On Thu, Sep 15, 2016 at 02:20:16PM +0300, Pekka Jalonen wrote:
> I'm looking for a solution for a very high performance DNS server.
>
> Background information;
> We are running centos-release-6-8.el6.centos.12.3.x86_64
>
> Hardware is Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz with 32 GB
> memory and SSD disks (with raid controller).
>
> We have local bind running at same box (bind, caching) with default
> configuration.

Ask on a CentOS list if you don't wish to provide the configuration in
use. We don't all know what "default" means there.

> Server is mail server with ~+150 K users.
>
> Problem is procmail + postfix with rbl's (zen.spamhaus.org and
> others).

Hmm, procmail, why? Is that doing DNS lookups? Sounds ugly.

Are you using postscreen(8)? If not, why not? I would strongly suggest
upgrading to a recent Postfix version (the "ghettoforge" RPM repo might
be an easy way to do this), then implement postscreen.

> Really big problem are spam botnets and some day we can get over
> 5-6 million messages per day or even more.
>
> Procmail/postfix is doing every check per msg at localdns (localdns
> => rbl's) server and average check time is 1-2 sec per message and
> it's too much.
>
> We are getting very fancy error messages etc ...
> named[10008]: error (connection refused) resolving
> 'ns1.actcorp.co.in/A/IN': 162.251.82.251#53
> named[10008]: error (connection refused) resolving
> 'www.sleekgroup.co.uk/A/IN': 104.155.71.90#53

If your queries are refused, you can't fix that with tweaks to your
named.conf(5). For some reason the destination server has been
configured not to allow your queries. That condition will still exist
after any changes you make to your system.

> named[10008]: error (unexpected RCODE SERVFAIL) resolving
> 'sunbatheda.megabulkmessage223.com/A/IN': 8.8.8.8#53
--------------------------------------------^^^^^^^

This suggests you are using forwarders. That certainly could be a
problem for DNSBL usage, as many DNSBL providers do limiting on queries.
Remove the forwarders.

> named[10008]: error (host unreachable) resolving
> '40.17.107.150.bl.emailbasura.org/A/IN': 80.38.217.151#53

This is similar to the refused errors in that the condition is external;
if you can't reach that host now, named.conf changes cannot make that
host reachable.

> named[10008]: validating @0x7ff45c04aae0: gansend4.com A: no valid
> signature found

This suggests you have enabled DNSSEC validation. Nothing wrong with
that, but understand what it means: when a signature for a signed zone
fails to verify (or is missing) you get a SERVFAIL.

> ... it's slowing down system of course.

The slow system is not demonstrated to point to named.

> Loads are very high at server when botnets are attacking average is
> about 500 or even more.
>
> Does anyone have ideas how reduce server loads because bind is
> problem...

If that is so, how did you determine that? How could we know?

> Thank you for answers or ideas.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
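As an added illustration of the "remove the forwarders" advice above (constructed for this page, not configuration posted by either participant), here is a named.conf options block of the kind the 8.8.8.8#53 log line implies, beside a corrected one. The directory path, the 8.8.4.4 entry and the localhost-only access lists are assumptions; the two blocks are alternatives, not meant to sit in one file.

```conf
// WEAK (constructed): every recursive query, DNSBL lookups included,
// is handed to a public resolver. The DNSBL then sees the shared
// forwarder's address, not this mail server's, and providers that
// rate-limit by source can answer SERVFAIL or not at all, exactly the
// "unexpected RCODE SERVFAIL ... 8.8.8.8#53" seen in the log.
options {
    directory "/var/named";          // assumed path
    recursion yes;
    allow-recursion { 127.0.0.1; };
    forwarders { 8.8.8.8; 8.8.4.4; };  // 8.8.4.4 is an assumption
    forward only;
    dnssec-validation auto;
};

// CORRECTED (constructed): no forwarders at all, so named resolves
// iteratively from the root and the DNSBL sees this server's own
// address and applies its limits to this server alone. Recursion and
// queries stay restricted to the local host so the resolver cannot be
// used by outsiders. DNSSEC validation is kept; a signed zone whose
// signature fails to verify will still return SERVFAIL, as the reply
// above explains, and that is correct behaviour rather than a fault.
options {
    directory "/var/named";          // assumed path
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    allow-query     { 127.0.0.1; ::1; };
    // no "forwarders" and no "forward" statement
    dnssec-validation auto;
};
```

After editing, run named-checkconf before reloading so a syntax slip does not take the resolver, and with it the mail server's DNSBL checks, offline.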