Re: Significant memory usage

2025-07-01 Thread Doug Freed
On 7/1/25 23:55, Lee wrote: On Tue, Jul 1, 2025 at 11:14 PM Matthias Fechner wrote: Am 01.07.2025 um 22:23 schrieb Lee: response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; } break-dnssec yes recursive-only no qname-wait-recurse no; should these 3 line

Re: Significant memory usage

2025-07-01 Thread Lee
On Tue, Jul 1, 2025 at 11:14 PM Matthias Fechner wrote: > > Am 01.07.2025 um 22:23 schrieb Lee: > >response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; } > > break-dnssec yes > > recursive-only no > > qname-wait-recurse no; > > should these 3 lines (break-dnssec

Re: Significant memory usage

2025-07-01 Thread Ondřej Surý
> On 2. 7. 2025, at 0:14, OwN-3m-All wrote: > > I wonder if other memory issues users are complaining about are related. I don’t know. You were the first one to actually provide a reproducer and a usable test case. Despite your exaggeration about “countless” reports there were not that many o

Re: Significant memory usage

2025-07-01 Thread Matthias Fechner
Am 01.07.2025 um 22:23 schrieb Lee: response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; } break-dnssec yes recursive-only no qname-wait-recurse no; should these 3 lines (break-dnssec , ...) not inside the response-policy block? Otherwise it is applied to the

Re: Server crash on receiving query

2025-07-01 Thread James L. Brown via bind-users
Looks like current betas of Tahoe and Sonoma fix this kernel bug! On 7 Nov 2024, at 12:18 am, Ondřej Surý wrote: Since the libuv bug is in the open, I’ll link it here as well: https://github.com/libuv/libuv/issues/4594

Re: Significant memory usage

2025-07-01 Thread OwN-3m-All
Thank you Ondrej! I changed my scripts to apply the hosts in this manner moving forward. Everything appears to be working as before, with significantly less memory usage, which is awesome! Still, I think the memory usage for the way I had it setup before shouldn't drastically increase in new ver

Re: Significant memory usage

2025-07-01 Thread Ondřej Surý
Good point. As this is local setup, it makes much sense to use qname-wait-recurse no; this saves both time and bandwidth as this is of no concern (from documentation): > No DNS records are needed for a QNAME or Client-IP trigger; the name or IP > address itself is sufficient, so in principle the

Re: Significant memory usage

2025-07-01 Thread Carlos Horowicz via bind-users
Ondřej, I usually include *qname-wait-recurse no* after the *response-policy { ... } *block, hoping to avoid issues where SERVFAILs, lame delegations, or firewalled authoritative servers might interfere with RPZ responses. I’m not entirely sure if I’m just being a bit /superstitious/ about tha

Re: Significant memory usage

2025-07-01 Thread Lee
On Tue, Jul 1, 2025 at 2:33 PM OwN-3m-All wrote: > > No, I'm not asking you to prioritize anything. I'm just saying that > previously valid and memory performant setups are not performing well on the > newest versions of bind (using too much memory). c'est la vie > I created this setup based o

Re: Significant memory usage

2025-07-01 Thread OwN-3m-All
Also, 127.0.0.1 (localhost) needs to be returned for these hosts, not a NXDOMAIN response. Would that impact it? -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at ht

Re: Significant memory usage

2025-07-01 Thread Ondřej Surý
You'll have to experiment a bit (and I mean read the documentation[1]) as I am writing this from top of my head, 1. You need to create RPZ zone like this: $TTL 604800 $ORIGIN adaway.rpz. @ IN SOA localhost. root.localhost. (1 604800 86400 2419200 604800 ) @ IN NS localhost. ad-assets.futurecdn.n

Re: Significant memory usage

2025-07-01 Thread OwN-3m-All
No, I'm not asking you to prioritize anything. I'm just saying that previously valid and memory performant setups are not performing well on the newest versions of bind (using too much memory). I created this setup based on guides I found online. So, if this is not the proper way to do it, what

Re: Significant memory usage

2025-07-01 Thread Carlos Horowicz via bind-users
Apparently you have 295108 zones, maybe you can try one single rpz zone with all 295108 fqdn's like . 12724[.]xyz IN CNAME . 21736[.]xyz IN CNAME . . instead of one zone per fqdn, and see if the memory footprint changes (both VMEM and RES) Good luck! Carlos Horowicz Planisys On 0

Re: Significant memory usage

2025-07-01 Thread Ondřej Surý
Hi, thanks for providing a reproducer. Just to give some rough numbers for the various branches we have (9.18, 9.20 and development): BIND 9.18 (bind-9.18 branch HEAD) $ smem -P name[d] PID User Command Swap USS PSS RSS 450020 ondrej named0 3233560 3234515

Re: Significant memory usage

2025-07-01 Thread OwN-3m-All
>> Apologies if I misunderstood your setup. I’ve also encountered memory issues in recent BIND versions — BIND 9.18.33 on Debian 12 is a tremendous beast, capable of handling millions of QPS — but after reducing logging (including DNSTAP) and disabling serve-stale, I saw a significant improvement

Re: Significant memory usage

2025-07-01 Thread Carlos Horowicz via bind-users
Hello there, I’m not a BIND developer either, but I was intrigued when you mentioned /millions of zone entries/. Are you referring to millions of individual zones, rather than consolidating entries into a single RPZ zone? Apologies if I misunderstood your setup. I’ve also encountered memory

Re: Significant memory usage

2025-07-01 Thread OwN-3m-All
Can we quit pretending that the newest versions of bind aren't memory hogs? We shouldn't have to provide the technical details as to why the newest versions of bind use so much ram. We don't know. We're just end users. However, with millions of zone entries (used as an ad blocking DNS server) l

Re: Is there any method/config to pass through rcode refused

2025-07-01 Thread Anand Buddhdev
On 01/07/2025 10:05, Neil Nie (NSB) wrote: Hi Neil, I found that bind9 (as forwarder) always overwrite rcode refused to rcode servfail. For one use-case, the dns client wants to get original rcode (like refused). Please advise if there is any config or method to achieve that. A resolver tries

Re: Is there any method/config to pass through rcode refused

2025-07-01 Thread Greg Choules via bind-users
Hi Neil. Think about what a resolver is doing. A client asks it a question, usually with the RD bit set, meaning essentially, do whatever you have to do to get me my answer. So the resolver attempts to find that answer, somehow. If it already has it in cache, great. If it doesn't it may recurse,

Is there any method/config to pass through rcode refused

2025-07-01 Thread Neil Nie (NSB)
Hi, I found that bind9 (as forwarder) always overwrite rcode refused to rcode servfail. For one use-case, the dns client wants to get original rcode (like refused). Please advise if there is any config or method to achieve that. Thanks, Neil Nie