Need to improve named performance
Ed LaFrance
edl at connexinternet.com
Sun Nov 11 01:44:08 UTC 2012
Hello Alan -
I will do an upgrade as soon as I get chance - a bit tied up right now.
But in any case, since I posted this I've done some query logging for a
bit and find that I'm getting an average of about 60 queries per second.
All the dns queries are coming in via udp - the connections I mentioned
are likewise udp. As I mentioned before, netstat shows the udp Recv-Q
filling up on the two IPs on that server that are taking the requests.
There's a basic firewall setup on the server; only the ports I need are open:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10022
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5901
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8550
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
As far as recursing goes:
/usr/sbin/rndc recursing
rndc: 'recursing' failed: permission denied
Any ideas are welcome....
Ed
On 11/10/2012 3:46 PM, Alan Clegg wrote:
>
> On Nov 10, 2012, at 1:39 PM, Ed LaFrance <edl at connexinternet.com> wrote:
>
>> When I check the router above this server I'll see 200 - 500
>> legitimate connections to this server at any given time.
>
> Having sent my snarky "update" e-mail, I now ask... you say later in
> the mail that you are doing about 20 queries per second (which I
> agree should be handled by any hardware with more oomph than a
> Z-80).
>
> I'm curious as to what these "200-500 legitimate connections" are.
> Are they TCP? If so, are you seeing lots of TCP connections hanging
> around? Do you have some firewall in the midst of this that might be
> messing around with TCP connections?
>
> If you do a "rndc recursing", what do you get?
>
> If you are only doing 20-30 transactions per second, the stats on the
> UDP counts would have taken a long time to get there... something
> doesn't add up.
>
> AlanC
--
(800) 362-7579 ext 1
+-------------------------------------------------------+
+ Colocation Dedicated Servers IPv4 & IPv6 Transit +
+-------------------------------------------------------+
Connex Internet Services, Inc. direct: (916) 265-1568
11230 Gold Express Dr #310-313 fax: (916) 880-5663
Gold River, CA 95670 http://connexinternet.com
+-------------------------------------------------------+
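A small check, added here and not part of the thread, that parses `netstat -nu` output and flags the port-53 UDP listeners whose Recv-Q has filled most of the socket receive buffer (the symptom Ed describes above). The sample netstat lines and the 212992-byte buffer size are constructed assumptions; read the real value from `sysctl net.core.rmem_default` on the host you check.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -nu` output (net-tools column layout), not
# taken from the thread: two port-53 listeners are backing up, one is fine.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp    212992      0 192.0.2.10:53           0.0.0.0:*
udp    196608      0 192.0.2.11:53           0.0.0.0:*
udp         0      0 127.0.0.1:53            0.0.0.0:*
udp         0      0 192.0.2.10:5353         0.0.0.0:*
"""

# Assumed kernel default receive buffer (net.core.rmem_default) in bytes.
RMEM_DEFAULT = 212992

# Proto, Recv-Q, Send-Q, local addr:port; accepts both "udp" and "udp6" rows.
LINE_RE = re.compile(r"^udp6?\s+(\d+)\s+(\d+)\s+(\S+):(\d+)\s+\S+")


def parse_udp_sockets(text: str) -> List[Tuple[str, int, int]]:
    """Return (local_addr, local_port, recv_q_bytes) for each UDP socket row."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            recv_q, _send_q, addr, port = m.groups()
            sockets.append((addr, int(port), int(recv_q)))
    return sockets


def backlogged_dns_sockets(text: str, rmem_bytes: int = RMEM_DEFAULT,
                           threshold: float = 0.5) -> Dict[str, float]:
    """Map local address -> Recv-Q as a fraction of the receive buffer for
    port-53 UDP sockets whose backlog is at or above `threshold`.

    A socket sitting near 1.0 means named is not draining queries as fast
    as they arrive; the kernel drops new datagrams once the buffer is full."""
    result = {}
    for addr, port, recv_q in parse_udp_sockets(text):
        if port != 53:
            continue
        fill = recv_q / rmem_bytes
        if fill >= threshold:
            result[addr] = round(fill, 2)
    return result
```

Run it against live output with `netstat -nu | python3 -c 'import sys; ...'` or by reading stdin into `backlogged_dns_sockets`; a listener that stays near 1.0 across several samples is dropping queries.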