Performance Tuning RHEL 5 and Bind

brett smith brett.s9999 at
Wed Oct 23 00:29:01 UTC 2013

 Yes tuning off IPTABLES conn-tracking makes a huge difference. I also followed:

I still see some SYN_SENT from Windows PC's on tcp port 53 on the DNS
cache server.

Thank You, Brett

On Sun, Oct 20, 2013 at 6:27 PM, Stuart Browne
<stuart.browne at> wrote:
>> -----Original Message-----
>> From: at
>> [ at]
>> On Behalf Of brett smith
>> Sent: Sunday, 20 October 2013 12:35 PM
>> To: sthaug at
>> Cc: bind-users at
>> Subject: Re: Performance Tuning RHEL 5 and Bind
>> When all the Windows PC's are switched to our resolver, bind stops
>> responding.
>> rndc querylog shows queries coming thru, I changed  tcp-clients from
>> 1000 to 10000 but DNS seems lagging, so we switched back to the
>> original Windows Domain resolver. Besides increasing open files
>> tuning, what TCP / sysctl or named.conf settings can be set to
>> optimize / speed up DNS queries? Because it seems that Windows clients
>> use TCP instead of UDP when looking at netstat on the server.
>> Thanks. Brett.
>> On Sat, Oct 19, 2013 at 3:20 AM,  <sthaug at> wrote:
>> >> I need to build a pair DNS cache servers to support 5000+ clients (
>> >> PC's and Servers ).  I have been looking for some guides on tuning
>> >> BIND and the OS for Enterprise performance rather than the defaults.
>> >> The version of bind is bind-9.8.2.
>> >
>> > 5000 clients is such a low number that I don't think you need to worry
>> > about tuning at all.
>> >
>> > Steinar Haug, Nethelp consulting, sthaug at
> If my experience with high-throughput through a redhat system is anything to go by, what you are probably hitting is the IPTables conntrack bucket limits.
> The simplest way to avoid this is to bypass connection tracking.
> You can do one of the following:
> - Turn off iptables (probably not a good idea)
> - Turn off conn-tracking and not use the state module, rewriting all rules (nasty)
> - Tell iptables to not conntrack for just udp/53 & tcp/53 (-A -t raw -j NOTRACK -m tcp -p tcp --dport 53 ; -A -t raw -j NOTRACK -m udp -p udp --dport 53)
> We use the 3rd method and it works beautifully.  Just ensure you're 'filter' rules don't force the use of conntrack for that traffic.  See the man page for more details.
> Stuart

More information about the bind-users mailing list