Performance Tuning RHEL 5 and Bind

Kevin Darcy kcd at
Tue Oct 22 19:29:58 UTC 2013

Are these queries mostly for names in an Active Directory domain? The 
default for Active Directory is for *every* Domain Controller to 
register NS records at the apex of the AD domain. Pretty soon, for any 
reasonably-sized AD infrastructure, all of those NSes cause *all* 
queries for *any* name in the domain to trigger a TCP retry (because the 
Answer + Authority Sections overflow 512 bytes), if EDNS0 is not in 
effect. I sat down with our AD folks a few years ago and impressed upon 
them how important it is to be selective about which Domain Controllers 
are registered at the apex. They appreciated the negative consequences 
of being awash in TCP retries, and it's been managed for some time now 
(at least for our *main* AD domain; don't get me started on the business 
partner that still has 92 NS records at the apex of their AD domain. Sigh.)

Sounds like you might need to have the same discussion with your AD 
guys, if in fact AD is a factor here. Even if the users aren't 
*consciously* looking up AD-related names, if the AD domain is in the 
Suffix Search List and your users' shortname addiction is out of 
control, the combination of the two, along with excess NS records at the 
apex, can ultimately result in a lot of bogus TCP retries. Sometimes you 
can alleviate this with careful ordering or pruning of elements in the 
Suffix Search List.

A lot of folks think that query logging is a drain on resources, and 
anyone who is serious about DNS performance would never turn it on. 
Those folks must not work in a large, chaotic enterprise :-) I find 
query logging, and the associated data-mining tools I've developed over the 
years, invaluable to track down broken and/or obsolete query traffic and 
eliminate it at the source. This saves me *much* more performance than 
the query logging itself costs, as well as being valuable for security 
forensics, incident avoidance (e.g. before I delete this name from DNS, 
let me check whether anyone is still looking it up) and a plethora of 
other useful stuff.

                                 - Kevin

On 10/19/2013 9:34 PM, brett smith wrote:
> When all the Windows PCs are switched to our resolver, bind stops responding.
> rndc querylog shows queries coming through. I changed tcp-clients from
> 1000 to 10000 but DNS seems to be lagging, so we switched back to the
> original Windows Domain resolver. Besides increasing the open-files
> tuning, what TCP / sysctl or named.conf settings can be set to
> optimize / speed up DNS queries? It seems that Windows clients
> use TCP instead of UDP, looking at netstat on the server.
> Thanks. Brett.
> On Sat, Oct 19, 2013 at 3:20 AM,  <sthaug at> wrote:
>>> I need to build a pair of DNS cache servers to support 5000+ clients
>>> (PCs and servers). I have been looking for some guides on tuning
>>> BIND and the OS for enterprise performance rather than the defaults.
>>> The version of bind is bind-9.8.2.
>> 5000 clients is such a low number that I don't think you need to worry
>> about tuning at all.
>> Steinar Haug, Nethelp consulting, sthaug at
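Kevin's point about apex NS records pushing Answer + Authority past 512 bytes can be checked with arithmetic over the DNS wire format. The following is an added example, not code from the list post and not part of BIND: it wire-encodes a constructed authoritative A response (assumed names ad.example.com, fileserver01.ad.example.com and dc000.ad.example.com onward, chosen for this illustration) with RFC 1035 name compression, counts the bytes, and reports at how many apex NS records a client without EDNS0 would receive a truncated (TC) answer and retry over TCP, and how far a typical EDNS0 buffer of 4096 bytes moves that threshold. It goes slightly beyond the post by taking the EDNS0 buffer size as a parameter.

```python
import struct

# Constructed example names (not from the list post): an AD domain whose DCs
# all register NS records at the apex, and one host in it being looked up.
ZONE = "ad.example.com"
QNAME = "fileserver01.ad.example.com"
UDP_LIMIT = 512          # classic DNS-over-UDP payload limit (RFC 1035)
EDNS0_TYPICAL = 4096     # commonly advertised EDNS0 UDP buffer size


def encode_name(name, offsets, msg_len):
    """Wire-encode a domain name with RFC 1035 label compression.

    `offsets` maps every suffix already written (e.g. "ad.example.com") to
    its position in the message; `msg_len` is where this name will start.
    """
    labels = name.rstrip(".").split(".")
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            # 2-byte pointer (top two bits set) back to the earlier copy
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        offsets[suffix] = msg_len + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    out += b"\x00"  # root label terminates an uncompressed name
    return bytes(out)


def build_response(n_ns):
    """Build an authoritative A response for QNAME whose Authority section
    carries one apex NS record per Domain Controller (dc000, dc001, ...)."""
    offsets = {}
    msg = bytearray()
    # Header: ID, flags QR|AA|RD|RA, QDCOUNT=1, ANCOUNT=1, NSCOUNT=n_ns, ARCOUNT=0
    msg += struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, n_ns, 0)
    # Question: QNAME IN A
    msg += encode_name(QNAME, offsets, len(msg))
    msg += struct.pack("!HH", 1, 1)
    # Answer: a single A record (address 10.0.0.1 is constructed)
    msg += encode_name(QNAME, offsets, len(msg))
    msg += struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 0, 1])
    # Authority: NS records at the zone apex, one per DC. Glue in the
    # Additional section is left out: it can be dropped without setting TC,
    # whereas an overflowing Answer + Authority cannot.
    for i in range(n_ns):
        msg += encode_name(ZONE, offsets, len(msg))
        msg += struct.pack("!HHI", 2, 1, 3600)            # type NS, class IN, TTL
        rdata = encode_name(f"dc{i:03d}.{ZONE}", offsets, len(msg) + 2)
        msg += struct.pack("!H", len(rdata)) + rdata      # RDLENGTH + RDATA
    return bytes(msg)


def response_size(n_ns):
    return len(build_response(n_ns))


def would_truncate(n_ns, max_payload=UDP_LIMIT):
    """True if Answer + Authority exceed the client's UDP payload limit,
    i.e. the server must set TC and the client retries over TCP."""
    return response_size(n_ns) > max_payload


def min_ns_for_truncation(max_payload=UDP_LIMIT):
    """Smallest number of apex NS records at which this response no longer
    fits in `max_payload` bytes."""
    n = 1
    while not would_truncate(n, max_payload):
        n += 1
    return n


if __name__ == "__main__":
    for n in (5, 22, 23, 92):
        print(f"{n:3d} NS records -> {response_size(n):5d} bytes, "
              f"TC over plain UDP: {would_truncate(n)}, "
              f"TC with EDNS0/{EDNS0_TYPICAL}: {would_truncate(n, EDNS0_TYPICAL)}")
    print("first NS count that forces TCP without EDNS0:", min_ns_for_truncation())
    print("first NS count that forces TCP even with EDNS0/4096:",
          min_ns_for_truncation(EDNS0_TYPICAL))
```

With these constructed names each apex NS record costs 20 bytes on the wire thanks to compression, so a plain-UDP client is pushed to TCP for every lookup in the zone once there are 23 DCs registered at the apex; the 92-record apex from the post yields a 1901-byte response, which still fits comfortably in a 4096-byte EDNS0 buffer. Real sizes shift with label lengths and with whatever the server adds to the Additional section, so measure against your own zone rather than trusting the constants.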
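The kind of query-log mining Kevin describes (is anyone still looking this name up? which names and clients are arriving over TCP or without EDNS?) needs little more than a line parser and a few counters. The following is an added example, not Kevin's tooling and not part of BIND: it parses constructed lines written in the shape of a BIND 9 query log (assumed layout: timestamp, client address#port, an optional view, qname, class, qtype and a flag field whose letters include E for EDNS and T for TCP) and answers those questions over them.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of a BIND 9 query log (not real traffic).
# The flag field after the qtype starts with '+' or '-' (RD set/unset) and may
# carry letters such as E (EDNS present) and T (query arrived over TCP).
SAMPLE_LOG = """\
22-Oct-2013 14:01:02.001 client 10.1.2.3#51234: query: fileserver01.ad.example.com IN A + (10.0.0.53)
22-Oct-2013 14:01:02.002 client 10.1.2.3#51235: query: fileserver01.ad.example.com IN A +T (10.0.0.53)
22-Oct-2013 14:01:03.117 client 10.1.2.9#40001: query: oldprinter.ad.example.com IN A +E (10.0.0.53)
22-Oct-2013 14:01:04.500 client 10.1.2.9#40002: query: www.example.net IN AAAA +E (10.0.0.53)
22-Oct-2013 14:01:05.000 client 10.1.7.7#33333: query: FileServer01.ad.example.com IN A +T (10.0.0.53)
22-Oct-2013 14:01:05.100 named[1234]: zone ad.example.com/IN: sending notifies (serial 42)
"""

# Assumed query-line layout; the "view NAME:" element only appears when views
# are configured, so it is optional here.
LOG_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+): (?:view \S+: )?query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)


class QueryStats:
    """Per-qname counters: total queries, distinct clients, TCP and non-EDNS."""
    def __init__(self):
        self.count = 0
        self.clients = set()
        self.tcp = 0
        self.no_edns = 0


def parse_query_line(line):
    """Return the fields of one query-log line, or None for non-query lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")[1:]          # drop the leading +/- (RD bit)
    return {
        "client": m.group("addr"),
        "qname": m.group("qname").rstrip(".").lower(),   # DNS names are case-insensitive
        "qtype": m.group("qtype"),
        "tcp": "T" in flags,
        "edns": "E" in flags,
    }


def summarize(lines):
    """Aggregate query lines into a dict of qname -> QueryStats."""
    stats = defaultdict(QueryStats)
    for line in lines:
        q = parse_query_line(line)
        if q is None:
            continue
        s = stats[q["qname"]]
        s.count += 1
        s.clients.add(q["client"])
        s.tcp += q["tcp"]
        s.no_edns += not q["edns"]
    return dict(stats)


def still_in_use(stats, name):
    """The pre-deletion check: has anyone looked this name up in the log window?"""
    return name.rstrip(".").lower() in stats


def tcp_share(stats):
    """Fraction of all logged queries that arrived over TCP."""
    total = sum(s.count for s in stats.values())
    tcp = sum(s.tcp for s in stats.values())
    return tcp / total if total else 0.0


def tcp_hotspots(stats):
    """(qname, tcp_count, no_edns_count) for names seen over TCP, worst first:
    the candidates to check against the 'many apex NS records, no EDNS0' pattern."""
    return sorted(((n, s.tcp, s.no_edns) for n, s in stats.items() if s.tcp),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    print("TCP share:", tcp_share(stats))
    print("TCP hotspots:", tcp_hotspots(stats))
    for name in ("oldprinter.ad.example.com", "decommissioned.ad.example.com"):
        print(name, "still queried:", still_in_use(stats, name))
```

On a real server the input would be the `queries` channel file (or syslog) rather than the embedded sample; the parser ignores lines that are not queries, so it can be pointed at a mixed named log. Because the log records queries and not responses, this tells you what is being asked and how it arrived, not whether it was answered with TC, so pair it with a packet capture when confirming the truncation diagnosis.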
