Performance Tuning RHEL 5 and Bind

Stuart Browne stuart.browne at ausregistry.com.au
Sun Oct 20 22:27:01 UTC 2013



> -----Original Message-----
> From: bind-users-bounces+stuart.browne=ausregistry.com.au at lists.isc.org
> [mailto:bind-users-bounces+stuart.browne=ausregistry.com.au at lists.isc.org]
> On Behalf Of brett smith
> Sent: Sunday, 20 October 2013 12:35 PM
> To: sthaug at nethelp.no
> Cc: bind-users at lists.isc.org
> Subject: Re: Performance Tuning RHEL 5 and Bind
> 
> When all the Windows PC's are switched to our resolver, bind stops
> responding.
> rndc querylog shows queries coming thru, I changed  tcp-clients from
> 1000 to 10000 but DNS seems lagging, so we switched back to the
> original Windows Domain resolver. Besides increasing open files
> tuning, what TCP / sysctl or named.conf settings can be set to
> optimize / speed up DNS queries? Because it seems that Windows clients
> use TCP instead of UDP when looking at netstat on the server.
> 
> Thanks. Brett.
> 
> On Sat, Oct 19, 2013 at 3:20 AM,  <sthaug at nethelp.no> wrote:
> >> I need to build a pair DNS cache servers to support 5000+ clients (
> >> PC's and Servers ).  I have been looking for some guides on tuning
> >> BIND and the OS for Enterprise performance rather than the defaults.
> >> The version of bind is bind-9.8.2.
> >
> > 5000 clients is such a low number that I don't think you need to worry
> > about tuning at all.
> >
> > Steinar Haug, Nethelp consulting, sthaug at nethelp.no

If my experience with high-throughput through a redhat system is anything to go by, what you are probably hitting is the IPTables conntrack bucket limits.

The simplest way to avoid this is to bypass connection tracking.

You can do one of the following:

- Turn off iptables (probably not a good idea)
- Turn off conn-tracking and not use the state module, rewriting all rules (nasty)
- Tell iptables to not conntrack for just udp/53 & tcp/53 (iptables -t raw -A PREROUTING -p tcp --dport 53 -j NOTRACK ; iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK)

We use the 3rd method and it works beautifully.  Just ensure your 'filter' rules don't force the use of conntrack for that traffic.  See the man page for more details.

Stuart
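The third method from the reply above, written out as an added example (not Stuart's own script) for a RHEL 5 era iptables with the raw table and the NOTRACK target. It also covers the filter-table caveat: untracked packets never match `--state ESTABLISHED,RELATED`, so they need explicit accepts, and it adds a conntrack fill-level check. The `IPTABLES` variable and the optional directory argument to `conntrack_usage` are this example's own additions.

```shell
#!/bin/sh
# Added example for the bind-users thread, not code from the thread itself.
# Set IPTABLES=echo to preview the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Exempt the inbound query path from connection tracking: queries arriving
# at port 53 (raw/PREROUTING) and the resolver's replies leaving from port 53
# (raw/OUTPUT). Recursion to upstream servers stays tracked; exempting it as
# well would need dport 53 in raw/OUTPUT and sport 53 in raw/PREROUTING, at
# the cost of a stateless accept for any inbound packet with source port 53.
dns_notrack_rules() {
    for proto in udp tcp; do
        "$IPTABLES" -t raw -A PREROUTING -p "$proto" --dport 53 -j NOTRACK
        "$IPTABLES" -t raw -A OUTPUT     -p "$proto" --sport 53 -j NOTRACK
    done
}

# Untracked packets carry no state, so a filter chain that relies on
# '-m state --state ESTABLISHED,RELATED' drops the replies. Insert explicit
# accepts ahead of the stateful rules (-I, not -A) for the same traffic.
dns_filter_rules() {
    for proto in udp tcp; do
        "$IPTABLES" -I INPUT  -p "$proto" --dport 53 -j ACCEPT
        "$IPTABLES" -I OUTPUT -p "$proto" --sport 53 -j ACCEPT
    done
}

# Conntrack table fill level in percent. A value near 100 is the bucket
# limit the reply describes, and usually comes with "table full, dropping
# packet" messages in dmesg. $1 overrides the /proc base for offline tests.
conntrack_usage() {
    dir="${1:-/proc/sys/net}"
    if [ -r "$dir/netfilter/nf_conntrack_count" ]; then
        count=$(cat "$dir/netfilter/nf_conntrack_count")
        max=$(cat "$dir/netfilter/nf_conntrack_max")
    else   # older RHEL 5 kernels expose the ip_conntrack names instead
        count=$(cat "$dir/ipv4/netfilter/ip_conntrack_count")
        max=$(cat "$dir/ipv4/netfilter/ip_conntrack_max")
    fi
    echo "$((count * 100 / max))"
}
```

Run `conntrack_usage` before changing anything: if it is well below 100 while BIND is stalling, conntrack is not the bottleneck and the NOTRACK rules will not help.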

