High performance DNS server configuration?
/dev/rob0
rob0 at gmx.co.uk
Thu Sep 15 13:41:25 UTC 2016
On Thu, Sep 15, 2016 at 02:20:16PM +0300, Pekka Jalonen wrote:
> I'm looking for a solution for a very high-performance DNS server.
>
> Background information:
> We are running centos-release-6-8.el6.centos.12.3.x86_64
>
> Hardware is Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz with 32 GB
> memory and SSD disks (with raid controller).
>
> We have local bind running at same box (bind, caching) with default
> configuration.
Ask on a CentOS list if you don't wish to provide the configuration
in use. We don't all know what "default" means there.
> The server is a mail server with ~150K+ users.
>
> The problem is procmail + postfix with RBLs (zen.spamhaus.org and
> others).
Hmm, procmail, why? Is that doing DNS lookups? Sounds ugly.
Are you using postscreen(8)? If not, why not? I would strongly
suggest upgrading to a recent Postfix version (the "ghettoforge" RPM
repo might be an easy way to do this), then implement postscreen.
> A really big problem is spam botnets; some days we can get over
> 5-6 million messages per day or even more.
>
> Procmail/postfix does every check per message against the local DNS
> (local DNS => RBLs) server, and the average check time is 1-2 sec per
> message, which is too much.
>
> We are getting very fancy error messages etc ...
> named[10008]: error (connection refused) resolving
> 'ns1.actcorp.co.in/A/IN': 162.251.82.251#53
> named[10008]: error (connection refused) resolving
> 'www.sleekgroup.co.uk/A/IN': 104.155.71.90#53
If your queries are refused, you can't fix that with tweaks to your
named.conf(5). For some reason the destination server has been
configured not to allow your queries. That condition will still
exist after any changes you make to your system.
> named[10008]: error (unexpected RCODE SERVFAIL) resolving
> 'sunbatheda.megabulkmessage223.com/A/IN': 8.8.8.8#53
--------------------------------------------^^^^^^^
This suggests you are using forwarders. That certainly could be a
problem for DNSBL usage, as many DNSBL providers do limiting on
queries. Remove the forwarders.
> named[10008]: error (host unreachable) resolving
> '40.17.107.150.bl.emailbasura.org/A/IN': 80.38.217.151#53
This is similar to the refused errors in that the condition is
external; if you can't reach that host now, named.conf changes cannot
make that host reachable.
> named[10008]: validating @0x7ff45c04aae0: gansend4.com A: no valid
> signature found
This suggests you have enabled DNSSEC validation. Nothing wrong with
that, but understand what it means: when a signature for a signed
zone fails to verify (or is missing) you get a SERVFAIL.
> ... it's slowing down the system of course.
The slow system is not demonstrated to point to named.
> Loads are very high on the server when botnets are attacking; the
> average is about 500 or even more.
>
> Does anyone have ideas how to reduce server loads, because bind is
> the problem...
If that is so, how did you determine that? How could we know?
> Thank you for answers or ideas.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
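The triage rob0 walks through above can be automated over the named log: "connection refused" and "host unreachable" are conditions on the remote side that no named.conf change fixes, a SERVFAIL attributed to 8.8.8.8 is the fingerprint of forwarders, and "no valid signature found" is DNSSEC validation at work. The script below is an added example, not code from the thread or from BIND. The log lines are constructed after the ones Pekka quoted (the last one, a zen.spamhaus.org lookup answered by a forwarder, is made up to show the case the reply warns about), and the list of public resolvers, the DNSBL zone list and the named.conf fragment are assumptions.

```python
"""Triage named error lines: which point at something fixable in named.conf
(forwarders, DNSSEC validation) and which are external conditions."""
import re
from collections import Counter

# Constructed sample input, modelled on the lines quoted in the thread.
# The final line is constructed to show a DNSBL lookup going via a forwarder.
SAMPLE_LOG = """\
named[10008]: error (connection refused) resolving 'ns1.actcorp.co.in/A/IN': 162.251.82.251#53
named[10008]: error (connection refused) resolving 'www.sleekgroup.co.uk/A/IN': 104.155.71.90#53
named[10008]: error (unexpected RCODE SERVFAIL) resolving 'sunbatheda.megabulkmessage223.com/A/IN': 8.8.8.8#53
named[10008]: error (host unreachable) resolving '40.17.107.150.bl.emailbasura.org/A/IN': 80.38.217.151#53
named[10008]: validating @0x7ff45c04aae0: gansend4.com A: no valid signature found
named[10008]: error (unexpected RCODE SERVFAIL) resolving '2.0.0.127.zen.spamhaus.org/A/IN': 8.8.8.8#53
"""

# Assumption: a few well-known public resolvers. A SERVFAIL attributed to one
# of these means the query was forwarded instead of being resolved locally.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# DNSBL zones named in the thread; anything under these is a blocklist lookup.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.emailbasura.org")

RESOLVE_ERR = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '(?P<name>[^/']+)/(?P<rtype>[^/']+)/IN': "
    r"(?P<server>[0-9a-fA-F.:]+)#\d+")
DNSSEC_ERR = re.compile(
    r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>\S+): no valid signature found")


def is_dnsbl_query(name):
    """True if the queried name falls under one of the known DNSBL zones."""
    return any(name == z or name.endswith("." + z) for z in DNSBL_ZONES)


def classify(line):
    """Return (category, name, server) for one named log line, or None."""
    m = RESOLVE_ERR.search(line)
    if m:
        reason, name, server = m.group("reason"), m.group("name"), m.group("server")
        if reason in ("connection refused", "host unreachable"):
            return ("external", name, server)       # remote side; not fixable locally
        if "SERVFAIL" in reason:
            if server in PUBLIC_RESOLVERS:
                return ("forwarder", name, server)  # forwarders { ... } in named.conf
            return ("upstream_servfail", name, server)
        return ("other", name, server)
    m = DNSSEC_ERR.search(line)
    if m:
        return ("dnssec", m.group("name"), None)    # validation enabled; client sees SERVFAIL
    return None


def triage(log_text):
    """Count lines per category and list DNSBL lookups that went via a forwarder."""
    counts = Counter()
    forwarded_dnsbl = []
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        category, name, _server = result
        counts[category] += 1
        if category == "forwarder" and is_dnsbl_query(name):
            forwarded_dnsbl.append(name)
    return counts, forwarded_dnsbl


FORWARDERS_BLOCK = re.compile(r"forwarders\s*\{([^}]*)\}")


def find_forwarders(named_conf):
    """Return the forwarder addresses declared in a named.conf options block."""
    m = FORWARDERS_BLOCK.search(named_conf)
    if not m:
        return []
    return [tok.rstrip(";") for tok in m.group(1).split() if tok.strip(";")]


# Constructed named.conf fragment carrying the setting the reply says to remove.
SAMPLE_CONF = """
options {
    directory "/var/named";
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation auto;
};
"""

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    print(dict(counts), flagged)
    print("forwarders in named.conf:", find_forwarders(SAMPLE_CONF))
```

Only the `forwarder` bucket (and, if you choose, `dnssec`) is actionable in named.conf; a non-empty `forwarded_dnsbl` list is the concrete sign that blocklist queries are being sent through a shared public resolver, which is exactly what DNSBL providers rate-limit.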