BIND 9.10 fast only on alias IP

Ict Security ict.security.job at gmail.com
Mon May 20 18:16:47 UTC 2019


Dear Mukund,

thank you for the excellent reply, really.

In fact, it is very strange.
On the same machine, with the same Bind daemon, when incoming queries
increase and bottlenecks become visible, if I try to query an alias IP
it responds immediately.

Bind doesn't seem to be the problem but, as you said, something in
networking/socket/stack environments.
Using "netstat -su", I noticed an appreciable number of UDP packet
receive errors:

netstat -su
IcmpMsg:
    InType0: 180
    InType3: 7409507
    InType8: 103791
    InType11: 20541
    OutType0: 103791
    OutType3: 2839671
    OutType8: 185
Udp:
    774530039 packets received
    11779662 packets to unknown port received.
    3602407 packet receive errors
    776247231 packets sent
    3588125 receive buffer errors
    0 send buffer errors
    InCsumErrors: 14279

Do you think they could be related to UDP dropped packets?

I think I have already tuned some parameters (nf_conntrack, rmem_max,
wmem_max, etc.)
and I have totally removed connection tracking using "raw" queue on
local iptables.

How could I increase the number of sockets on a single IP address,
since Bind is working perfectly on the secondary address
when the first one is stuck?

Thank you again, very best regards!
FC

On Mon 20 May 2019 at 15:03 Mukund Sivaraman
<muks at mukund.org> wrote:
>
> On Mon, May 20, 2019 at 10:06:09AM +0200, Ict Security wrote:
> > Dear guys,
> >
> > I am experiencing a very strange behaviour of Bind under busy peak time.
> >
> > With a quite important number of incoming DNS queries, responses are
> > really, really slow;
> > sometimes they even get stuck.
> >
> > If I try to query, in those busy moments, an alias secondary IP
> > address of the same machine, the response is really immediate!
> >
> > I have disabled connection tracking and raised nf_conntrack_max.
> > In system logs, i do not see any limitations or buffer full.
> >
> > Do I need to balance incoming connections on more alias IPs?
> > Or shall I change some other parameters of which I am not aware at the moment?
>
> It's not possible to say exactly what's going on without more detailed
> info. It's possible that named has reached its query performance limit
> and so the recv queue is at its max capacity for that listening
> socket. Possibly queries are getting dropped due to this. In that case,
> increasing the recv queue is unlikely to help and possibly just cause
> bloat. See what "netstat -lu" or "ss -lu" tells you, and load of the
> system.
>
> Possibly you can attempt to mitigate this by tuning various knobs, e.g.,
> disable excessive logging and query logging, increase the number of UDP
> listeners and worker threads to match your CPU count, etc. There isn't
> much that can be improved on 9.10 I'm afraid.
>
> You may want to try BIND 9.12+ that has performance optimizations.
>
>                 Mukund
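A small diagnostic script, added here as an example and not part of this thread or of BIND: it parses the "netstat -su" counters quoted above (embedded as a constructed sample, with a second constructed snapshot as if taken a few seconds later, since the counters are cumulative since boot), takes the delta between the two, and reports what share of the UDP receive errors are receive-buffer errors, i.e. datagrams dropped because the listening socket's queue was full, which is the situation Mukund describes. The section and counter names are the ones Linux netstat prints; the thresholds in `classify` are assumptions.

```python
import re

# Constructed sample: the "netstat -su" output quoted earlier in this thread.
SNAPSHOT_1 = """\
IcmpMsg:
    InType0: 180
    InType3: 7409507
    InType8: 103791
    InType11: 20541
    OutType0: 103791
    OutType3: 2839671
    OutType8: 185
Udp:
    774530039 packets received
    11779662 packets to unknown port received.
    3602407 packet receive errors
    776247231 packets sent
    3588125 receive buffer errors
    0 send buffer errors
    InCsumErrors: 14279
"""

# Constructed second snapshot, as if taken a few seconds later during the busy period.
SNAPSHOT_2 = """\
Udp:
    774580039 packets received
    11779700 packets to unknown port received.
    3607407 packet receive errors
    776297000 packets sent
    3593120 receive buffer errors
    0 send buffer errors
    InCsumErrors: 14284
"""

_KEY_VALUE = re.compile(r"^(\w+):\s+(\d+)$")        # e.g. "InType3: 7409507"
_VALUE_LABEL = re.compile(r"^(\d+)\s+(.+?)\.?$")     # e.g. "774530039 packets received"


def parse_netstat_su(text):
    """Parse `netstat -su` output into {section: {counter: int}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        # Section headers ("Udp:", "IcmpMsg:") are unindented and end with a colon.
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
            continue
        if current is None:
            continue
        body = line.strip()
        m = _KEY_VALUE.match(body)
        if m:
            sections[current][m.group(1)] = int(m.group(2))
            continue
        m = _VALUE_LABEL.match(body)
        if m:
            sections[current][m.group(2)] = int(m.group(1))
    return sections


def delta(before, after):
    """Per-counter difference between two snapshots; counters are cumulative since boot."""
    return {sec: {k: after[sec][k] - before[sec].get(k, 0) for k in after[sec]}
            for sec in after if sec in before}


def udp_receive_health(stats):
    """Summarise the Udp section: how many datagrams were lost, and which error counter explains them."""
    udp = stats["Udp"]
    received = udp["packets received"]
    errors = udp["packet receive errors"]
    buf = udp["receive buffer errors"]        # socket receive queue was full when the datagram arrived
    csum = udp.get("InCsumErrors", 0)         # bad UDP checksum, a NIC/offload or path problem
    share = lambda n: (n / errors) if errors else 0.0
    return {
        "received": received,
        "receive_errors": errors,
        "receive_error_ratio": errors / received if received else 0.0,
        "buffer_error_share": share(buf),
        "checksum_error_share": share(csum),
    }


def classify(health, buffer_threshold=0.9, checksum_threshold=0.5):
    """Name the dominant cause of the receive errors; the thresholds are assumptions."""
    if health["receive_errors"] == 0:
        return "no receive errors"
    if health["buffer_error_share"] >= buffer_threshold:
        return "socket receive buffer full: the listener is not draining its queue fast enough"
    if health["checksum_error_share"] >= checksum_threshold:
        return "checksum errors dominate: look at the NIC/offload path, not the application"
    return "mixed causes"


if __name__ == "__main__":
    first, second = parse_netstat_su(SNAPSHOT_1), parse_netstat_su(SNAPSHOT_2)
    for label, stats in (("since boot", first), ("interval", delta(first, second))):
        h = udp_receive_health(stats)
        print(f"{label}: {h['receive_errors']} errors / {h['received']} received "
              f"({100 * h['receive_error_ratio']:.2f}%), "
              f"{100 * h['buffer_error_share']:.1f}% buffer, "
              f"{100 * h['checksum_error_share']:.1f}% checksum")
        print("  ->", classify(h))
```

On the quoted counters almost all receive errors (about 99.6%) are receive-buffer errors, which is consistent with Mukund's reading that the listening socket's queue is full because named cannot drain it fast enough; a larger rmem_max then only buys headroom for short bursts, while the interval delta shows whether the drops are still growing during the busy period.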

