Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.protocols.dns.bind > #15934
| Path | csiph.com!news.samoylyk.net!newsfeed.xs3.de!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail |
|---|---|
| From | John Thurston <john.thurston@alaska.gov> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: Request for review of performance advice |
| Date | Wed, 8 Jul 2020 08:39:00 -0800 |
| Lines | 184 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.651.1594226326.942.bind-users@lists.isc.org> (permalink) |
| References | <3A0A6DF0-828F-49A5-83DF-8118FD663522@isc.org> <91f17eba-864a-0429-8379-7351b4e7213f@alaska.gov> |
| NNTP-Posting-Host | lists.isc.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=utf-8; format=flowed |
| Content-Transfer-Encoding | 8bit |
| X-Trace | usenet.stanford.edu 1594226360 2055 149.20.1.60 (8 Jul 2020 16:39:20 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| To | bind-users@lists.isc.org |
| Return-Path | <john.thurston@alaska.gov> |
| X-Original-To | bind-users@lists.isc.org |
| Delivered-To | bind-users@lists.isc.org |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WUp4RnbnVfuWM9FlRLhBFRhohzLLimnwB8QevpMfkiuLZ+lc7bAJDqIBOYYSemAyia1XE4ixipBjylQfkiBss/W3Rh05oclvlCaOXrqhKN62IrcePgQd8PGK+7DAkuKKfZnwdpCpLtBAdzXdPuaUJuG1ACu0xRDseQfCL2jzG0N1JKvnYYnxeu0kOPV5ENR5PB06wbW0a1ySaWOFTDkXFCF59JCjuolflmVmKpZRdQ1cSXDaRdFvcgwLI/Es3m8Y12XuBXgOlHci1+4X/lU0dtgOOeIHFjmV+kkyDhepsGacNbo+AjW0TUxQmk39jjxM28HJ/gCSZS196IbiC7HXbQ== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ovurgHn3iwYbsKwkfQIev3y9CgdL3ZGY5Nf1JKLfbuo=; b=ChTvdrHRd9VzCV4SuizH+5Ve+lSwPzOExk6vTyW8Icjfkm6XZGHLyp3txqIsC/0wkQP5lLQj9tUzNhfHxw/Qu8enSfm7ntIBzg6KcRLcTG1N+gDnekbC9OV1aXrvMakZbXH8lsWqdVnGew2lAkYqCHXmhSyYocvava00C23uDsZZezZ90kXExp3/395/GeIdELHk1yeuo81Xsk4IcW+qdE4Qs3JnSA1lOts4qsw+zMwq2kVOR8arh2QV9+xsBSk63q2hNYgfQR2UAyULpdUtgcqavpe3i7WcLRRwLKt+Q6M082JWARoHDi7rhztMWenjtm4wZR5nGik6hwU4Y8makQ== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=alaska.gov; dmarc=pass action=none header.from=alaska.gov; dkim=pass header.d=alaska.gov; arc=none |
| Authentication-Results | lists.isc.org; dkim=none (message not signed) header.d=none;lists.isc.org; dmarc=none action=none header.from=alaska.gov; |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 |
| In-Reply-To | <3A0A6DF0-828F-49A5-83DF-8118FD663522@isc.org> |
| Content-Language | en-US |
| X-ClientProxiedBy | MWHPR10CA0008.namprd10.prod.outlook.com (2603:10b6:301::18) To DM6PR09MB5432.namprd09.prod.outlook.com (2603:10b6:5:26b::12) |
| X-MS-Exchange-MessageSentRepresentingType | 1 |
| X-Originating-IP | [24.237.31.154] |
| X-MS-PublicTrafficType | |
| X-MS-Office365-Filtering-Correlation-Id | f36986c1-98e4-4aa1-f857-08d8235d6c13 |
| X-MS-TrafficTypeDiagnostic | DM6PR09MB3403: |
| X-Microsoft-Antispam-PRVS | <DM6PR09MB3403D2F1AAA20319B865785C8F670@DM6PR09MB3403.namprd09.prod.outlook.com> |
| X-MS-Oob-TLC-OOBClassifiers | OLM:9508; |
| X-Forefront-PRVS | 04583CED1A |
| X-MS-Exchange-SenderADCheck | 1 |
| X-Microsoft-Antispam | BCL:0; |
| X-Microsoft-Antispam-Message-Info | GC2mfzM0DT8lXHLFt7pE+9PtlVUu4YOLtHI3nB6IvrNVvZPkHbC420OpDQ9V/DWXZkRS/Y52low6AZ7NR/OfE6yxgM9GTnk08sjOsm8+u0cAXez00d5mF3Tq17b7tEOWQlSFCIr5YCY+u7spfAePFIZ1agQdU6oiowqPdbDaqq6e9ALoXM98isbia2UwMverLI5/+AhRL5JFVQfVrXLg+212wAqgQHYtFfpKqT1hczJHlgXTernmRnPH6nwHpt05IYha9ATifv3K6URanLwE7XjvTDc9aBPzObU9bZFxSnhkamhL9gyghGmH29EReZDI3FRR4rAOcU1AZ0i5ZOXvMiG7UPbNiQPDy1thS+LCGPXwoVHX52m0Y+HAA4v4oJRu0y+aidl2cry7PhUxACjibC3gOIUG6beIyZRcZwsZmkwfcdG5U/sVqLybfdcZNdQhK0EkB/VMl3KsbPICdzV7IA== |
| X-Forefront-Antispam-Report | CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR09MB5432.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(376002)(366004)(346002)(39860400002)(396003)(136003)(66556008)(66476007)(5660300002)(44832011)(956004)(66946007)(2616005)(86362001)(31696002)(966005)(478600001)(66574015)(31686004)(26005)(8936002)(36756003)(6916009)(186003)(16526019)(8676002)(6486002)(53546011)(83380400001)(2906002)(316002)(52116002)(16576012)(43740500002); DIR:OUT; SFP:1101; |
| X-MS-Exchange-AntiSpam-MessageData | XCje70rLEJ/TvIKKGCSn2zE4Qtw3wtm/tJ6Ts2a1v7lAJK3IXaebHdUTqmeP2NN11+ngk3sOwPmFzuPOUp1H7rRp0X98OtNCu+F0A2FaLYmc0m9RRL3jlLzN6X0vxJTvyAmHdKf3aUr0PpfkZ3Wz4UpEB7wfPmu5NiO87D5GvsjvXDe5AhbYPu7l36Im6Kk0Qbmv6qezqtxbng2i2OF6Qvwl6rhZpTm4pr7e8Lw8HZqphcrjE16WNDPP2KGNcVvAVHhEugguzP2zu7y2urJKdPZd+cuYkMLbnp3TwNofqULAf+SAbPmAJPE7XGfRlHfk+11tzIKosgr7ZkxVbxo4gHMGmTCCszLjbBYZZDxbaSDjVHX7s9MJSh/YrTgpzyEQl/A57md64BB0bQ6hDhTMHzlIoyXcy8eLLELhGFrjR0n2fIMxPby5l9cjBWLwXLMyfAUm5HctciQR/K9mp4o2ZL6RbIq2w/Q9mpvkwIf+GyQ= |
| X-OriginatorOrg | alaska.gov |
| X-MS-Exchange-CrossTenant-Network-Message-Id | f36986c1-98e4-4aa1-f857-08d8235d6c13 |
| X-MS-Exchange-CrossTenant-AuthSource | DM6PR09MB5432.namprd09.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Internal |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 08 Jul 2020 16:39:02.6527 (UTC) |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Hosted |
| X-MS-Exchange-CrossTenant-Id | 20030bf6-7ad9-42f7-9273-59ea83fcfa38 |
| X-MS-Exchange-CrossTenant-MailboxType | HOSTED |
| X-MS-Exchange-CrossTenant-UserPrincipalName | q1zqsoLTCtdBtJQNE8O+4hfvU3g9DRkalv+aXEidCVSxuAEa1L6BI08atpbKkH4tDXyUTFmConTcZKZhKwe7glcNCaZJjU9tMURhbaHia0k= |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | DM6PR09MB3403 |
| X-Proofpoint-Virus-Version | vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-08_15:2020-07-08, 2020-07-08 signatures=0 |
| X-Proofpoint-Spam-Details | rule=outbound_notspam policy=outbound score=0 malwarescore=0 suspectscore=0 lowpriorityscore=0 spamscore=0 adultscore=0 bulkscore=0 mlxlogscore=999 phishscore=0 priorityscore=1501 cotscore=-2147483648 mlxscore=0 clxscore=1011 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2007080108 |
| X-Spam-Status | No, score=-0.7 required=5.0 tests=KAM_SHORT, MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.2 |
| X-Spam-Checker-Version | SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org |
| X-BeenThere | bind-users@lists.isc.org |
| X-Mailman-Version | 2.1.29 |
| Precedence | list |
| List-Id | BIND Users Mailing List <bind-users.lists.isc.org> |
| List-Unsubscribe | <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe> |
| List-Archive | <https://lists.isc.org/pipermail/bind-users/> |
| List-Post | <mailto:bind-users@lists.isc.org> |
| List-Help | <mailto:bind-users-request@lists.isc.org?subject=help> |
| List-Subscribe | <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <91f17eba-864a-0429-8379-7351b4e7213f@alaska.gov> |
| X-Mailman-Original-References | <3A0A6DF0-828F-49A5-83DF-8118FD663522@isc.org> |
| Xref | csiph.com comp.protocols.dns.bind:15934 |
Show key headers only | View raw
On 7/7/2020 5:57 PM, Victoria Risk wrote: > A while ago we created a KB article with tips on how to improve your > performance with our Kea dhcp server. The tips were fairly obvious to > our developers and this was pretty successful. We would like to do > something similar for BIND, provide a dozen or so tips for how to > maximize your throughput with BIND. However, as usual, everything is > more complicated with BIND. This is an excellent idea. If it comes to fruition, I ask there be some guidance offered on when such optimizations are useful. I've seen places where such a guide-sheet is followed when the guidelines were suitable for a business with 10X or 100X the traffic the customer sees. That is, a configuration which benefits an organization seeing 100,000 qps may be excessively complex (or brittle) for one seeing 100 qps. -- Do things because you should, not just because you can. John Thurston 907-465-8591 John.Thurston@alaska.gov Department of Administration State of Alaska > > Can those of you who care about performance, who have worked to improve > your performance, share some of your suggestions that have the most > impact? Please also comment if you think any of these ideas below are > stupid or dangerous. I have combined advice for resolvers and for > authoritative servers, I hope it is clear which is which... > > The ideas we have fall into four general categories: > > System design > 1a) Use a load balancerto specialize your resolvers and maximize your > cache hit ratio. A load balancer is traditionally designed to spread > the traffic out evenly among a pool of servers, but it can also be used > to concentrate related queries on one server to make its cache as hot as > possible. For example, if all queries for domains in .info are sent to > one server in a pool, there is a better chance that an answer will be in > the cache there. > > 1b) If you have a large authoritative system with many servers, consider > dedicating some machines to propagate transfers. These machines, called > transfer servers, would not answer client queries, but just send > notifies and process IXFR requests. > > 1c) Deploy ghost secondaries. If you store copies of authoritative > zones on resolvers (resolvers as undelegated secondaries), you can avoid > querying those authoritative zones. The most obvious uses of this would > be mirroring the root zone locally or mirroring your own authoritative > zones on your resolver. > > we have other system design ideas that we suspect would help, but we are > not sure, so I will wait to see if anyone suggests them. > > OS settings and the system environment > 2a) Run on bare metal if possible, not on virtual machines or in the > cloud. (any idea how much difference this makes? the only reference we > can cite is pretty out of date - > https://indico.dns-oarc.net/event/19/contributions/234/attachments/217/411/DNS_perf_OARC_Apr_14.pdf > <https://urldefense.com/v3/__https://indico.dns-oarc.net/event/19/contributions/234/attachments/217/411/DNS_perf_OARC_Apr_14.pdf__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYfEBpbu8w$> > ) > > 2b) Consider using with-tuning-large. (https://kb.isc.org/docs/aa-01314 > <https://urldefense.com/v3/__https://kb.isc.org/docs/aa-01314__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYdvKmJFZQ$>) > This is a compile time option, so not something you can switch on and > off during production. > > 2c) Consider which R/W lock choice you want to use - > https://kb.isc.org/docs/choosing-a-read-write-lock-implementation-to-use-with-named > <https://urldefense.com/v3/__https://kb.isc.org/docs/choosing-a-read-write-lock-implementation-to-use-with-named__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYftHIt-qg$> > For the highest tested query rates (> 100,000 queries per second), > pthreads read-write locks with hyper-threading /enabled/seem to be the > best-performing choice by far. > > 2d) Pay attention to your choice of NIC cards. We have found wide > variations in their performance. (Can anyone suggest what specifically > to look for?) > > 2e) Make sure your socket send buffers are big enough. (not sure if this > is obsolete advice, do we need to tell people how to tell if their > buffers are causing delays?) > > 2f) When the number of CPUs is very large (32 or more), the increase in > UDP listeners may not provide any performance improvement and might > actually reduce throughput slightly due to the overhead of the > additional structures and tasks. We suggest trying different values of > -U to find the optimal one for your production environment. > > > named Features > 3a) Minimize logging. Query logging is expensive (can cost you 20% or > more of your throughput) so don’t do it unless you are using the logs > for something. Logging with dnstap is lower impact, but still fairly > expensive. Don’t run in debug mode unless necessary. > > 3b) Use named.conf option minimal-responses yes; to reduce the amount of > work that named needs to do to assemble the query response as well as > reducing the amount of outbound traffic > > 3c) Disable synth-from-dnssec. While this seemed like a good idea, it > turns out, in practice it does not improve performance. > > 3d) Tune your zone transfers. (https://kb.isc.org/docs/aa-00726 > <https://urldefense.com/v3/__https://kb.isc.org/docs/aa-00726__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYe98KMFqg$>) > > When tuning the behavior of the primary, there are several factors that > you can control: > > - The rate of notifications of changes to secondary servers > (serial-query-rate and notify-delay) > > - Limits on concurrent zone transfers (transfers-out, tcp-clients, > tcp-listen-queue, reserved-sockets) > > - Efficiency/management options (max-transfer-time-out, > max-transfer-idle-out, transfer-format) > > The most important options to focus on are transfers-out, > serial-query-rate, tcp-clients and tcp-listen-queue. > > 4e) If you use RPZ, consider using qnane-wait-recurse. We have had > issues with RPZ transfers impacting query performance in resolvers. In > general, more smaller RPZ zones will transfer faster than a few very > large RPZ zones. > > 4f) Consider enabling prefetch on your resolver, unless you are running > 9.10 (which is EOL) https://kb.isc.org/docs/aa-01122 > <https://urldefense.com/v3/__https://kb.isc.org/docs/aa-01122__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYcf-H7ZBg$> > > Fix your transport network. > Transport network issues cause BIND to keep retrying, which is a > performance drain. > 4a) Disable (in some cases, completely remove in order to prevent > ongoing interference) outbound firewalls/packet-filters (particularly > that maintain state on connections). These are a frequent cause of > problems in the DNS that can cause your DNS server to do a lot of extra > work. > > 4b) Set an appropriate MTU for your network. Ensure that your network > infrastructure supports EDNS and large UDP responses up to 4096. Ensure > that your network infrastructure allows transit for and reassembly of > fragmented UDP packets (these will be large query responses if you are > DNSSEC signing) > > 4c) Ensure that your network infrastructure allows DNS over TCP. > > 4d) Check for, and eliminate any incomplete IPv6 interface set-up (what > can go wrong here is that BIND thinksthat it can use IPv6 authoritative > servers, but actually the sends silently fail, leaving named waiting > unnecessarily for responses) > > Any further suggestions, corrections or warnings are very welcome. > > Thank you! > Vicky > > --------- > > Victoria Risk > Product Manager > Internet Systems Consortium > vicky@isc.org <mailto:vicky@isc.org> > > > > > > > _______________________________________________ > Please visit https://urldefense.com/v3/__https://lists.isc.org/mailman/listinfo/bind-users__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYflfQafZw$ to unsubscribe from this list > > ISC funds the development of this software with paid support subscriptions. Contact us at https://urldefense.com/v3/__https://www.isc.org/contact/__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYd9ITf9ow$ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://urldefense.com/v3/__https://lists.isc.org/mailman/listinfo/bind-users__;!!J2_8gdp6gZQ!7sRXGLQDm9waSVfgufc44e2-G1iYoLGoT_iBOLgmPYx3xAW8jKIAFbCB5OVJYYflfQafZw$ >
Back to comp.protocols.dns.bind | Previous | Next | Find similar
Re: Request for review of performance advice John Thurston <john.thurston@alaska.gov> - 2020-07-08 08:39 -0800
csiph-web