are canonical, not CNAMEs.

no views, /etc/hosts is fine, no NIS in use.

Old Linux is broken?

thanks
Len
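The thread turns on the difference between two ways of "canonicalising" an MX target: asking the DNS whether the name owns a CNAME record (what the RFC 2181 section 10.3 rule about MX targets is about, and what named-checkzone -i full checks) versus resolving the name to an address and reverse-looking that address up, which returns a PTR name that is usually different from the forward name and says nothing about CNAMEs. The block below is an added example for this page, not code from any of the posters or from ISC: an offline MX-target checker run against a constructed answer table (the google names appear because they are in the post; their addresses, the PTR name and the example.net records are constructed), showing that the direct check passes the google targets while the reverse-lookup path reports a misleading "canonical" name, and that a real CNAME target is still caught.

```python
# Constructed zone content: MX records of the zone under test.
ZONE_MX = {
    "abcxyz.com.": [
        (10, "aspmx.l.google.com."),
        (20, "alt1.aspmx.l.google.com."),
        (30, "mx.example.net."),
    ],
}

# Constructed answer table standing in for a resolver: (owner, rtype) -> rdata list.
# None of these addresses or PTR names are real DNS data.
ANSWERS = {
    ("aspmx.l.google.com.", "A"): ["192.0.2.10"],
    ("alt1.aspmx.l.google.com.", "A"): ["192.0.2.11"],
    ("mx.example.net.", "CNAME"): ["real-mx.example.net."],
    ("real-mx.example.net.", "A"): ["192.0.2.12"],
    ("192.0.2.10", "PTR"): ["mail-yx0-f102.google.com."],
    ("192.0.2.11", "PTR"): ["mail-bw0-f39.google.com."],
}


def lookup(name, rtype):
    """Resolver stand-in; returns [] where a real resolver would return NODATA/NXDOMAIN."""
    return ANSWERS.get((name, rtype), [])


def is_cname(name, lookup=lookup):
    """The correct test: does the name itself own a CNAME record?"""
    return bool(lookup(name, "CNAME"))


def reverse_canonical(name, lookup=lookup):
    """The misleading path: forward to an address, then PTR of that address.

    Mail hosts routinely have PTR names that differ from their forward names,
    so a mismatch here is not evidence of a CNAME.
    """
    addrs = lookup(name, "A")
    if not addrs:
        return None
    ptr = lookup(addrs[0], "PTR")
    return ptr[0] if ptr else None


def check_mx_targets(zone_mx, lookup=lookup):
    """RFC 2181 s10.3: an MX target must be a hostname with address records, not a CNAME.

    Returns (zone, target, problem) tuples; an empty list means all targets are clean.
    """
    findings = []
    for zone, records in zone_mx.items():
        for _pref, target in records:
            cname = lookup(target, "CNAME")
            if cname:
                findings.append((zone, target, "CNAME -> " + cname[0]))
            elif not (lookup(target, "A") or lookup(target, "AAAA")):
                findings.append((zone, target, "no address records"))
    return findings


if __name__ == "__main__":
    for finding in check_mx_targets(ZONE_MX):
        print("problem:", finding)
    for _pref, target in ZONE_MX["abcxyz.com."]:
        print(target, "cname:", is_cname(target), "ptr-name:", reverse_canonical(target))
```

Swapping `lookup` for a function that does live queries (for instance with dnspython) turns this into the same check named-checkzone performs with `-i full`, and the `reverse_canonical` output shows exactly the kind of name that appeared in the poster's error lines without any CNAME being involved.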
maverick named logging
Redhat release 9
BIND 9.5.0-P2, compiled from source

named.conf has it

/* logging */ ...

commented out.

rndc status
version: 9.5.0-P2
number of zones: 81
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 8/0/1000
tcp clients: 0/100
server is up and running

named is still clogging up /var/log/messages with lines like:

Jan 23 09:03:31 www named[4274]: client 208.14.218.12#54918: query
Jan 23 09:03:28 www named[4274]: unexpected RCODE (REFUSED)
Jan 23 09:05:38 www named[4274]: too many timeouts resolving
Jan 23 09:05:39 www named[4274]: lame server resolving
Jan 23 09:06:09 www named[4274]: FORMERR resolving

Where and what is telling named to log to syslog?

Thanks,
Len