BIND and/or IPFW weirdness
Blake Swensen
blake at pyramus.com
Mon Apr 21 13:48:37 PDT 2003
I have two systems (RELENG_4_3 vintage). Both are running BIND
8.4.3-REL and both are running IPFW. One is acting as master DNS and the
other is acting as slave for IP4 zones (about 65 domain names) outside
our firewall. I also have an internal DNS server resolving our private
addresses.
Last week the named on the slave server started to peg systat's pig load
to about 88%. After confirming that this wasn't a DOS attack with my
ISP, I am still unable to get the DNS to calm down.... now the process
load has extended to the master and systat is reporting about 90% load.
Cannot determine why these systems are being hammered -- this is causing
latency and other problems on the network -- like our internal server
not forwarding requests. And our ISP claims that we are getting
excessive packet collisions in our DMZ.
The firewall on the master is used as the default route for internal
workstations and networks. The firewall on the slave is used for
incoming HTTP, FTP and SSH requests and as the gateway for our server farm.
Any ideas as to where I should start looking for a solution to this problem?
Here are the named.conf (just the options portion... no zones) for both
computers and the firewall.rules. Please be kind if it seems like I
don't know what I am doing.
SLAVE:BIND
options {
        directory "/etc/namedb";
        dump-file "s/named_dump.db";
        forwarders {
                xx.xx.xxx.xxx;  // my master server
                216.99.225.30;
                216.99.225.31;
        };
        transfers-per-ns 2;
        listen-on {
                xx.xx.xxx.xxx;  // my outside IF address
        };
        query-source address xx.xx.xxx.xxx;  // my outside IF address too
};
SLAVE:FIREWALL.RULES
fwcmd=/sbin/ipfw
outif=dc0
inif=dc1
${fwcmd} -f flush
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
${fwcmd} add divert natd all from any to any via ${outif}
${fwcmd} add allow icmp from any to xx.xx.xxx.xxx via ${outif}
${fwcmd} add allow icmp from any to 10.10.1.1 via ${inif}
${fwcmd} add pass all from 10.10.1.0/24 to any
${fwcmd} add pass all from xx.xx.xxx.0/24 to any
${fwcmd} add allow ip from xx.xx.xxx.xxx to any
${fwcmd} add allow ip from any to xx.xx.xxx.xxx
${fwcmd} add allow ip from any to 10.10.1.0/24
${fwcmd} add allow ip from 10.10.1.0/24 to any
MASTER:BIND
options {
        directory "/etc/namedb";
        transfers-out 5;
        forwarders {
                209.116.241.10;
                216.99.255.31;
                216.99.233.253;
        };
        dump-file "s/named_dump.db";
        allow-transfer {
                localhost;
                xx.xx.xxx.xxx;  // my address
                xx.xx.xxx.xxx;  // my slave's address
        };
        listen-on {
                xx.xx.xxx.xxx;  // my outside IF address
        };
        query-source address xx.xx.xxx.xxx;  // my outside IF address too
};
MASTER:FIREWALL.RULES
fwcmd=/sbin/ipfw
outif=dc0
inif=ep0
${fwcmd} -f flush
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
${fwcmd} add divert natd all from any to any via ${outif}
#${fwcmd} add allow icmp from any to any via ${outif}
#${fwcmd} add allow icmp from any to xx.xx.xxx.xxx via ${outif}
#${fwcmd} add allow icmp from 10.10.0.0/16 to 10.10.1.254 via ${inif}
${fwcmd} add pass all from 10.10.0.0/16 to any
${fwcmd} add pass all from xx.xx.xxx.0/24 to any
${fwcmd} add allow ip from xx.xx.xxx.xxx to any
${fwcmd} add allow ip from any to xx.xx.xxx.xxx
${fwcmd} add allow ip from any to 10.10.0.0/16
${fwcmd} add allow ip from 10.10.0.0/16 to any
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Internet Rescue Company - http://www.pyramus.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Blake R. Swensen Pyramus Online, Inc.
2080 SE Oak Grove Blvd. Suite 11
Milwaukie, Oregon 97267
800-327-5101
vox:503-353-0455
fax:503-353-0453
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"We measure success by the success of our clients"
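Added example (not part of the original post, and not the poster's own configuration): the two checks a defender would run against the posted material before looking further for the load. The first walks an ipfw rule list with the kernel's first-match semantics to see what the slave's ruleset actually admits to the outside interface address; the second scans a BIND 8 options block for the access statements that limit who may query and who may recurse. The rule list and options text are copies of the slave's, with the constructed address 192.0.2.10 standing in for the elided xx.xx.xxx.xxx and 192.0.2.0/24 for xx.xx.xxx.0/24; the evaluator only understands the rule syntax that appears in the post.

```python
"""First-match ipfw rule walk plus a BIND 8 options check.
Added example; addresses are constructed placeholders, not the poster's."""
import ipaddress
import re

OUT_ADDR = "192.0.2.10"    # constructed stand-in for xx.xx.xxx.xxx
OUT_NET = "192.0.2.0/24"   # constructed stand-in for xx.xx.xxx.0/24

# The slave's ruleset as posted, placeholders substituted (constructed copy).
SLAVE_RULES = f"""
add allow ip from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
add divert natd all from any to any via dc0
add allow icmp from any to {OUT_ADDR} via dc0
add allow icmp from any to 10.10.1.1 via dc1
add pass all from 10.10.1.0/24 to any
add pass all from {OUT_NET} to any
add allow ip from {OUT_ADDR} to any
add allow ip from any to {OUT_ADDR}
add allow ip from any to 10.10.1.0/24
add allow ip from 10.10.1.0/24 to any
""".strip().splitlines()

# Only the syntax used in the post: add <action> [natd] <proto> from A to B [via IF]
RULE_RE = re.compile(
    r"add\s+(?P<action>\w+)(?:\s+natd)?\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?$"
)
# Actions that end the rule walk; divert is deliberately absent (see evaluate).
TERMINAL = {"allow": "allow", "pass": "allow", "accept": "allow",
            "deny": "deny", "drop": "deny"}


def parse_rules(lines):
    """Turn the ipfw 'add ...' lines into dicts; unparseable lines are skipped."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({**m.groupdict(), "text": line.strip()})
    return rules


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    return _addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])


def evaluate(rules, pkt, default="deny"):
    """Return (verdict, text of the rule that decided it).
    ipfw stops at the first allow/deny style match. divert hands the packet
    to natd and it re-enters at the next rule, so divert never decides.
    Nothing matching falls to the implicit rule 65535, which is deny unless
    the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for rule in rules:
        if _rule_matches(rule, pkt) and rule["action"] in TERMINAL:
            return TERMINAL[rule["action"]], rule["text"]
    return default, "default rule 65535"


# The slave's options block as posted, placeholder substituted (constructed copy).
SLAVE_OPTIONS = f"""
options {{
directory "/etc/namedb";
forwarders {{ {OUT_ADDR}; 216.99.225.30; 216.99.225.31; }};
transfers-per-ns 2;
listen-on {{ {OUT_ADDR}; }};
query-source address {OUT_ADDR};
}};
"""


def named_options_findings(text):
    """Flag access statements missing from an Internet-facing BIND 8 options
    block. Checks statement names only; this is not a full named.conf parser."""
    present = set(re.findall(r"^\s*([a-z-]+)", text, re.M))
    findings = []
    if "allow-query" not in present:
        findings.append("no allow-query: any host may query this server")
    if "allow-recursion" not in present:
        findings.append("no allow-recursion: recursion is open to every querier")
    if "forwarders" in present and "allow-recursion" not in present:
        findings.append("forwarders without allow-recursion: every outside recursive "
                        "query is passed to the forwarders first (forward first is the default)")
    return findings


if __name__ == "__main__":
    rules = parse_rules(SLAVE_RULES)
    # Constructed sample: an arbitrary Internet host sending a DNS query to the slave.
    query = {"proto": "udp", "src": "203.0.113.5", "dst": OUT_ADDR, "iface": "dc0"}
    print(evaluate(rules, query))
    for f in named_options_findings(SLAVE_OPTIONS):
        print("-", f)
```

Run as a script it reports that the query from the constructed outside host is admitted by `add allow ip from any to 192.0.2.10`, and that the options block carries neither `allow-query` nor `allow-recursion`. Together those two facts mean the slave answers and recurses for anyone who reaches it, so the next diagnostic step is to look at who is actually sending the queries rather than at the zone data.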