named takes 200% CPU

Hello,

I am running openSUSE 11.0 on an Intel Quad computer. A month ago I installed the DNS service on it.

Since then I have the following problem: sometimes named starts eating 200% of CPU, and that causes the LAN to hang. Everything goes back to normal after a named restart.

Could you help me resolve this problem?
Thank you for your time.

SDA

Test your named config using this tool from a terminal window:

named-checkconf

Also see: man named-checkconf

Thank you for the quick reply.

I used this util and found no problems. Could it be a result of outside attacks? I see a lot of connection attempts in /var/log/messages.

Thanks
SDA

If you do not want your DNS server queried from the outside, you should firewall it and/or declare allowed subnets in your named.conf.

How did you install DNS on it? Did you get the latest update with security fixes?

Hello,

thank you for your replies.

I have named (BIND 9.5.0-P2) installed and configured via YaST. I think it is not the best idea to install bind from the official website, since it will not be configurable via YaST, which could be quite helpful.

The problem remains: several days of normal work, then named hangs with 200% CPU usage and there is no internet in the internal network. I firewalled named in the Firewall settings for the External Zone, though it did not help.

Could you suggest something?
Thanks
SDA

Here is the output from /var/log/messages:

Jan 21 22:52:16 abs named[837]: client 192.168.168.66#7200: RFC 1918 response from Internet for 66.168.168.192.in-addr.arpa
Jan 21 22:57:56 abs named[837]: unexpected RCODE (SERVFAIL) resolving 'ns1.uunet.co.ke/A/IN': 196.7.0.139#53
Jan 21 22:58:27 abs named[837]: client 192.168.168.102#45623: RFC 1918 response from Internet for 102.168.168.192.in-addr.arpa
Jan 21 22:58:43 abs named[837]: client 192.168.168.103#18368: RFC 1918 response from Internet for 103.168.168.192.in-addr.arpa
Jan 21 23:05:16 abs named[837]: client 192.168.168.5#13718: RFC 1918 response from Internet for 5.168.168.192.in-addr.arpa
Jan 21 23:09:59 abs named[837]: lame server resolving 'secdns.starhub.net.sg' (in 'starhub.net.sg'?): 203.116.1.93#53
Jan 21 23:19:20 abs named[837]: client 192.168.168.12#46288: RFC 1918 response from Internet for 12.168.168.192.in-addr.arpa
Jan 21 23:20:36 abs named[837]: client 192.168.168.7#21625: RFC 1918 response from Internet for 7.168.168.192.in-addr.arpa
Jan 21 23:22:16 abs named[837]: client 192.168.168.66#20029: RFC 1918 response from Internet for 66.168.168.192.in-addr.arpa

HERE IT HANGS.
THEN I RESTART THE SERVER IN THE MORNING:

Jan 22 12:38:42 abs named[15278]: starting BIND 9.5.0-P2 -t /var/lib/named -u named
Jan 22 12:38:42 abs named[15278]: found 4 CPUs, using 4 worker threads
Jan 22 12:38:42 abs named[15278]: loading configuration from '/etc/named.conf'
Jan 22 12:38:42 abs named[15278]: the working directory is not writable
Jan 22 12:38:42 abs named[15278]: no IPv6 interfaces found
Jan 22 12:38:42 abs named[15278]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 22 12:38:42 abs named[15278]: listening on IPv4 interface lo, 127.0.0.2#53
Jan 22 12:38:42 abs named[15278]: listening on IPv4 interface eth1, 195.208.219.98#53
Jan 22 12:38:42 abs named[15278]: listening on IPv4 interface eth0, 192.168.168.8#53
Jan 22 12:38:42 abs named[15278]: default max-cache-size (33554432) applies
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 0.IN-ADDR.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 127.IN-ADDR.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: D.F.IP6.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: A.E.F.IP6.ARPA
Jan 22 12:38:42 abs named[15278]: automatic empty zone: B.E.F.IP6.ARPA
Jan 22 12:38:42 abs named[15278]: default max-cache-size (33554432) applies: view _bind
Jan 22 12:38:42 abs named[15278]: command channel listening on 127.0.0.1#953
Jan 22 12:38:42 abs named[15278]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Jan 22 12:38:42 abs named[15278]: zone localhost/IN: loaded serial 42
Jan 22 12:38:42 abs named[15278]: zone abs.cmm.msu.ru/IN: abs.cmm.msu.ru/MX 'mail.abs.cmm.msu.ru' has no address records (A or AAAA)
Jan 22 12:38:42 abs named[15278]: zone abs.cmm.msu.ru/IN: loaded serial 2010011902
Jan 22 12:38:42 abs named[15278]: running

And here is /var/lib/named/etc/named.conf:

# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller <lmuelle@suse.de>
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9. It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.

options {

    # The directory statement defines the name server's working directory

    directory "/var/lib/named";

    # Write dump and statistics file to the log subdirectory.  The
    # pathenames are relative to the chroot jail.

    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";

    # The forwarders record contains a list of servers to which queries
    # should be forwarded.  Enable this line and modify the IP address to
    # your provider's name server.  Up to three servers may be listed.

    #forwarders { 192.0.2.1; 192.0.2.2; };

    # Enable the next entry to prefer usage of the name server declared in
    # the forwarders section.

    #forward first;

    # The listen-on record contains a list of local network interfaces to
    # listen on.  Optionally the port can be specified.  Default is to
    # listen on all interfaces found on your system.  The default port is
    # 53.

    #listen-on port 53 { 127.0.0.1; };

    # The listen-on-v6 record enables or disables listening on IPv6
    # interfaces.  Allowed values are 'any' and 'none' or a list of
    # addresses.

    listen-on-v6 { any; };

    # The next three statements may be needed if a firewall stands between
    # the local server and the internet.

    #query-source address * port 53;
    #transfer-source * port 53;
    #notify-source * port 53;

    # The allow-query record contains a list of networks or IP addresses
    # to accept and deny queries from. The default is to allow queries
    # from all hosts.

    #allow-query { 127.0.0.1; };

    # If notify is set to yes (default), notify messages are sent to other
    # name servers when the the zone data is changed.  Instead of setting
    # a global 'notify' statement in the 'options' section, a separate
    # 'notify' can be added to each zone definition.

    notify no;

};

# To configure named's logging remove the leading '#' characters of the
# following examples.
#logging {
#    # Log queries to a file limited to a size of 100 MB.
#    channel query_logging {
#        file "/var/log/named_querylog"
#            versions 3 size 100M;
#        print-time yes;            // timestamp log entries
#    };
#    category queries {
#        query_logging;
#    };
#
#    # Or log this kind alternatively to syslog.
#    channel syslog_queries {
#        syslog user;
#        severity info;
#    };
#    category queries { syslog_queries; };
#
#    # Log general name server errors to syslog.
#    channel syslog_errors {
#        syslog user;
#        severity error;
#    };
#    category default { syslog_errors; };
#
#    # Don't log lame server messages.
#    category lame-servers { null; };
#};

# The following zone definitions don't need any modification. The first one
# is the definition of the root name servers. The second one defines
# localhost while the third defines the reverse lookup for localhost.

zone "." in {
    type hint;
    file "root.hint";
};

zone "localhost" in {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};

# Include the meta include file generated by createNamedConfInclude. This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named
include "/etc/named.conf.include";

logging {
    category default { log_syslog; };
    channel log_syslog { syslog; };
};

zone "abs.cmm.msu.ru" in {
    allow-transfer { any; };
    file "master/abs.cmm.msu.ruX";
    type master;
};

# You can insert further zone records for your own domains below or create
# single files in /etc/named.d/ and add the file names to
# NAMED_CONF_INCLUDE_FILES.
# See /usr/share/doc/packages/bind/README.SUSE for more details.
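The advice earlier in the thread (firewall the server and/or declare allowed subnets in named.conf) applied to the configuration just posted, as an added example that is not code from any post above. It keeps the server authoritative for abs.cmm.msu.ru on the external interface, but limits recursion and cache access to the LAN seen in the log (192.168.168.0/24), closes the allow-transfer { any; } on the zone, and adds a local reverse zone so PTR lookups for 192.168.168.x stop leaking to the Internet (the "RFC 1918 response from Internet" lines). The acl name "lan", the secondary address 198.51.100.2 (a documentation-range placeholder) and the zone file name master/168.168.192.zone are assumptions; the reverse zone file has to be created alongside it.

```conf
# Added example, not from the thread. Assumed: LAN is 192.168.168.0/24 (the
# clients in the log), acl name "lan", secondary server 198.51.100.2
# (placeholder), reverse zone file master/168.168.192.zone (must be created).

acl "lan" {
    127.0.0.0/8;
    192.168.168.0/24;
};

options {
    directory "/var/lib/named";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";

    # Anyone may ask about the zones we are authoritative for, but only the
    # LAN gets recursion and cached answers. The posted config leaves the
    # allow-query line commented out, so it answers everyone for everything.
    allow-query       { any; };
    allow-recursion   { lan; };
    allow-query-cache { lan; };

    # Global default: no zone transfers unless a zone says otherwise.
    allow-transfer { none; };

    # Log says "no IPv6 interfaces found", so there is nothing to listen on.
    listen-on-v6 { none; };

    notify no;
};

# Send query logging to syslog so a CPU spike can be matched against who was
# asking at the time (same channel layout as the commented SUSE example).
logging {
    channel syslog_queries {
        syslog user;
        severity info;
    };
    channel log_syslog { syslog; };
    category default { log_syslog; };
    category queries { syslog_queries; };
    category lame-servers { null; };
};

zone "abs.cmm.msu.ru" in {
    type master;
    file "master/abs.cmm.msu.ru";
    # Only the secondary may pull the zone, instead of allow-transfer { any; }.
    allow-transfer { 198.51.100.2; };
};

# Local reverse zone for the LAN: answered here, never sent to the root servers.
zone "168.168.192.in-addr.arpa" in {
    type master;
    file "master/168.168.192.zone";
};
```

After a `named-checkconf` pass and a reload, `rndc querylog` toggles the query channel on and off without a restart, and `rndc stats` writes the counters to the statistics-file inside the chroot, which is enough to tell whether the 200% episodes coincide with a flood of external queries or with something internal to the server.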

Did you also update the other components needed by bind? That is:

bind-libs
bind-utils
bind-chrootenv

I think the first is the critical one. In 11.2 I found that when bind-libs was a patch level behind, named would spin its wheels and become unusable. Once I brought everything up to the same patch level, it was fine. The package dependencies should prevent this but apparently they were not strict enough.

Thanks for replying.

All packages you've mentioned were up to date and had the same version numbers, 9.5.0-P2. Though I've reinstalled them once again and restarted the server. Will see how it goes.

Does anyone else have other suggestions?

Thanks.

Probably you should clean the DNS cache periodically.

Here you can find some details about that
DNS BIND - Operations Statements

Also, here is my sample named.conf, and it works fine for me:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See US-CERT Vulnerability Note VU#800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-recursion { any; };
    max-ncache-ttl 200;
    max-cache-ttl 2000;
    max-cache-size 2000m;
    recursive-clients 4000;
    notify no;
    cleaning-interval 10;
    recursion yes;

};