Named Log Entries – Are Any Of These A Problem?


Hello everyone –

I run bind version 9.8.2 on CentOS 6.5. The daily logwatch run sends me the following items. Are any of these a real problem?

===========
checkhints: extra NS 'A.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'B.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'C.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'D.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'E.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'F.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'G.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'H.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'I.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'J.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'K.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'L.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'M.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns1.dnslibre.info' in hints: 147 Time(s)
checkhints: unable to find root NS 'ns1.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns10.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns2.dnslibre.info' in hints: 147 Time(s)
checkhints: unable to find root NS 'ns2.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns3.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns4.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns5.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns6.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns7.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns8.opennic.glue' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns9.opennic.glue' in hints: 147 Time(s)
clients-per-query decreased to 10: 2 Time(s)
(repeated many times with various numbers)
==================
The hints file DOES contain two entries for each of the ROOT-SERVERS. One is the ipv4 address and the other is the ipv6 address. I use the hints file downloaded from http://www.internic.net/domain/named.root .

The hints file does NOT contain any entries for the opennic.glue or dnslibre.info servers. However, when I run “rndc -all”, the output shows that bind has entries for those servers. The names will resolve and answer ping.

I searched all over trying to find information on the clients-per-query setting. My named.conf file does not contain an entry for clients-per-query.
Is there some detailed documentation on this setting? What does it really do?

Three more notes: 1) I see no problems in daily operation. All web browsing works as does resolution for local machines. 2) This bind server does not get queries from outside my local network. 3) I use OpenNIC as the “forwarders” servers. I used to use OpenDNS until they stopped handling Yahoo email correctly.

Thanks – Bill Gee

4 thoughts on - Named Log Entries – Are Any Of These A Problem?

  • Time(s)

    Host ns1.opennic.glue not found: 3(NXDOMAIN)

    Host ns9.opennic.glue not found: 3(NXDOMAIN)

    Seems your set-up is wrong.

  • Hmmm… I think you are right, but I have no idea exactly WHAT is wrong.
    Can you add some details?

    Address resolution and ping work for me on all of the opennic.glue servers.
    That seems only logical since my DNS has entries for them.

    ============
    [bgee@main2 temp2]$ ping -c 3 ns1.opennic.glue
    PING ns1.opennic.glue (185.19.105.30) 56(84) bytes of data.
    64 bytes from dns.geek.id.au (185.19.105.30): icmp_seq=1 ttlA time3 ms
    64 bytes from dns.geek.id.au (185.19.105.30): icmp_seq=2 ttlA time1 ms
    64 bytes from dns.geek.id.au (185.19.105.30): icmp_seq=3 ttlA time1 ms

    --- ns1.opennic.glue ping statistics ---

  • Hello everyone –

    Update on this: I did some more searching and discovered that OpenNIC is intended to replace the normal top-level DNS servers. It’s not just a simple forwarder. I changed my forwarders to AlternateDNS.

    After two days I no longer get either of the checkhints messages shown below.
    The hints file has not changed – it still contains both A and AAAA records, but there is no longer any message about extra entries. “Rndc dumpdb -all” shows that the opennic.glue entries have been flushed. Dig will resolve names like ns2.opennic.glue, but ping fails.

    That leaves the log messages about changing the clients-per-query. More searching finally found me some documentation on the entry. The log messages do not indicate a problem – they are just named doing some self-tuning.

    Just in case, I added

    clients-per-query 20;
    max-clients-per-query 30;

    to the options section of my named.conf file. I still get some messages about named changing clients-per-query, but I am going to just ignore them for now.

    Bill Gee
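
An added example, not part of the original thread: a Python parser for the logwatch checkhints lines quoted in the first post. It separates root NS names present only in the hints file ("extra NS") from names returned by the upstream but missing from the hints ("unable to find root NS"), and flags the latter when they fall outside ROOT-SERVERS.NET, which is the pattern seen here with OpenNIC forwarders. The sample lines are constructed from the post and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the logwatch summary quoted in the post.
SAMPLE = """\
checkhints: extra NS 'A.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: extra NS 'M.ROOT-SERVERS.NET' in hints: 170 Time(s)
checkhints: unable to find root NS 'ns1.dnslibre.info' in hints: 147 Time(s)
checkhints: unable to find root NS 'ns1.opennic.glue' in hints: 170 Time(s)
clients-per-query decreased to 10: 2 Time(s)
"""

# Accept straight or typographic quotes; the count suffix is logwatch's summary form.
QUOTE = "['\"\u2018\u2019]"
LINE = re.compile(
    r"checkhints: (?P<kind>extra NS|unable to find root NS) "
    + QUOTE + r"(?P<name>[^'\"\u2018\u2019]+)" + QUOTE
    + r" in hints(?:: (?P<count>\d+) Time\(s\))?"
)

def parse_checkhints(text):
    """Group names by direction of mismatch between hints and the served root NS set."""
    result = {"hints_only": {}, "served_only": {}}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. the clients-per-query self-tuning messages
        key = "hints_only" if m.group("kind") == "extra NS" else "served_only"
        name = m.group("name").rstrip(".").lower()
        result[key][name] = result[key].get(name, 0) + int(m.group("count") or 1)
    return result

def assess(text, expected_suffix=".root-servers.net"):
    """Return (verdict, names): 'alternate-root', 'hints-stale' or 'ok'."""
    parsed = parse_checkhints(text)
    foreign = sorted(n for n in parsed["served_only"] if not n.endswith(expected_suffix))
    if foreign:
        # The upstream answered the root NS query with a different root zone.
        return "alternate-root", foreign
    if parsed["hints_only"] or parsed["served_only"]:
        # Same root, but the hints file and the live NS set have drifted apart.
        return "hints-stale", sorted(parsed["served_only"])
    return "ok", []

if __name__ == "__main__":
    print(assess(SAMPLE))
```
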