Need to improve named performance

Ed LaFrance edl at connexinternet.com
Sun Nov 11 01:44:08 UTC 2012


Hello Alan -

I will do an upgrade as soon as I get a chance - a bit tied up right now. 
But in any case, since I posted this I've done some query logging for a 
bit and find that I'm getting an average of about 60 queries per second. 
All the DNS queries are coming in via UDP - the connections I mentioned 
are likewise UDP. As I mentioned before, netstat shows the UDP Recv-Q 
filling up on the two IPs on that server that are taking the requests.

There's a basic firewall setup on the server, only ports I need are open:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10022
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5901
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8550
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

As far as recursing goes:

/usr/sbin/rndc recursing
rndc: 'recursing' failed: permission denied

Any ideas are welcome....

Ed


On 11/10/2012 3:46 PM, Alan Clegg wrote:
>
> On Nov 10, 2012, at 1:39 PM, Ed LaFrance <edl at connexinternet.com>
> wrote:
>
>> When I check the router above this server I'll see 200 - 500
>> legitimate connections to this server at any given time.
>
> Having sent my snarky "update" e-mail, I now ask... you say later in
> the mail that you are doing about 20 queries per second (which I
> agree should be handled by any hardware with more oomph than a
> Z-80).
>
> I'm curious as to what these "200-500 legitimate connections" are.
> Are they TCP?  If so, are you seeing lots of TCP connections hanging
> around?  Do you have some firewall in the midst of this that might be
> messing around with TCP connections?
>
> If you do a "rndc recursing", what do you get?
>
> If you are only doing 20-30 transactions per second, the stats on the
> UDP counts would have taken a long time to get there... something
> doesn't add up.
>
> AlanC
-- 
(800) 362-7579 ext 1

+-------------------------------------------------------+
+ Colocation    Dedicated Servers   IPv4 & IPv6 Transit +
+-------------------------------------------------------+
Connex Internet Services, Inc.     direct: (916) 265-1568
11230 Gold Express Dr #310-313        fax: (916) 880-5663
Gold River, CA 95670            http://connexinternet.com
+-------------------------------------------------------+
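The two measurements the thread turns on are the query rate taken from BIND's query log and the UDP Recv-Q that netstat reports on the listening sockets. The script below is an added example, not code from the post or from ISC: it parses BIND 9 query-log lines to compute average and peak queries per second and the busiest client addresses, and parses `netstat -anu` output to flag port-53 UDP sockets whose receive queue (bytes, on Linux) is non-empty. All sample log and netstat lines are constructed for the example; the addresses and counts are not from the thread.

```python
"""Load and backlog checks for a BIND resolver whose UDP Recv-Q keeps filling.

Added example; the sample data below is constructed, not taken from the post.
"""
import re
from collections import Counter
from datetime import datetime

# BIND 9 query-log line, e.g.
#   10-Nov-2012 15:46:01.123 client 192.0.2.10#51234: query: www.example.com IN A + (203.0.113.5)
# The optional "queries: info:" prefix and "(view)" suffix appear with some logging configs.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?:queries: info: )?"
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
)

# Linux `netstat -anu` data line: proto, Recv-Q, Send-Q, local address, foreign address.
NETSTAT_UDP_RE = re.compile(r"^udp6?\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+(?P<local>\S+)\s+\S+")


def parse_query_log(lines):
    """Return (second, client_ip, qname, qtype) for every well-formed query-log line."""
    records = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # not a query line (or malformed): skip rather than guess
        second = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        records.append((second, m.group("ip"), m.group("name"), m.group("qtype")))
    return records


def qps_stats(records):
    """Average and peak queries per second over the logged window.

    The average divides by the wall-clock span from first to last second
    (inclusive), so idle seconds count: that is what a load figure should mean.
    """
    if not records:
        return {"total": 0, "seconds": 0, "avg_qps": 0.0, "peak_qps": 0, "peak_second": None}
    per_second = Counter(r[0] for r in records)
    first, last = min(per_second), max(per_second)
    span = int((last - first).total_seconds()) + 1
    peak_second, peak = per_second.most_common(1)[0]
    return {
        "total": len(records),
        "seconds": span,
        "avg_qps": len(records) / span,
        "peak_qps": peak,
        "peak_second": peak_second.strftime("%H:%M:%S"),
    }


def top_clients(records, n=3):
    """Busiest source addresses; one address dominating suggests abuse rather than organic load."""
    return Counter(r[1] for r in records).most_common(n)


def udp_recvq_backlog(netstat_lines, port=53):
    """Map local address -> Recv-Q for UDP sockets on `port` whose receive queue is non-empty.

    A Recv-Q that stays non-zero across repeated samples means the daemon is not
    draining the socket as fast as datagrams arrive.
    """
    backlog = {}
    for line in netstat_lines:
        m = NETSTAT_UDP_RE.match(line)
        if not m or not m.group("local").endswith(f":{port}"):
            continue
        recvq = int(m.group("recvq"))
        if recvq > 0:
            backlog[m.group("local")] = recvq
    return backlog


# Constructed sample data (addresses are documentation ranges; not from the thread).
SAMPLE_QUERY_LOG = """\
10-Nov-2012 15:46:01.101 client 192.0.2.10#51234: query: www.example.com IN A + (203.0.113.5)
10-Nov-2012 15:46:01.340 client 192.0.2.11#40001: query: example.net IN MX - (203.0.113.5)
10-Nov-2012 15:46:01.870 client 192.0.2.10#51235: query: mail.example.com IN AAAA +E (203.0.113.6)
10-Nov-2012 15:46:02.004 client 198.51.100.7#1024: query: isc.org IN ANY + (203.0.113.5)
10-Nov-2012 15:46:02.005 client 198.51.100.7#1024: query: isc.org IN ANY + (203.0.113.5)
10-Nov-2012 15:46:02.006 client 198.51.100.7#1024: query: isc.org IN ANY + (203.0.113.5)
10-Nov-2012 15:46:02.007 client 198.51.100.7#1024: query: isc.org IN ANY + (203.0.113.5)
10-Nov-2012 15:46:02.500 client 192.0.2.10#51236: query: www.example.com IN A + (203.0.113.5)
10-Nov-2012 15:46:02.900 client 192.0.2.12#53000: query: ns1.example.org IN A + (203.0.113.6)
this line is not a query-log entry and must be skipped
10-Nov-2012 15:46:04.120 client 192.0.2.11#40002: query: example.net IN A + (203.0.113.5)
10-Nov-2012 15:46:04.121 client 192.0.2.11#40003: query: example.net IN A + (203.0.113.5)
""".splitlines()

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp   212992      0 203.0.113.5:53          0.0.0.0:*
udp        0      0 203.0.113.6:53          0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp6       0      0 :::53                   :::*
""".splitlines()

if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_QUERY_LOG)
    print(qps_stats(recs))
    print(top_clients(recs))
    print(udp_recvq_backlog(SAMPLE_NETSTAT))
```

Take the netstat sample a few times some seconds apart: a queue that empties between samples is a burst, one that stays full is a server that has stopped reading. The `rndc recursing` error in the post is a separate matter: that command asks named to write its list of in-progress recursive queries to the `recursing-file` (by default `named.recursing` in named's working directory), so a "permission denied" from it normally means named cannot write that file, not that rndc itself was refused.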
