Performance Tuning RHEL 5 and Bind

Carsten Strotmann cas at
Thu Oct 24 20:05:25 UTC 2013


Kevin Darcy <kcd at> writes:

> Are these queries mostly for names in an Active Directory domain? The
> default for Active Directory is for *every* Domain Controller to
> register NS records at the apex of the AD domain. Pretty soon, for any
> reasonably-sized AD infrastructure, all of those NSes cause *all*
> queries for *any* name in the domain to trigger a TCP retry (because
> the Answer + Authority Sections overflow 512 bytes), if EDNS0 is not
> in effect. I sat down with our AD folks a few years ago and impressed
> upon them how important it is to be selective about which Domain
> Controllers are registered at the apex. They appreciated the negative
> consequences of being awash in TCP retries, and it's been managed for
> some time now (at least for our *main* AD domain; don't get me started
> on the business partner that still has 92 NS records at the apex of
> their AD domain. Sigh)

Good point.

Increasing the EDNS0 UDP size might also be an option (default is 1280
for Windows DNS) ->

It is possible to tell some less critical DCs not to register themselves in

-- Carsten
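As an added illustration of the size arithmetic behind Kevin's point (this is example code written for this page, not something from the thread or from BIND), the script below builds an authoritative A response in RFC 1035 wire format, with proper label compression, for a name inside an AD domain whose apex carries N NS records, and reports at what N the Answer + Authority sections no longer fit in 512 bytes (and, for comparison, in the 1280-byte EDNS0 buffer mentioned above). The domain `corp.example.com`, the `dcNN` host names and the addresses are constructed for the example; the glue addresses and the TTL are arbitrary.

```python
"""Added example (not part of the mailing-list post): estimate the wire size of a
DNS response for a name in an AD domain whose apex carries N NS records, to see
when Answer + Authority outgrow the 512-byte pre-EDNS0 UDP limit. The domain,
host names and addresses below are constructed for illustration."""
import ipaddress
import struct

UDP_LIMIT_CLASSIC = 512        # RFC 1035 UDP payload limit when EDNS0 is not in effect
UDP_LIMIT_WINDOWS_EDNS = 1280  # default EDNS0 buffer size quoted for Windows DNS
QNAME = "host.corp.example.com"   # constructed: a name inside the AD domain
APEX = "corp.example.com"         # constructed: the AD domain apex
ANSWER_IP = "10.0.0.5"            # constructed: the A record returned for QNAME


def encode_name(name, offsets, pos):
    """Encode NAME in wire format with RFC 1035 label compression.

    OFFSETS maps each already-emitted suffix to its message offset; POS is the
    offset at which this name starts, so new suffixes can be recorded."""
    labels = [lb.encode("ascii") for lb in name.lower().rstrip(".").split(".") if lb]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = b".".join(labels[i:])
        if suffix in offsets:                       # tail already present: 2-byte pointer
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        here = pos + len(out)
        if here < 0x4000:                           # pointers only address 14 bits
            offsets[suffix] = here
        out += bytes([len(label)]) + label
    out += b"\x00"                                  # root label terminates the name
    return bytes(out)


def rr(owner, rtype, rdata_fn, offsets, pos, ttl=3600):
    """Build one resource record; RDATA_FN(offsets, rdata_offset) returns the RDATA."""
    out = bytearray(encode_name(owner, offsets, pos))
    out += struct.pack("!HHI", rtype, 1, ttl)       # TYPE, CLASS IN, TTL
    rdlen_at = len(out)
    out += b"\x00\x00"                              # RDLENGTH, patched below
    rdata = rdata_fn(offsets, pos + len(out))
    struct.pack_into("!H", out, rdlen_at, len(rdata))
    out += rdata
    return bytes(out)


def build_response(qname, apex, dc_hosts, answer_ip, include_glue=False):
    """Authoritative A response: 1 Answer, one apex NS per DC in Authority,
    optionally one glue A per DC in Additional. Returns (wire, section_sizes)."""
    offsets = {}
    msg = bytearray()
    arcount = len(dc_hosts) if include_glue else 0
    msg += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, len(dc_hosts), arcount)  # QR|AA
    msg += encode_name(qname, offsets, len(msg)) + struct.pack("!HH", 1, 1)     # A IN
    q_end = len(msg)
    msg += rr(qname, 1, lambda o, p: ipaddress.IPv4Address(answer_ip).packed, offsets, len(msg))
    an_end = len(msg)
    for host in dc_hosts:                           # NS RDATA is the DC's host name
        msg += rr(apex, 2, lambda o, p, h=host: encode_name(h, o, p), offsets, len(msg))
    ns_end = len(msg)
    if include_glue:
        for i, host in enumerate(dc_hosts):         # constructed glue addresses 10.1.x.y
            glue = bytes([10, 1, i // 256, i % 256])
            msg += rr(host, 1, lambda o, p, g=glue: g, offsets, len(msg))
    sizes = {"header": 12, "question": q_end - 12, "answer": an_end - q_end,
             "authority": ns_end - an_end, "additional": len(msg) - ns_end}
    return bytes(msg), sizes


def response_size(n_dcs, include_glue=False):
    """Total wire size (and per-section sizes) when N_DCS controllers register at the apex."""
    dcs = [f"dc{i:02d}.{APEX}" for i in range(1, n_dcs + 1)]
    wire, sizes = build_response(QNAME, APEX, dcs, ANSWER_IP, include_glue)
    return len(wire), sizes


def would_truncate(n_dcs, udp_limit=UDP_LIMIT_CLASSIC):
    """True when Answer + Authority alone exceed UDP_LIMIT. Glue is left out of the
    estimate because a server can omit Additional data without setting TC."""
    size, _ = response_size(n_dcs, include_glue=False)
    return size > udp_limit


def max_ns_without_tc(udp_limit=UDP_LIMIT_CLASSIC):
    """Largest apex NS count whose Answer + Authority still fit in UDP_LIMIT bytes."""
    n = 0
    while not would_truncate(n + 1, udp_limit):
        n += 1
    return n


if __name__ == "__main__":
    for limit in (UDP_LIMIT_CLASSIC, UDP_LIMIT_WINDOWS_EDNS):
        print(f"limit {limit}: up to {max_ns_without_tc(limit)} apex NS records fit")
    for n in (5, 25, 92):
        size, sizes = response_size(n)
        print(f"{n:3d} NS -> {size:5d} bytes  {sizes}")
```

With these constructed names each compressed apex NS record costs 19 bytes on the wire, so the response crosses 512 bytes at the 25th NS record, and the 92-record apex from Kevin's anecdote comes to about 1.8 KB, which does not fit even in a 1280-byte EDNS0 buffer. The estimate deliberately counts only Answer + Authority, since that is the combination the post identifies as forcing the TCP retry; real responses also carry glue in Additional, which the `include_glue` flag lets you add to see the full size.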
