I have a number of DNS servers, all running bind9 (9.5.1, to be specific) under fedora. 4 of them are slaves, fed by a common master for our public DNS. These are all located on the public gateways of our various offices. One of them has tons of messages in its log files similar to these:
Jul 21 17:26:18 gateway named[3487]: client 10.171.3.8#52500: view internal: error sending response: host unreachable
I wonder where that comes from. The firewall is open on port 53 between the two machines (10.171.3.8 is an internal DNS server located on a Windows Domain Controller). The internal domains do NOT list the gateway as a name server (so there should not be any attempts of replicating the domains), and the gateway does not handle any internal DNS. The clients in these messages vary between the two domain controllers on the internal network and a third internal name server (running bind9 on debian in a different segment of the network). Any pointers are highly welcome.
In response to the first reply:
The issue with this really is that tcpdump doesn't show any problems. Here is an extract from "tcpdump -i any port 53"
09:13:38.283308 IP valine.aminocom.com.61815 > ns-pri.ripe.net.domain: 14075 PTR? 166.225.58.95.in-addr.arpa. (44)
09:13:42.007410 IP gateway-eng.aminocom.com.37047 > alanine.aminocom.com.domain: 35410+ PTR? 12.3.172.10.in-addr.arpa. (42)
At the same time, the DNS log shows:
Jul 22 09:13:38 gateway named[3487]: client 10.171.3.6#61300: view internal: error sending response: host unreachable
Jul 22 09:13:40 gateway named[3487]: client 10.172.3.12#56230: view internal: error sending response: host unreachable
Jul 22 09:13:40 gateway named[3487]: client 10.171.3.8#55221: view internal: error sending response: host unreachable
Jul 22 09:13:49 gateway named[3487]: client 10.171.3.8#51342: view internal: error sending response: host unreachable
So clearly at 09:13:40 there were two unsuccessful attempts to connect to internal machines (10.172.3.12 and 10.171.3.8, both are DNS servers), but nothing in the tcpdump output.
I'd guess this is caused by something along the way sending an ICMP host unreachable when BIND tries to send its response to that IP. If I were you I'd do a tcpdump to see if you can catch who's sending it. Perhaps the firewall isn't configured to allow UDP back from the firewall (the client is probably not using port 53).
First guess would be a routing issue on the DNS server. What happens when you try to ping the client from the server?
C.
You can use PHREL to provide rate limiting on a per host basis to deal with the incoming traffic. After you install the package, set it up to block hosts that send more than 15 pps to port 53, like so: