High performance DNS server configuration?

/dev/rob0 rob0 at gmx.co.uk
Thu Sep 15 13:41:25 UTC 2016


On Thu, Sep 15, 2016 at 02:20:16PM +0300, Pekka Jalonen wrote:
> I'm looking for a solution for a very high performance DNS server.
> 
> Background information;
> We are running centos-release-6-8.el6.centos.12.3.x86_64
> 
> Hardware is Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz with 32 GB 
> memory and SSD disks (with raid controller).
> 
> We have local bind running at same box (bind, caching) with default 
> configuration.

Ask on a CentOS list if you don't wish to provide the configuration 
in use.  We don't all know what "default" means there.

> Server is mail server with ~+150 K users.
> 
> The problem is procmail + postfix with RBLs (zen.spamhaus.org and 
> others).

Hmm, procmail, why?  Is that doing DNS lookups?  Sounds ugly.

Are you using postscreen(8)?  If not, why not?  I would strongly 
suggest upgrading to a recent Postfix version (the "ghettoforge" RPM 
repo might be an easy way to do this), then implement postscreen.

> A really big problem is spam botnets; on some days we can get over 
> 5-6 million messages per day or even more.
> 
> Procmail/postfix does every check per message at the local DNS 
> server (localdns => RBLs), and the average check time is 1-2 sec per 
> message, which is too much.
> 
> We are getting very fancy error messages etc ...
> named[10008]: error (connection refused) resolving
> 'ns1.actcorp.co.in/A/IN': 162.251.82.251#53
> named[10008]: error (connection refused) resolving
> 'www.sleekgroup.co.uk/A/IN': 104.155.71.90#53

If your queries are refused, you can't fix that with tweaks to your 
named.conf(5).  For some reason the destination server has been 
configured not to allow your queries.  That condition will still 
exist after any changes you make to your system.

> named[10008]: error (unexpected RCODE SERVFAIL) resolving
> 'sunbatheda.megabulkmessage223.com/A/IN': 8.8.8.8#53
--------------------------------------------^^^^^^^

This suggests you are using forwarders.  That certainly could be a 
problem for DNSBL usage, as many DNSBL providers do limiting on 
queries.  Remove the forwarders.

> named[10008]: error (host unreachable) resolving
> '40.17.107.150.bl.emailbasura.org/A/IN': 80.38.217.151#53

This is similar to the refused errors in that the condition is 
external; if you can't reach that host now, named.conf changes cannot 
make that host reachable.

> named[10008]: validating @0x7ff45c04aae0: gansend4.com A: no valid
> signature found

This suggests you have enabled DNSSEC validation.  Nothing wrong with 
that, but understand what it means: when a signature for a signed 
zone fails to verify (or is missing) you get a SERVFAIL.

> ... it's slowing down system of course.

The slow system is not demonstrated to point to named.

> Loads are very high at server when botnets are attacking average is
> about 500 or even more.
> 
> Does anyone have ideas how to reduce server load, because bind is 
> the problem...

If that is so, how did you determine that?  How could we know?

> Thank you for answers or ideas.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
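Added example, not part of the thread above and not rob0's or the BIND project's code: the two named.conf "options" blocks the forwarders point is about, a forwarding one of the kind that sends every DNSBL lookup out through 8.8.8.8 (so the DNSBL sees the shared public resolver's volume and rate-limits it) beside the corrected one that resolves from the root hints itself, plus a small check that flags an active forwarders statement in a config file. The two configs, the file names and the temp directory are constructed for illustration; the checker only strips comments and greps, it is not a replacement for named-checkconf(8).

```shell
#!/bin/sh
# Added example for the forwarders point in the thread; the configs
# below are constructed samples, not taken from the original poster.

# Constructed: forwarding options block. Every DNSBL query leaves via
# the public resolver, which is what "SERVFAIL ... 8.8.8.8#53" shows.
WEAK_CONF='options {
    directory "/var/named";
    recursion yes;
    allow-query { 127.0.0.1; };
    forwarders { 8.8.8.8; 8.8.4.4; };   // DNSBL lookups go out via Google
    forward only;
    dnssec-validation auto;
};'

# Constructed: same block with forwarding removed. named now walks the
# delegation from the root hints, so zen.spamhaus.org sees this host's
# own source address instead of a heavily shared resolver.
FIXED_CONF='options {
    directory "/var/named";
    recursion yes;
    allow-query { 127.0.0.1; };
    // no forwarders: resolve iteratively from the root hints
    dnssec-validation auto;
};'

# has_forwarders FILE -> status 0 if an uncommented "forwarders {"
# statement is present, 1 otherwise. named.conf allows //, # and /* */
# comments, so strip all three before matching.
has_forwarders() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" \
      | tr '\n' ' ' | sed -e 's|/\*[^*]*\*/||g' \
      | grep -qi 'forwarders[[:space:]]*{'
}

# check_conf FILE -> prints a one-line verdict; always returns 0 so it
# can be called from top level under "set -e".
check_conf() {
    if has_forwarders "$1"; then
        echo "$1: forwarders configured; DNSBL lookups go through the forwarder"
    else
        echo "$1: no forwarders; named queries the DNSBL nameservers directly"
    fi
    return 0
}

# Write the constructed samples to a temp dir and check both.
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_CONF"  > "$tmp/named.conf.weak"
printf '%s\n' "$FIXED_CONF" > "$tmp/named.conf.fixed"
check_conf "$tmp/named.conf.weak"
check_conf "$tmp/named.conf.fixed"
```

After changing the real file, run named-checkconf and then rndc reconfig (or reload); dig +trace of a DNSBL name against the box will then show named walking the delegation itself rather than asking 8.8.8.8. Keeping dnssec-validation on is fine, as the reply says, as long as it is understood that a failed or missing signature on a signed zone yields SERVFAIL rather than an answer.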