Re: Need to improve named performance

Sat, 10 Nov 2012 17:45:12 -0800 

Hello Alan -
I will do an upgrade as soon as I get chance - a bit tied up right now. But in any case, since I posted this I've done some query logging for a bit and find that I'm getting an average of about 60 queries per second. All the dns queries are coming in via udp - the connections I mentioned are likewise udp. As I mentioned before, netstat shoes the udp Recv-Q filling up on the two IPs on that server that are taking the requests. 

There's a basic firewall setup on the server, only ports I need are open:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW 
tcp dpt:10022
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW 
udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW 
tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW 
tcp dpt:5900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW 
tcp dpt:5901
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW 
tcp dpt:8550
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with 
icmp-host-prohibited


As far as recursing goes:

/usr/sbin/rndc recursing
rndc: 'recursing' failed: permission denied

Any ideas are welcome....

Ed


On 11/10/2012 3:46 PM, Alan Clegg wrote:


On Nov 10, 2012, at 1:39 PM, Ed LaFrance<e...@connexinternet.com>
wrote:


When I check the router above this server I'll see 200 - 500
legitimate connections to this server at any given time.


Having sent my snarky "update" e-mail, I now ask... you say later in
the mail that you are doing about 20 queries per second (which I
agree should be handled by any hardware with more oomph than a
Z-80).

I'm curious as to what these "200-500 legitimate connections" are.
Are they TCP?  If so, are you seeing lots of TCP connections hanging
around?  Do you have some firewall in the midst of this that might be
messing around with TCP connections?

If you do a "rndc recursing", what do you get?

If you are only doing 20-30 transactions per second, the stats on the
UDP counts would have taken a long time to get there... something
doesn't add up.

AlanC

--
(800) 362-7579 ext 1

+-------------------------------------------------------+
+ Colocation    Dedicated Servers   IPv4 & IPv6 Transit +
+-------------------------------------------------------+
Connex Internet Services, Inc.     direct: (916) 265-1568
11230 Gold Express Dr #310-313        fax: (916) 880-5663
Gold River, CA 95670            http://connexinternet.com
+-------------------------------------------------------+
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to