Are these queries mostly for names in an Active Directory domain? The default for Active Directory is for *every* Domain Controller to register NS records at the apex of the AD domain. Pretty soon, for any reasonably-sized AD infrastructure, all of those NSes cause *all* queries for *any* name in the domain to trigger a TCP retry (because the Answer + Authority Sections overflow 512 bytes), if EDNS0 is not in effect. I sat down with our AD folks a few years ago and impressed upon them how important it is to be selective about which Domain Controllers are registered at the apex. They appreciated the negative consequences of being awash in TCP retries, and it's been managed for some time now (at least for our *main* AD domain; don't get me started on the business partner that still has 92 NS records at the apex of their AD domain. Sigh)

Sounds like you might need to have the same discussion with your AD guys, if in fact AD is a factor here. Even if the users aren't *consciously* looking up AD-related names, if the AD domain is in the Suffix Search List and your users' shortname addiction is out of control, the combination of the two, along with excess NS records at the apex, can ultimately result in a lot of bogus TCP retries. Sometimes you can alleviate this with careful ordering or pruning of elements in the Suffix Search List.

A lot of folks think that query logging is a drain on resources, and anyone who is serious about DNS performance would never turn it on. Those folks must not work in a large, chaotic enterprise :-) I find query logging, and the associated data-mining tools I've developed over the years, invaluable to track down broken and/or obsolete query traffic and eliminate it at the source. This saves me *much* more performance than the query logging itself, as well as being valuable for security forensics, incident avoidance (e.g. before I delete this name from DNS, let me check whether anyone is still looking it up) and a plethora of other useful stuff.

                                - Kevin
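To put numbers on the "every DC registers an NS at the apex" problem described above, here is an added estimator (not Kevin's tooling, not part of the original thread) that computes the wire size of a positive A answer whose Authority section carries the whole apex NS RRset, and reports whether it would exceed the 512-byte non-EDNS UDP limit and force the TCP retry. It assumes the queried name lies under the AD apex (so owner names compress to 2-byte pointers), single-label DC host names, and an 11-byte OPT record when EDNS0 is in effect; the domain and host names are constructed placeholders.

```python
UDP_LIMIT_NO_EDNS = 512      # RFC 1035 UDP payload limit without an EDNS0 OPT record
OPT_RR_SIZE = 11             # root name (1) + type (2) + udp size (2) + ttl (4) + rdlen (2)

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format DNS name: length-prefixed labels plus root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def response_size(qname: str, ns_hosts: list, include_glue: bool = False) -> int:
    """Estimated size of an A response for qname (under the AD apex) whose Authority
    section lists every apex NS. The apex already appears inside the question name,
    so each NS owner is a 2-byte pointer and each NSDNAME is one label + a pointer.
    Glue A records in Additional are optional; BIND adds them only when it has them."""
    size = 12 + len(encode_name(qname)) + 4     # header + question (name, type, class)
    size += 2 + 10 + 4                          # answer: owner ptr, type/class/ttl/rdlen, IPv4
    for host in ns_hosts:
        size += 2 + 10 + (1 + len(host) + 2)    # authority NS: owner ptr + fixed + rdata
        if include_glue:
            size += 2 + 10 + 4                  # additional A: owner ptr to NSDNAME + IPv4
    return size

def would_truncate(qname: str, ns_hosts: list, edns_bufsize: int = None,
                   include_glue: bool = False) -> bool:
    """True if the server must set TC, i.e. the client will retry over TCP."""
    size = response_size(qname, ns_hosts, include_glue)
    if edns_bufsize:
        return size + OPT_RR_SIZE > edns_bufsize
    return size > UDP_LIMIT_NO_EDNS

def max_ns_without_truncation(qname: str, host_label: str = "dc01",
                              include_glue: bool = False) -> int:
    """Largest apex NS count that still fits a plain 512-byte UDP reply for qname."""
    n = 0
    while not would_truncate(qname, [host_label] * (n + 1), None, include_glue):
        n += 1
    return n

if __name__ == "__main__":
    # Constructed example: a shortname query that the suffix search list expands
    # into the AD domain, against apex NS sets of various sizes (92 is the count
    # Kevin mentions for the business partner's domain).
    qname = "fileserver.corp.example.com"
    print("NS at apex that fit in 512 bytes (no glue):",
          max_ns_without_truncation(qname))
    print("NS at apex that fit in 512 bytes (with glue):",
          max_ns_without_truncation(qname, include_glue=True))
    for n in (5, 10, 20, 30, 92):
        hosts = ["dc%02d" % i for i in range(1, n + 1)]
        print(f"{n:3d} NS: {response_size(qname, hosts):5d} bytes, "
              f"TC without EDNS: {would_truncate(qname, hosts)}, "
              f"TC with EDNS0/4096: {would_truncate(qname, hosts, 4096)}")
```

A zone's real numbers come from `dig +norecurse NS <ad-domain>` (count) and `dig +noedns <name>` (watch for the `tc` flag); the model above only tells you how close to the cliff the NS count puts every query in the domain.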

On 10/19/2013 9:34 PM, brett smith wrote:
When all the Windows PCs are switched to our resolver, bind stops responding.
rndc querylog shows queries coming thru, I changed tcp-clients from
1000 to 10000 but DNS seems lagging, so we switched back to the
original Windows Domain resolver. Besides increasing open files
tuning, what TCP / sysctl or named.conf settings can be set to
optimize / speed up DNS queries? Because it seems that Windows clients
use TCP instead of UDP when looking at netstat on the server.

Thanks. Brett.

On Sat, Oct 19, 2013 at 3:20 AM,  <sth...@nethelp.no> wrote:
I need to build a pair of DNS cache servers to support 5000+ clients
(PCs and Servers).  I have been looking for some guides on tuning
BIND and the OS for Enterprise performance rather than the defaults.
The version of bind is bind-9.8.2.

5000 clients is such a low number that I don't think you need to worry
about tuning at all.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
