named 100% utilization

2024-04-30 Thread Peter Carlson
We are having a problem with bind that has been happening for about a 
week. One of named's threads goes to 100% and then named stops 
responding to any dns requests.  I have logging turned on and don't see 
anything out of the ordinary.  It's not crashing. Any recommendations on 
where to start?


   administrator@nc1:~$ named -version
   BIND 9.18.18-0ubuntu0.22.04.2-Ubuntu (Extended Support Version) 

   administrator@nc1:~$ lsb_release -a
   No LSB modules are available.
   Distributor ID:    Ubuntu
   Description:    Ubuntu 22.04.4 LTS
   Release:    22.04
   Codename:    jammy

Config files:

   administrator@nc1:/etc/bind$ cat named.conf
   include "/etc/bind/named.conf.options";
   include "/etc/bind/named.conf.local";

   administrator@nc1:/etc/bind$ cat named.conf.options
   logging {
    channel default_file {
    file "/var/log/named/default.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel general_file {
    file "/var/log/named/general.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel database_file {
    file "/var/log/named/database.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel security_file {
    file "/var/log/named/security.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel config_file {
    file "/var/log/named/config.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel resolver_file {
    file "/var/log/named/resolver.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel xfer-in_file {
    file "/var/log/named/xfer-in.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel xfer-out_file {
    file "/var/log/named/xfer-out.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel notify_file {
    file "/var/log/named/notify.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel client_file {
    file "/var/log/named/client.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel unmatched_file {
    file "/var/log/named/unmatched.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel queries_file {
    file "/var/log/named/queries.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel network_file {
    file "/var/log/named/network.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel update_file {
    file "/var/log/named/update.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel dispatch_file {
    file "/var/log/named/dispatch.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel dnssec_file {
    file "/var/log/named/dnssec.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    channel lame-servers_file {
    file "/var/log/named/lame-servers.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
   };

    options {
      directory "/var/cache/bind";
      version "Go Away 0.0.7";
      notify no;
      empty-zones-enable no;
      auth-nxdomain yes;
      forwarders { 8.8.8.8; 8.8.4.4; };
      allow-transfer { none; };

      dnssec-validation no;

      listen-on-v6 { none; };
      listen-on port 53 { 192.168.10.11; 127.0.0.1; ::1; };

      minimal-responses yes;

      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

      };

   administrator@nc1:/etc/bind$ cat n

Re: named 100% utilization

2024-04-30 Thread Ondřej Surý
> BIND 9.18.18-0ubuntu0.22.04.2-Ubuntu (Extended Support Version) 

I would start here - ISC provides packages for RedHat, Fedora, Debian and 
Ubuntu with the latest upstream version.

There's little point in debugging a version that's old and doesn't contain all 
the bugfixes.

If you can reproduce the issue with the latest 9.18 version, you'll need to 
install debug symbols, and it's possible to use `perf record` to capture the 
data where named spends time, but even a simple `eu-stack -p` can give you 
hints if you take a couple of snapshots.

Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 30. 4. 2024, at 16:09, Peter Carlson  wrote:
> 
> We are having a problem with bind that has been happening for about a week. 
> One of named's threads goes to 100% and then named stops responding to any 
> dns requests.  I have logging turned on and don't see anything out of the 
> ordinary.  It's not crashing.  Any recommendations on where to start?
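
The snapshot approach suggested in the reply above, as an added example that is not part of the original thread and not ISC tooling: pick the busiest thread of named, take several eu-stack snapshots, and count which functions keep showing up in that thread's innermost frames. The function names (hot_tid, take_snapshots, hot_frames, sample_snapshot) are hypothetical, and the sample stack is constructed with placeholder symbols.

```shell
# Added example. Needs eu-stack (elfutils) and debug symbols for useful names.

# TID with the highest %CPU in process $1. ps reports a lifetime average,
# so a thread that has been spinning for a while rises to the top.
hot_tid() {
    ps -L -o tid=,pcpu= -p "$1" | sort -k2,2nr | head -n 1 | awk '{print $1}'
}

# Take $2 eu-stack snapshots of PID $1, $3 seconds apart, into directory $4.
take_snapshots() {
    i=1
    while [ "$i" -le "$2" ]; do
        eu-stack -p "$1" > "$4/snap.$i" 2>/dev/null
        i=$((i + 1))
        sleep "$3"
    done
}

# Count how often each function appears in the innermost three frames of
# thread $1 across the snapshot files that follow. Most frequent first.
hot_frames() {
    tid=$1; shift
    awk -v tid="$tid" '
        /^TID /                  { cur = $2; sub(/:$/, "", cur); next }
        cur == tid && /^#[0-2] / { seen[($3 != "") ? $3 : $2]++ }
        END                      { for (f in seen) print seen[f], f }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed snapshot (placeholder names, not real named output);
# $1 is the innermost frame of the busy thread 4250.
sample_snapshot() {
    cat <<EOF
PID 4242 - process
TID 4242:
#0  0x00007f0000001000 epoll_wait
#1  0x00007f0000002000 placeholder_event_loop
TID 4250:
#0  0x00007f0000003000 $1
#1  0x00007f0000004000 placeholder_lookup
#2  0x00007f0000005000 placeholder_query
#3  0x00007f0000006000 placeholder_worker
EOF
}

if [ -n "${1:-}" ]; then    # live use: sh script.sh <pid of named>
    d=$(mktemp -d); tid=$(hot_tid "$1")
    take_snapshots "$1" 5 1 "$d" && hot_frames "$tid" "$d"/snap.*
fi
```

Frames that appear in every snapshot of the busy thread are the callers it never leaves; without debug symbols the counts fall back to raw addresses.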

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Lee
On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
>
> On 29.04.2024 22:19, Lee wrote:
> > On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
> >  wrote:
> >
> > something that I replied to and got this in response:
> >
> > Error Icon
> >   Message blocked
> > Your message to Walter.H@[..snip..] has been blocked. See technical
> > details below for more information.
> >
> > The response from the remote server was:
> > 554 5.7.1 : Client host rejected: Use IPv4
> >
> >
> For explanation: this is MY mail server, which blocks IPv6 connections from
>
> Outlook.com
> Gmail.com
> ...
>
> as these are the biggest SPAM senders

Which is fine .. your server, your rules.
But maybe what isn't so fine is me replying only to the list and still
getting a 'rejected: Use IPv4' msg.  I don't know how the mailing list
works; I'm a bit surprised that I can reply only to the list, get the
Client host rejected msg and somehow you can still get the msg??

Anyway.. best regards
Lee
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Lee
On Tue, Apr 30, 2024 at 2:40 AM Mark Andrews wrote:
>
> And it has been fixed.

Yay!  No more error messages in the log because of them :-)

Thanks for your help
Lee


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Mark Andrews


> On 1 May 2024, at 03:32, Lee  wrote:
> 
> On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
>> 
>> On 29.04.2024 22:19, Lee wrote:
>>> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
>>>  wrote:
>>> 
>>> something that I replied to and got this in response:
>>> 
>>> Error Icon
>>>  Message blocked
>>> Your message to Walter.H@[..snip..] has been blocked. See technical
>>> details below for more information.
>>> 
>>> The response from the remote server was:
>>> 554 5.7.1 : Client host rejected: Use IPv4
>>> 
>>> 
>> For explanation: this is MY mail server, which blocks IPv6 connections from
>> 
>> Outlook.com
>> Gmail.com
>> ...
>> 
>> as these are the biggest SPAM senders
> 
> Which is fine .. your server, your rules.
> But maybe what isn't so fine is me replying only to the list and still
> getting a 'rejected: Use IPv4' msg.  I don't know how the mailing list
> works; I'm a bit surprised that I can reply only to the list, get the
> Client host rejected msg and somehow you can still get the msg??

Presumably ISC sent the list message over IPv6 to them and the rejection rules
kicked in.  ISC sends email over IPv6 and they accept email over IPv6.  This is
what happens when you put something into the rejection rules which has zero
relationship to whether something is spam or ham.

I just find it interesting that someone using mx01.ipv6help.de as an MX would be
so interested in punishing IPv6 use.

> Anyway.. best regards
> Lee


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
