The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

named taking up allot of CPU

Discussion in 'General Discussion' started by mm1250, Apr 15, 2008.

  1. mm1250

    mm1250 Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Hello,

    I am in TOP and I noticed today that the "named" process has been on top of the list when it comes to CPU%. This is odd becuaes it never use to be a resource hog. I want to know if this is normal. Usualy mySQL is always the number 1 CPU% but named is always around 4-6% CPU now. I know this was never like this for the whole year I had this server. Is there a way to check if something is wrong. I already restarted the DNS service BTW.
     
  2. morefood2001

    morefood2001 Active Member

    Joined:
    Mar 18, 2008
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    I have noticed this too. I also notice that it hogs 50MB of memory at idle when it really should only need ~10MB to resolve the 15 domains that I have on the server.

    Any ideas why this might be hogging so much?
     
  3. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    named/bind will not normally become a hog unless its working or being attacked. So its possible you are doing recursive lookups for outsiders and thats putting on a load OR you are being attacked somehow.

    First, find out what version of named you are running, you can do this in WHM in the service status or you can restart named in WHM and or /scripts/restartsrv_named and tail the messages log to see what output from named (BIND) comes up, if you are running an old one you would need to update if its one of the exploitable versions.

    As to memory, named will grow as it works. We have some stand-alone name servers and when we boot them named starts at 19meg of ram and after a few weeks it will be much larger, right now its at 254 megs. Most of the time this growth is due to cache growth on large volume of queries.

    Another important thing to to is make sure you are NOT doing recursive lookups for others, if you are familiar with looking at your named.conf file see if you have a "allow-recursion" line with only your local IPs or others that you want to allow lookups for. Its quite common for spammers and other attackers to find a machine that is openly recursive and then use it to do dns lookups for their dirty work.
     
    #3 nyjimbo, Apr 15, 2008
    Last edited: Apr 15, 2008
  4. mm1250

    mm1250 Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Hello ny,

    Thanks for the reply.

    I checked and i'm on 9.2.4 version of BIND. Regarding the recrussive lookups. How do I check to see if it is enabled or not? Or how can I tell if i'm getting attacked/
     
  5. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    9.2.4 is kinda old and can be exploited with denial-of-service attacks so you should find out why you are still using it. Normally UPCP will try to update bind and you probably should be in the 9.3.x versions by now.

    As to the recursion, I really dont want to get you into something you might not understand and risk screwing up, but if you know where your named.conf file is (usually /var/named/etc/namedb but it can vary) you might want to check the options section to see if the allow-recursion is there if no then look at this thread:

    http://forums.cpanel.net/showthread.php?t=15922&highlight=open+dns+servers
     
  6. morefood2001

    morefood2001 Active Member

    Joined:
    Mar 18, 2008
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Recursive lookups are disabled except for the local server ips and localhost. 13MB at startup sounds about right for what named should be. I'm beginning to wonder if I have a bug or something. I am using BIND 9.3.3rc2 with 15 domains.

    Thanks
    Phil
     
  7. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Well named/bind caches and grows in memory not just for your local domain names, any dns work you do that is cached will increase the size in memory. Its possible you are doing more lookups than you used to, maybe for checking stuff in EXIM or some other functions.
     
  8. morefood2001

    morefood2001 Active Member

    Joined:
    Mar 18, 2008
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    I probably should have added that this is a new cpanel install that is not even 2 weeks old yet. Its on a centos 5 server with 15 domains.

    On startup, named takes approximately 50MB, which doesn't seem right since I have seen bind start up with only 10MB on other servers ran by other people. Would this be a configuration error?

    Thanks,
    Phil
     
  9. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    You could enable logging in the named.conf, restart named, let it run for 10 minutes, stop it, disable logging and then restart named and then go check the logs. Debug logging can tell you something about its startup that might give you some clues.
     
Loading...

Share This Page