Runaway BIND
OUCH!
I just recovered from bind (8.4.7-1) flooding /var/log/syslog with
several hundred megabytes of messages along the lines of:
> grep "no addrs found for root" syslog | head
Feb 10 19:54:59 creaky named[7652]: sysquery: no addrs found for root
NS (B.GTLD-SERVERS.net)
Feb 10 19:54:59 creaky named[7652]: sysquery: no addrs found for root
NS (C.GTLD-SERVERS.net)
Feb 10 19:54:59 creaky named[7652]: sysquery: no addrs found for root
NS (D.GTLD-SERVERS.net)
When bind goes nuts it repeated cycles through the entire set of root
servers at both ROOT-SERVERS.NET and GTLD-SERVERS.net at the rate of
~550 logs/sec. A typical burst runs for ~75 seconds or so and emits
~42000 messages. In my case the bursts started at 19:54:59 EST
(UTC-5) and affected both master and slave servers. That and the
maturity of bind leads me to suspect some external trigger.
Upon reboot, init would not tolerate a full /var. I was able to
recover with no data loss by:
1. rebooting into /bin/sh
2. manually running fsck
3. moving the morbidly obese syslog to another partition for analysis
4. normal reboot.
The named.conf option set is rather daunting. Can anyone suggest
some options to throttle back the verbosity?
Thx,
--rich
Reply to: