In message <512e97aa.2020...@argontech.net>, "Marco C. Coelho" writes:
> Just so the list has the same answer,
>
> Mark Andrews was right.
> This server was being hammered so hard that logging the rejects was
> killing the performance.
> adding:
> logging {
>         category default { null; };
>         //category lame-servers { null; };
> };
>
> to named.conf fixed the performance issues.
That was a bit of overkill.  I said kill the security category, not every
category.  When you do that you are driving blind.

        category security { null; };

> mc
>
> On 2/27/2013 5:18 PM, Mark Andrews wrote:
> > I suspect this is just logging.  Send the security channel to null;
> > for a while.  Once your server gets off the "I'm a recursive reflector"
> > lists you can turn it on again.
> >
> > In message <512e7940.7060...@argontech.net>, "Marco C. Coelho" writes:
> >> I discovered my bind 9 server was being used in a DDOS attack so I
> >> decided (late) to block outside networks from making recursive
> >> requests.  The problem is every time I enable this, the time for DNS
> >> queries goes from 0-1ms to 2000-6000ms or just times out completely.
> >> The options section is below.  I've commented it out so as to enable my
> >> network to run.
> >>
> >> There are thousands of my clients that need recursion from this server.
> >> It is also authoritative for many domains.
> >>
> >> There is a semi-busy mail server on this same box that uses DNS as well.
> >>
> >> I googled this to death with no real suggestions.  I've tried it with
> >> ACL and without.
> >>
> >> Any suggestions would be appreciated.
> >>
> >> Marco
> >>
> >> acl "internal" {
> >>         24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
> >> };
> >>
> >> options {
> >>         directory "/var/named";
> >>         /*
> >>          * If there is a firewall between you and nameservers you want
> >>          * to talk to, you might need to uncomment the query-source
> >>          * directive below.  Previous versions of BIND always asked
> >>          * questions using port 53, but BIND 8.1 uses an unprivileged
> >>          * port by default.
> >>          */
> >>         // query-source address * port 53;
> >>         recursive-clients 1000;
> >>         recursion yes;
> >>         //allow-query { any; };
> >>         //allow-recursion { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8;
> >>         //                  "localnets"; "localhost"; };
> >>         //allow-recursion { "internal"; };
> >>         //allow-query-cache { 24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8;
> >>         //                    "localnets"; "localhost"; };
> >>         listen-on-v6 { none; };
> >>         listen-on { 24.202.224.2; };
> >>         version "8.2.3-REL";
> >> };
> >>
> >> --
> >> Argon Technologies Inc.
> >> Marco Coelho, President, CEO
> >> POB 875
> >> 4612 Wesley St.
> >> Greenville, TX 75402
> >> 903-455-5036
> >> 903-455-2115 Fax
> >>
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> >> from this list
> >>
> >> bind-users mailing list
> >> bind-users@lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
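As an added illustration (not part of the thread, and not Marco's or ISC's configuration): the named.conf fragments below put the thread's advice together in one place. The server stays authoritative for the world but recurses only for the "internal" ACL, and only the security category is sent to null, so the rest of the log keeps working. The network, address and log path values are assumptions carried over from the posted config or invented for the example.

```conf
// Added example: BIND 9 named.conf fragments implementing the fix discussed
// above.  Addresses and paths are assumptions, not a real deployment.

acl "internal" {
        24.202.224.0/20; 127.0.0.0/8; 10.0.0.0/8; "localnets"; "localhost";
};

options {
        directory "/var/named";
        recursion yes;

        // Authoritative zones must remain answerable from anywhere ...
        allow-query { any; };

        // ... but only our own clients may recurse or read the cache.
        // Leaving either of these open to "any" is what made the server a
        // DDoS reflector.  allow-query-cache follows allow-recursion by
        // default in current BIND 9; it is set explicitly here so the intent
        // survives a change of defaults.
        allow-recursion { "internal"; };
        allow-query-cache { "internal"; };

        recursive-clients 1000;
        listen-on { 24.202.224.2; };
        listen-on-v6 { none; };
};

logging {
        // Overkill, as pointed out in the thread: this silences every
        // category, including the errors you will need to debug anything.
        // category default { null; };

        // What was actually suggested: drop only the security category, which
        // carries the per-query "query (cache) ... denied" refusals that were
        // being written thousands of times a second during the flood.
        category security { null; };

        // Once the reflection traffic dies down, put the refusals back, for
        // example into their own size-limited, rotating file rather than the
        // default channel, so they stay available for incident review.
        // channel security_log {
        //         file "/var/log/named/security.log" versions 3 size 20m;
        //         severity info;
        //         print-time yes;
        // };
        // category security { security_log; };
};
```

Check the file with named-checkconf before reloading, then confirm from an address outside the ACL that a query for a name the server is not authoritative for comes back REFUSED while queries for its own zones still answer; from inside the ACL, recursion should work as before. Re-enable the security category as soon as the refusals drop to a rate the disk can absorb, since those log lines are also the record of who was abusing the server.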