Hi, is there a particular reason why you have to use bind as resolver? If not, I would try out running a DNS-recursor (PowerDNS-recursor, djbdns, ...) which may offer more performance and maybe less pain in the future ;)
-Florian

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Duke
> Sent: Sunday, July 27, 2008 12:13 AM
> To: misc@openbsd.org
> Subject: Performance issues with the DNS patch?
>
> I wonder if anyone is seeing performance issues with the patched DNS in
> the late snapshots?
> I installed the July 22 snapshot on our DNS servers, which handle a
> pretty heavy load of lookups, mostly for anti-spam action.
>
> It was running at 45% or higher cpu utilization after the July 22
> snapshot was installed.
> We run a couple of Ironport boxes, that handle about 200k emails per
> hour. They use the OpenBSD DNS servers to look up the sending IPs as a
> first defense against spammers, and drop about 98% of the inbound mail.
> With the snapshot installed the traffic went down to 70k per hour and
> people started complaining of DNS lookup failures for random sites.
>
> I moved back to an earlier version of OpenBSD on the DNS server, and
> the Ironport traffic went up to normal, and the DNS lookup failures
> stopped. Cpu utilization went back down to around 9%. But I'm vulnerable.
>
> I realize that the whole fix to this DNS cache poisoning is to have
> random ports and random query ids, and that generating good, strong,
> random numbers costs cpu cycles and time. Has anyone else noticed the
> performance hit?
> Anything that I can do? Particularly I am open to any suggestions on
> commands that would help identify if that is really the problem, systat,
> vmstat, etc.
>
> The server was beefy enough, and had been doing the job for months
> before the upgrade:
>
> OpenBSD 4.2-current (GENERIC) #593: Mon Dec 10 13:23:15 MST 2007
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Xeon(TM) CPU 3.20GHz ("GenuineIntel" 686-class) 3.21 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
> real mem = 1073053696 (1023MB)
> avail mem = 1029713920 (982MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 10/20/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfa910 (75 entries)
> bios0: vendor Dell Computer Corporation version "A00" date 10/20/2004
> bios0: Dell Computer Corporation PowerEdge SC1425
> [...]
> em0 at pci2 dev 4 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 11, i address xx:xx:xx:xx:xx:xx
>
> Thanks for a great OS! And yes, I usually run snapshots, have for
> years, love it, and we buy plenty of CDs of each version..