Reliability and performance on a simple caching BIND9 server for uncached queries

Mark Andrews marka at isc.org
Sun Mar 13 00:47:51 UTC 2011


In message <AANLkTikU23PYyJizEddLmMoi7rWVBuXP8WXoUDEowH4B at mail.gmail.com>, Khoury Brazil writes:
> Hi,
> 
> I've noticed some speed and reliability issues with my BIND9 boxes
> relating to uncached external queries. External queries that return NX
> seem to be the worst offenders in these tests and are what I've
> focused on during my testing. I've confirmed it using a simple
> benchmarking tool called DNS Benchmark and some simple testing on my
> part. DNS Benchmark points out that my BIND9 boxes "aren't reliable"
> because "lookup requests that are dropped and ignored by nameservers
> cause significant delays in Internet access" to quote the software.
> DNS Benchmark compares your name servers against external name servers
> and it shows my boxes as 86% reliable compared to the general list
> (which includes the level 3 servers, Cox, Symantec, etc) which are,
> for the most part at 100%. I'm guessing this has to do with the
> software timing out.
> 
> Doing a simple test using nslookup doing uncached external lookups (on
> Ubuntu and one Windows client):
> No delay using nslookup or dig directly from my bind boxes to the
> external name servers. This indicates to me that the bottleneck
> doesn't exist between my internal and ISP's name servers.
> No delay when using nslookup or dig from a client machine on my
> network to the external name servers. This indicates to me that the
> client isn't the issue.
> A long delay with Ubuntu clients looking up against my internal BIND
> boxes; timeouts with Windows and nslookup (due to its shorter
> timeout).
> 
> Internal queries are fast using all of the above tests (the BIND box
> forwards to different internal name servers that are authoritative for
> our internal name space). This indicates to me that it isn't my bind
> boxes being slow in general.
> 
> Is it normal to see slow responses when querying for uncached
> non-existent domains? I've noticed that other external queries could
> be faster, but these are really bad. When I query my internal bind
> boxes that are authoritative for my internal domain directly they
> respond instantly for NX domains. I don't admin those though so have
> no insight into their configuration beyond the fact that they run on
> some nix flavor and are BIND* boxes.
> 
> Thanks for any insight.

Try asking your ISP's nameserver with "dig +dnssec".   I suspect that
your firewall/NAT doesn't handle the larger responses.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
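
The comparison suggested in the reply above, as an added example that is not part of the original thread or of BIND: it sends the same name once as a plain query and once with an EDNS0 OPT record and the DO bit set, which is what "dig +dnssec" requests, and compares the two outcomes. The 4096-byte advertised buffer size, the function names and the sample reply are assumptions made for this sketch.

```python
import socket
import struct
import sys

def build_query(name, dnssec=False, bufsize=4096, qid=0x1234):
    """Encode a recursive A query; dnssec=True appends an EDNS0 OPT RR with DO set."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    if dnssec:
        # OPT RR: root owner, TYPE 41, CLASS = advertised UDP size, TTL flags DO=0x8000
        msg += b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return msg

def probe(server, name, dnssec, timeout=3.0):
    """Send one UDP query; return the raw reply, or None if nothing arrives in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, dnssec), (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

def summarize(reply):
    """Reduce a reply to the fields that matter here: size, TC bit, RCODE."""
    if reply is None or len(reply) < 12:
        return None
    flags = struct.unpack("!H", reply[2:4])[0]
    return {"size": len(reply), "tc": bool(flags & 0x0200), "rcode": flags & 0x000F}

def diagnose(plain, signed):
    """Compare the plain reply with the EDNS0/DO reply for the same name."""
    p, s = summarize(plain), summarize(signed)
    if p is None:
        return "no answer even without EDNS: problem is not specific to large responses"
    if s is None:
        return "plain query answered, DO query lost: consistent with large responses being dropped"
    if s["tc"]:
        return "DO reply truncated: resolver has to retry over TCP"
    return "both answered (%d vs %d bytes): large UDP responses pass" % (p["size"], s["size"])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <server-ip> <name>
        srv, qn = sys.argv[1], sys.argv[2]
        print(diagnose(probe(srv, qn, False), probe(srv, qn, True)))
    else:  # constructed NXDOMAIN reply: 12-byte header plus padding
        small = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x01\x00\x00" + b"\x00" * 88
        print(diagnose(small, None))
```

Run it from the BIND box against the ISP's nameserver with a name that does not exist, so the DO reply carries the signed denial records that make it large.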


