BIND 9.10 fast only on alias IP

Mukund Sivaraman muks at mukund.org
Mon May 20 13:03:16 UTC 2019


On Mon, May 20, 2019 at 10:06:09AM +0200, Ict Security wrote:
> Dear guys,
> 
> I am experiencing a very strange behaviour of Bind under busy peak time.
> 
> With a quite important number of incoming DNS queries, responses are
> really, really slow;
> sometimes they even get stuck.
> 
> If I try to query, in those busy moments, an alias secondary IP
> address of the same machine, the response is really immediate!
> 
> I have disabled connection tracking and raised up nf_conntrack_max.
> In system logs, I do not see any limitations or buffer full.
> 
> Do I need to balance incoming connections on more alias IPs?
> Or shall I change some other parameters which I am not aware of at the moment?

It's not possible to say exactly what's going on without more detailed
info. It's possible that named has reached its query performance limit
and so the recv queue is at its max capacity for that listening
socket. Possibly queries are getting dropped due to this. In that case,
increasing the recv queue is unlikely to help and possibly just cause
bloat. See what "netstat -lu" or "ss -lu" tells you, and load of the
system.

Possibly you can attempt to mitigate this by tuning various knobs, e.g.,
disable excessive logging and query logging, increase the number of UDP
listeners and worker threads to match your CPU count, etc. There isn't
much that can be improved on 9.10 I'm afraid.

You may want to try BIND 9.12+ that has performance optimizations.

		Mukund
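
The "ss -lu" check suggested in the reply above, as an added example that is not part of the original message: it reads `ss -lun` output and reports the port 53 UDP listeners whose Recv-Q is near the socket receive buffer size, which is how a backed-up primary address shows up next to an idle alias address. The function names, the sample output and the 80% threshold are constructed for illustration, and the buffer size is assumed to equal net.core.rmem_default; pass the real value if the socket uses another size.

```shell
#!/bin/sh
# Flag UDP listeners on port 53 whose receive queue is close to full.
# Reads `ss -lun` style output on stdin.
#   $1 = fill percentage that counts as "backed up" (assumed default: 80)
#   $2 = socket receive buffer size in bytes (assumed default: 212992)
busy_dns_sockets() {
    awk -v pct="${1:-80}" -v rcvbuf="${2:-212992}" '
        NR == 1 {
            # Locate the Recv-Q column from the header; a leading Netid
            # column is only present when ss lists several socket types.
            for (i = 1; i <= NF; i++) if ($i == "Recv-Q") q = i
            next
        }
        # In data rows the local address is two fields after Recv-Q.
        q && $(q + 2) ~ /:53$/ {
            fill = int($q * 100 / rcvbuf)
            if (fill >= pct)
                printf "%s recv-q=%d (%d%% of %d)\n", $(q + 2), $q, fill, rcvbuf
        }'
}

# Constructed sample (not from the original thread): one busy address,
# one idle alias address, loopback, and an unrelated mDNS listener.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 212480 0      192.0.2.10:53      0.0.0.0:*
UNCONN 0      0      192.0.2.11:53      0.0.0.0:*
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
UNCONN 4352   0      0.0.0.0:5353       0.0.0.0:*
EOF
}

sample_ss_output | busy_dns_sockets 80 212992

# On a live host:
#   ss -lun | busy_dns_sockets 80 "$(cat /proc/sys/net/core/rmem_default)"
```

A listener that stays near 100% across repeated runs while the system is loaded matches the "recv queue at max capacity" case described in the reply.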

