Yes, turning off IPTABLES conn-tracking makes a huge difference. I also followed:

https://access.redhat.com/site/solutions/304713
https://access.redhat.com/site/solutions/168483

I still see some SYN_SENT from Windows PCs on tcp port 53 on the DNS cache server.

Thank You,
Brett

On Sun, Oct 20, 2013 at 6:27 PM, Stuart Browne <stuart.bro...@ausregistry.com.au> wrote:
>
>> -----Original Message-----
>> From: bind-users-bounces+stuart.browne=ausregistry.com...@lists.isc.org
>> [mailto:bind-users-bounces+stuart.browne=ausregistry.com...@lists.isc.org]
>> On Behalf Of brett smith
>> Sent: Sunday, 20 October 2013 12:35 PM
>> To: sth...@nethelp.no
>> Cc: bind-users@lists.isc.org
>> Subject: Re: Performance Tuning RHEL 5 and Bind
>>
>> When all the Windows PCs are switched to our resolver, bind stops responding.
>> rndc querylog shows queries coming through. I changed tcp-clients from 1000 to 10000 but DNS seems lagging, so we switched back to the original Windows Domain resolver. Besides increasing open files tuning, what TCP / sysctl or named.conf settings can be set to optimize / speed up DNS queries? Because it seems that Windows clients use TCP instead of UDP when looking at netstat on the server.
>>
>> Thanks. Brett.
>>
>> On Sat, Oct 19, 2013 at 3:20 AM, <sth...@nethelp.no> wrote:
>> >> I need to build a pair of DNS cache servers to support 5000+ clients (PCs and Servers). I have been looking for some guides on tuning BIND and the OS for Enterprise performance rather than the defaults. The version of bind is bind-9.8.2.
>> >
>> > 5000 clients is such a low number that I don't think you need to worry about tuning at all.
>> >
>> > Steinar Haug, Nethelp consulting, sth...@nethelp.no
>
> If my experience with high-throughput through a redhat system is anything to go by, what you are probably hitting is the IPTables conntrack bucket limits.
>
> The simplest way to avoid this is to bypass connection tracking.
>
> You can do one of the following:
>
> - Turn off iptables (probably not a good idea)
> - Turn off conn-tracking and not use the state module, rewriting all rules (nasty)
> - Tell iptables to not conntrack for just udp/53 & tcp/53 (-A -t raw -j NOTRACK -m tcp -p tcp --dport 53 ; -A -t raw -j NOTRACK -m udp -p udp --dport 53)
>
> We use the 3rd method and it works beautifully. Just ensure your 'filter' rules don't force the use of conntrack for that traffic. See the man page for more details.
>
> Stuart
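Stuart's third option, written out as an added example (not code from the thread or from ISC): the raw-table rules with the chain names the quoted one-liners omit, one rule per direction so neither the incoming query nor the server's reply creates a conntrack entry, plus the filter-side ACCEPT his last paragraph warns about. The script only prints the iptables commands so they can be reviewed before being run as root; the port and chain names are assumptions for a typical caching resolver.

```shell
#!/bin/sh
# Added example: generate, but do not apply, the iptables rules that exempt
# DNS traffic from connection tracking. Review the output, then run it as root.

# Raw-table NOTRACK rules for one protocol (tcp or udp).
# Inbound queries are matched in PREROUTING by destination port; the server's
# own replies are matched in OUTPUT by source port. Both legs are needed:
# an untracked query still gets a conntrack entry created for its reply
# unless the reply is exempted too.
notrack_rules_for() {
    proto="$1"
    port="${2:-53}"
    printf 'iptables -t raw -A PREROUTING -p %s --dport %s -j NOTRACK\n' "$proto" "$port"
    printf 'iptables -t raw -A OUTPUT -p %s --sport %s -j NOTRACK\n' "$proto" "$port"
}

# Filter-table rule that accepts the untracked DNS packets explicitly.
# A rule such as "-m state --state ESTABLISHED,RELATED -j ACCEPT" never
# matches an untracked packet, so without this the queries would fall
# through to the INPUT chain's default policy (typically DROP).
accept_untracked_dns() {
    proto="$1"
    port="${2:-53}"
    printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate UNTRACKED -j ACCEPT\n' "$proto" "$port"
}

# Full rule set for udp/53 and tcp/53 (TCP matters here: the thread notes
# Windows clients falling back to TCP, which is where SYN_SENT shows up).
dns_notrack_script() {
    for p in udp tcp; do
        notrack_rules_for "$p" 53
        accept_untracked_dns "$p" 53
    done
}

dns_notrack_script
```

Check the result afterwards with `conntrack -L` (or /proc/net/nf_conntrack): port 53 entries should stop appearing.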