BIND 4 / 8 / 9 performance

Doug Barton DougB at gorean.org
Fri Feb 16 07:28:48 UTC 2001


John Jetmore wrote:

> My company currently runs BIND 4.9.8 on all of our production servers.

	I understand how things like this happen (believe me), however you have
to impress upon your superiors that the current situation leaves you
vulnerable to any number of direct denial of service attacks, not to
mention the possibility of a network penetration. Capitalize on the
recent publicity regarding this issue. You can find URLs that explain
the issues in pointy-hair speak all over the net.

> Two of them are our main name servers, the others are all caching servers.
> Currently, one of our main servers is doing ~55 requests/sec, and the
> other is doing ~80 requests/sec.  Because of a high-demand application,
> one of the caching servers does ~85 requests/sec.  Our two main servers
> are authoritative for around 980 domains.

	I vaguely recall a bug in 4.x that caused problems with more than 1k
zones... does anyone else have ammo in this area for John here?

> All but one of our production servers are 4 processor Ultrasparc IIs
> running solaris 2.6.  All but one (not the same one) have 1 gig of ram.
> The other has 2 gigs.

	That's honestly way more machine than you need. I run one of the ns
farms for our company that is authoritative for several orders of
magnitude more domains, and gets many times more queries per second on
similar sun hardware. The load average hovers between .3 and .5, and the
idle cpu is roughly 75%. I have a personal preference for over-spec'ing
machines, since hardware is MUCH cheaper than downtime, especially for a
mission critical system like DNS. Personally, I would upgrade to solaris
2.7 in the process, since 2.6 has some memory management and thread
problems that slowed me down till I upgraded. 

> As these values continue to rise, the toll named is taking on the machines
> begins to rise also.  We are very aware of the need to upgrade to at least
> BIND 8, but we need some data to convince management to release manpower
> to do this. 

	Provided that your config and zone files are currently syntactically
correct, the upgrade should be relatively painless. I suggest that you
get a machine with similar hardware, get a solaris 2.7 installation on
it that you feel comfortable with, install bind 8.2.3, duplicate your config
and zone files and get everything up to speed. Then you can swap
machines, system disks, or whatever works for you to get your test box
into production. Once you're happy with your first updated machine,
duplicate the swapout process to replace your other nameserver. 

> Specifically, does anyone have numbers on the performance
> increase realized from a transition from 4 to 8, or from 8 to 9?  Numbers
> in terms of percentage of processor used would be most useful, but any
> numbers could be leveraged to give perspective.

	Honestly, performance isn't your goal here (or shouldn't be, since it's
hard to believe that you're hitting any system limits); security is the
approach you want to take. Ask them how much time they think it would
take to recover from a system compromise, vs. the required time for a
necessary security update. That said, solaris 2.7 and bind 8.2.3 should
outperform your current configuration, although the difference should be
hard to measure. 

Good luck,

Doug
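The "duplicate your config and zone files" step of the swap-out described above is where a BIND 4 to 8 move actually changes format: named.boot directives become named.conf statements. BIND 8 ships its own converter (named-bootconf) for this; the script below is an added illustration, not part of the original post or of BIND, working on a constructed sample boot file and rejecting any directive it does not know rather than silently dropping it.

```python
import re

# Constructed BIND 4 named.boot sample; not taken from any real server.
SAMPLE_BOOT = """\
; BIND 4 boot file
directory /etc/namedb
primary example.com example.com.db
primary 2.0.192.in-addr.arpa 192.0.2.rev
secondary example.org 192.0.2.1 192.0.2.2 example.org.bak
cache . root.cache
forwarders 192.0.2.53
options forward-only no-recursion
"""

def convert_boot(text):
    """Translate the common named.boot directives into BIND 8 named.conf text."""
    options, zones = [], []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()   # ';' starts a comment in named.boot
        if not line:
            continue
        words = line.split()
        key, args = words[0].lower(), words[1:]
        if key == 'directory':
            options.append('directory "%s";' % args[0])
        elif key == 'primary':
            zones.append('zone "%s" { type master; file "%s"; };' % (args[0], args[1]))
        elif key == 'secondary':
            # secondary <zone> <master ip>... [backup file]: the trailing word is
            # the backup file only if it is not an address
            masters = [a for a in args[1:] if re.match(r'^\d+\.\d+\.\d+\.\d+$', a)]
            body = 'type slave; masters { %s; };' % '; '.join(masters)
            if len(masters) < len(args) - 1:
                body += ' file "%s";' % args[-1]
            zones.append('zone "%s" { %s };' % (args[0], body))
        elif key == 'cache':
            zones.append('zone "." { type hint; file "%s"; };' % args[1])
        elif key == 'forwarders':
            options.append('forwarders { %s; };' % '; '.join(args))
        elif key == 'options':
            if 'forward-only' in args:
                options.append('forward only;')
            if 'no-recursion' in args:
                options.append('recursion no;')
        else:
            # fail loudly: an unconverted directive would change server behaviour
            raise ValueError('unhandled named.boot directive: %s' % key)
    out = ['options {'] + ['\t' + o for o in options] + ['};'] + zones
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(convert_boot(SAMPLE_BOOT))
```

Feed the generated named.conf to the test machine first, as the post suggests, and compare answers from old and new servers before the swap.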