44net-request(a)hamradio.ucsd.edu wrote:
Subject: Re: [44net] Performance of DNS
From: Jeroen Massar <jeroen(a)massar.ch>
Date: 08/06/2014 11:22 AM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Jeroen,
In general: please read the entire mail before starting to comment on individual paragraphs, so you don't need to ask questions that are answered a few paragraphs down the same mail.
The system is running Debian Wheezy, all up to date, with bind9 version 9.8.4 plus Debian patches. It is not available to the outside, so no security worries.
What I see is that it does not cache ampr.org addresses very long, but that does not surprise me because the default TTL in the zone is only one hour. Of course everything would perform better when the TTL was the more usual 24 hours, but undoubtedly there was a good reason to set this TTL. (Lately it was useful for me as I changed the external address of the machine and the update was propagated quickly in DNS, but in general I would think the zone is very static.)
What I am surprised about is that the measured relative performance of the 7 alternative DNS servers is apparently not kept by bind long enough to be useful. The TTL at that level is 24 hours, but I think I have often seen that when doing the same lookups within 24 hours I see lookup delays again. The statistics command you gave does not provide that info; I wonder if there is some bind command to query its measured timers and preferred servers.
We have several timeservers on net-44 addresses and I do "ntpq -p -c rv -c mrulist" a couple of times a day now that we are testing and deploying. It was slow every time; of course the cached lookups are gone because the previous try was more than an hour ago, but apparently the DNS preference info was gone too and queries were again sent to slow (for me) servers.
After my experimental change with the hardwired forwarders everything works much better. I'm not sure I want to keep it, but it certainly indicates that there *is* a way in which bind could handle it more efficiently. Maybe I am missing some setting; I have experimented with setting a forwarder (and forward first) at top level as well. Probably I should turn off the DNSSEC that has been enabled by default by bind and Debian, that appears to cause a lot of extra overhead too.
Rob
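On the question of how to see which servers bind currently prefers: `rndc dumpdb -all` writes the resolver's address database (per-address smoothed RTT, "srtt") to named_dump.db. The script below is an added example, not from this thread or from BIND, that parses that section of a constructed sample dump and ranks the server addresses by srtt; the exact field layout is assumed from BIND 9.8-era dumps and should be checked against your own file, and the nameserver names and addresses are documentation placeholders.

```python
import re

# Constructed sample in the shape of the "; Address database dump" section
# that `rndc dumpdb -all` appends to named_dump.db. Field layout is assumed
# from BIND 9.8-era dumps; names and addresses are documentation values.
SAMPLE_DUMP = """\
; Address database dump
;
; ns1.example.org [v4 TTL 86399] [v6 TTL 86399] [v4 success] [v6 success]
;\t192.0.2.10 [srtt 412345] [flags 00000000] [ttl 1800]
;\t192.0.2.11 [srtt 38120] [flags 00000000] [ttl 1800]
; ns2.example.org [v4 TTL 86000] [v6 TTL 86000] [v4 success] [v6 unexpected]
;\t198.51.100.53 [srtt 7350] [flags 00000000] [ttl 1800]
;
; Unassociated entries
;
;\t203.0.113.7 [srtt 9999999] [flags 00000000] [ttl 1800]
"""

NAME_RE = re.compile(r"^; (\S+) \[v4 TTL \d+\]")   # nameserver entry header
ADDR_RE = re.compile(r"^;\s+(\S+) \[srtt (\d+)\]")  # one address under it


def rank_addresses(text):
    """Return [(address, srtt_us, nameserver), ...] sorted fastest first.

    srtt is the smoothed round-trip time in microseconds that bind keeps
    per server address and uses to choose which nameserver to query next.
    Addresses dumped after "; Unassociated entries" are tagged as such.
    """
    ranked = []
    current = None
    for line in text.splitlines():
        if line.startswith("; Unassociated entries"):
            current = "(unassociated)"
            continue
        m = NAME_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m:
            ranked.append((m.group(1), int(m.group(2)), current))
    return sorted(ranked, key=lambda entry: entry[1])


def fastest_for(text, nameserver):
    """Lowest-srtt address recorded for one nameserver name, or None."""
    for addr, _, name in rank_addresses(text):
        if name == nameserver:
            return addr
    return None


if __name__ == "__main__":
    for addr, srtt, name in rank_addresses(SAMPLE_DUMP):
        print(f"{addr:<16} {srtt / 1000:8.1f} ms  {name}")
```

Run it against a fresh dump after a slow lookup and again a day later to see whether the srtt values for the ampr.org servers survive or have been discarded with the ADB entry's TTL.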