Reliability and performance on a simple caching BIND9 server for uncached queries

Khoury Brazil khoury.brazil at gmail.com
Sat Mar 12 01:59:36 UTC 2011


Hi,

I've noticed some speed and reliability issues with my BIND9 boxes
relating to uncached external queries. External queries that return NX
seem to be the worst offenders in these tests and are what I've
focused on during my testing. I've confirmed it using a simple
benchmarking tool called DNS Benchmark and some simple testing on my
part. DNS Benchmark points out that my BIND9 boxes "aren't reliable"
because "lookup requests that are dropped and ignored by nameservers
cause significant delays in Internet access" to quote the software.
DNS Benchmark compares your name servers against external name servers
and it shows my boxes as 86% reliable compared to the general list
(which includes the Level 3 servers, Cox, Symantec, etc.) which are,
for the most part, at 100%. I'm guessing this has to do with the
software timing out.

Doing a simple test using nslookup doing uncached external lookups (on
Ubuntu and one Windows client):
- No delay using nslookup or dig directly from my BIND boxes to the
  external name servers. This indicates to me that the bottleneck
  doesn't exist between my internal and ISP's name servers.
- No delay when using nslookup or dig from a client machine on my
  network to the external name servers. This indicates to me that the
  client isn't the issue.
- A long delay with Ubuntu clients looking up against my internal BIND
  boxes; timeouts with Windows and nslookup (due to its shorter
  timeout).

Internal queries are fast using all of the above tests (the BIND box
forwards to different internal name servers that are authoritative for
our internal name space). This indicates to me that it isn't my BIND
boxes being slow in general.

Is it normal to see slow responses when querying for uncached
non-existent domains? I've noticed that other external queries could
be faster, but these are really bad. When I query my internal BIND
boxes that are authoritative for my internal domain directly they
respond instantly for NX domains. I don't admin those though so have
no insight into their configuration beyond the fact that they run on
some nix flavor and are BIND* boxes.

Thanks for any insight.
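
The comparison described in this message (uncached names that return NXDOMAIN, timed against an internal cache and an external resolver, with unanswered queries counted as drops) can be reproduced with a short probe. This is an added example, not part of the original post; the server addresses are documentation placeholders, and the `example.com` zone, the function names and the 2-second timeout are assumptions.

```python
import os, socket, struct, time

def build_query(name, qid):
    """Encode a minimal recursive A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_reply(data, qid):
    """Return the RCODE of a reply that matches qid, or None if it is not ours."""
    if len(data) < 12:
        return None
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid or not flags & 0x8000:  # wrong ID, or QR bit clear (not a reply)
        return None
    return flags & 0x000F  # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN

def probe(server, name, timeout=2.0):
    """Send one query; return (rcode, seconds), or (None, timeout) if no reply came."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_query(name, qid), (server, 53))
        try:
            while True:  # skip datagrams that do not match our query ID
                data, _ = s.recvfrom(4096)
                rcode = parse_reply(data, qid)
                if rcode is not None:
                    return rcode, time.monotonic() - start
        except socket.timeout:
            return None, timeout

def summarize(results):
    """results: list of (rcode, seconds). Reliability is the share of queries answered."""
    answered = [t for r, t in results if r is not None]
    pct = 100.0 * len(answered) / len(results)
    return round(pct, 1), (max(answered) if answered else None)

def run(servers, count=20, zone="example.com"):
    for server in servers:
        # A fresh random label per query means the name cannot already be cached.
        res = [probe(server, "%s.%s" % (os.urandom(8).hex(), zone)) for _ in range(count)]
        print(server, "reliability %.1f%%, slowest answer %s s" % summarize(res))

if __name__ == "__main__":
    run(["192.0.2.53", "198.51.100.53"])  # placeholders: internal cache, external resolver
```

A timeout shorter than the resolver's own retry interval makes slow answers show up as drops, which matches the difference reported above between the Ubuntu and Windows clients.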


