From: Blake Swensen <blake@pyramus.com>
To: FreeBSD ISP List <freebsd-isp@freebsd.org>
Date: Mon, 21 Apr 2003 13:41:25 -0700
Subject: BIND and/or IPFW weirdness
Message-ID: <3EA45775.5060707@pyramus.com>

I have two systems (RELENG_4_3 vintage). Both are running BIND 8.4.3-REL and both are running IPFW. One is acting as master DNS and the other is acting as slave for IP4 zones (about 65 domain names) outside our firewall. I also have an internal DNS server resolving our private addresses.

Last week the named on the slave server started to peg systat's pig load to about 88%. After confirming with my ISP that this wasn't a DoS attack, I am still unable to get the DNS to calm down.... now the process load has extended to the master and systat is reporting about 90% load.
I cannot determine why these systems are being hammered -- this is causing latency and other problems on the network -- like our internal server not forwarding requests. And our ISP claims that we are getting excessive packet collisions in our DMZ.

The firewall on the master is used as the default route for internal workstations and networks. The firewall on the slave is used for incoming HTTP, FTP and SSH requests and as the gateway for our server farm.

Any ideas as to where I should start looking for a solution to this problem? Here are the named.conf (just the options portion... no zones) for both computers and the firewall.rules. Please be kind if it seems like I don't know what I am doing.

SLAVE: BIND (named.conf, options only)

    options {
        directory "/etc/namedb";
        dump-file "s/named_dump.db";
        forwarders {
            xx.xx.xxx.xxx;          // my master server
            216.99.225.30;
            216.99.225.31;
        };
        transfers-per-ns 2;
        listen-on { xx.xx.xxx.xxx; };           // my outside IF address
        query-source address xx.xx.xxx.xxx;     // my outside IF address too
    };

SLAVE: FIREWALL.RULES

    fwcmd=/sbin/ipfw
    outif=dc0
    inif=dc1
    ${fwcmd} -f flush
    # loopback is unrestricted, but 127/8 must never appear on a real interface
    ${fwcmd} add allow ip from any to any via lo0
    ${fwcmd} add deny ip from any to 127.0.0.0/8
    ${fwcmd} add deny ip from 127.0.0.0/8 to any
    # everything crossing the outside interface goes through natd
    ${fwcmd} add divert natd all from any to any via ${outif}
    ${fwcmd} add allow icmp from any to xx.xx.xxx.xxx via ${outif}
    ${fwcmd} add allow icmp from any to 10.10.1.1 via ${inif}
    # "pass" and "allow" are synonyms; all traffic to or from our nets is allowed
    ${fwcmd} add pass all from 10.10.1.0/24 to any
    ${fwcmd} add pass all from xx.xx.xxx.0/24 to any
    ${fwcmd} add allow ip from xx.xx.xxx.xxx to any
    ${fwcmd} add allow ip from any to xx.xx.xxx.xxx
    ${fwcmd} add allow ip from any to 10.10.1.0/24
    ${fwcmd} add allow ip from 10.10.1.0/24 to any

MASTER: BIND (named.conf, options only)

    options {
        directory "/etc/namedb";
        transfers-out 5;
        forwarders {
            209.116.241.10;
            216.99.255.31;
            216.99.233.253;
        };
        dump-file "s/named_dump.db";
        allow-transfer {
            localhost;
            xx.xx.xxx.xxx;          // my address
            xx.xx.xxx.xxx;          // my slave's address
        };
        listen-on { xx.xx.xxx.xxx; };           // my outside IF address
        query-source address xx.xx.xxx.xxx;     // my outside IF address too
    };

MASTER: FIREWALL.RULES

    fwcmd=/sbin/ipfw
    outif=dc0
    inif=ep0
    ${fwcmd} -f flush
    # loopback is unrestricted, but 127/8 must never appear on a real interface
    ${fwcmd} add allow ip from any to any via lo0
    ${fwcmd} add deny ip from any to 127.0.0.0/8
    ${fwcmd} add deny ip from 127.0.0.0/8 to any
    # everything crossing the outside interface goes through natd
    ${fwcmd} add divert natd all from any to any via ${outif}
    #${fwcmd} add allow icmp from any to any via ${outif}
    #${fwcmd} add allow icmp from any to xx.xx.xxx.xxx via ${outif}
    #${fwcmd} add allow icmp from 10.10.0.0/16 to 10.10.1.254 via ${inif}
    # "pass" and "allow" are synonyms; all traffic to or from our nets is allowed
    ${fwcmd} add pass all from 10.10.0.0/16 to any
    ${fwcmd} add pass all from xx.xx.xxx.0/24 to any
    ${fwcmd} add allow ip from xx.xx.xxx.xxx to any
    ${fwcmd} add allow ip from any to xx.xx.xxx.xxx
    ${fwcmd} add allow ip from any to 10.10.0.0/16
    ${fwcmd} add allow ip from 10.10.0.0/16 to any

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Internet Rescue Company - http://www.pyramus.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Blake R. Swensen
Pyramus Online, Inc.
2080 SE Oak Grove Blvd. Suite 11
Milwaukie, Oregon 97267
800-327-5101 vox:503-353-0455 fax:503-353-0453
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"We measure success by the success of our clients"
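Editor's note with an added example; this is not part of the original post and is not code from BIND or FreeBSD. Neither options block above carries an allow-query or allow-recursion statement, and BIND 8 answers recursive queries from anyone unless told otherwise; the ipfw rules pass all IP traffic to the outside address, so the firewall does not limit who can reach port 53 either. A slave that forwards everything it cannot answer to the master (and the master on to its upstream resolvers) will therefore do recursive lookups for the whole Internet, and load that appears first on the slave and then spreads to the master would be consistent with that. The first check is to see who is sending the queries and whether they are for the hosted zones or for foreign names with the RD bit set. The script below does that split over tcpdump output and ranks the sources of the recursive traffic. The zone list, the sample tcpdump lines (format approximated from `tcpdump -n udp port 53` on a FreeBSD 4 box), the 192.0.2.53 placeholder for the outside address and every function name are constructed for this example.

```python
import re
from collections import Counter

# Zones the two public servers are authoritative for.  Constructed stand-in
# for the poster's ~65 zones (the zone statements were left out of the post).
AUTH_ZONES = ("pyramus.com.", "example.net.")

# Constructed sample of `tcpdump -n -i dc0 udp port 53` output, with
# 192.0.2.53 standing in for the masked outside address.  The "+" after the
# query id means the RD (recursion desired) bit is set; "A?" marks a query,
# "1/0/0" a response.
SAMPLE = """\
13:41:25.100001 10.10.1.7.1034 > 192.0.2.53.53:  1001+ A? www.pyramus.com. (33)
13:41:25.100122 198.51.100.9.2048 > 192.0.2.53.53:  2002+ A? cache.example.org. (35)
13:41:25.100200 198.51.100.9.2049 > 192.0.2.53.53:  2003+ A? mirror.example.org. (36)
13:41:25.100310 203.0.113.77.4000 > 192.0.2.53.53:  3004 A? ns1.pyramus.com. (33)
13:41:25.100400 198.51.100.9.2050 > 192.0.2.53.53:  2005+ MX? bulk.example.org. (34)
13:41:25.100510 192.0.2.53.53 > 198.51.100.9.2048:  2002 1/0/0 A 192.0.2.10 (51)
13:41:25.100600 192.0.2.200.53 > 192.0.2.53.53:  4006+ A? smtp.example.net. (34)
"""

# Matches query lines only (destination port 53, "<id>[+] <type>? <name>");
# responses have no "?" after the type and do not match.
QUERY_RE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53:\s+"
    r"\d+(?P<rd>\+?)\s+(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)


def parse_queries(text):
    """Yield (src_ip, recursion_desired, qtype, qname) for each query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["src"], m["rd"] == "+", m["qtype"], m["qname"].lower()


def in_authoritative_zone(qname, zones=AUTH_ZONES):
    """True if qname is one of our zones or a name inside one of them."""
    qname = qname if qname.endswith(".") else qname + "."
    return any(qname == z or qname.endswith("." + z) for z in zones)


def summarize(text, zones=AUTH_ZONES):
    """Count queries per source, split by what the server has to do for them."""
    buckets = {"authoritative": Counter(), "recursive": Counter(), "other": Counter()}
    for src, rd, _qtype, qname in parse_queries(text):
        if in_authoritative_zone(qname, zones):
            buckets["authoritative"][src] += 1   # answered from our own zone data
        elif rd:
            buckets["recursive"][src] += 1       # forwarded upstream on the client's behalf
        else:
            buckets["other"][src] += 1           # foreign name without RD: a cheap referral
    return buckets


def recursive_share(text, zones=AUTH_ZONES):
    """Fraction of all queries that make us recurse for foreign names."""
    buckets = summarize(text, zones)
    total = sum(sum(c.values()) for c in buckets.values())
    return sum(buckets["recursive"].values()) / total if total else 0.0


def top_recursive_sources(text, n=5, zones=AUTH_ZONES):
    """Heaviest clients using us as an open resolver, as (ip, count) pairs."""
    return summarize(text, zones)["recursive"].most_common(n)


def suggested_ipfw_rules(text, outif="dc0", threshold=2, zones=AUTH_ZONES):
    """ipfw(8) deny rules for the heaviest recursive clients.  They only take
    effect if numbered ahead of the broad 'allow ip from any to <outside IP>'
    rule in the posted rule set."""
    return [f"add deny udp from {ip} to any 53 in via {outif}"
            for ip, count in top_recursive_sources(text, n=10, zones=zones)
            if count >= threshold]


if __name__ == "__main__":
    for bucket, counter in summarize(SAMPLE).items():
        print(bucket, dict(counter))
    print(f"recursive share: {recursive_share(SAMPLE):.0%}")
    for rule in suggested_ipfw_rules(SAMPLE):
        print(rule)
```

To use it on the real boxes, capture for a minute with `tcpdump -n -i dc0 udp port 53 > /tmp/dns.txt` on the slave and feed the file's contents to summarize(). If the recursive bucket dominates and comes from a handful of foreign addresses, the fix belongs in named.conf rather than in the firewall: on the two public servers either `recursion no;` (they only need to serve the 65 zones) or, if the internal resolver forwards to them, `allow-recursion { localhost; 10.10.0.0/16; };` (available since BIND 8.2), with the per-address ipfw denies as a stopgap while the change is tested. If instead the authoritative bucket dominates, the problem is elsewhere and the per-source counts will still say where to look.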