[Pdns-users] PowerDNS on FreeBSD: CPU Hungry?

Aaron Gifford astounding at gmail.com
Fri Jul 20 03:44:59 UTC 2007


I've got a FreeBSD server that I wanted to move to PowerDNS.  The server
sits on two IP addresses, one IP for recursive-only clients to talk to, and
the other a legacy server IP that has to support both authoritative queries
for zones hosted on the server, and also legacy recursive clients that
haven't yet reconfigured to talk to the recursive-only IP.

I set up PowerDNS on the authoritative IP and PowerDNS recursor on the
recursive IP and used some fun IP packet filtering and rewriting/translating
to send traffic from IP networks that contained recursive clients to the
recursor IP.

This worked quite well except for the obvious issue: If there were any
queries from the recursive client IP space that were expecting an
authoritative reply (i.e. perhaps one of the client IPs was running their
own DNS server and that server was looking for authoritative answers for one
of the zones my DNS server is authoritative for), then those queries would
be rewritten/redirected by the filtering/translating I was using and the
response would appear as a lame server.

During all of this, PowerDNS worked beautifully, not cracking the slightest
sweat, the server's CPU idling 93-97% and handling hundreds of queries per

Since PowerDNS can specify a recursor in pdns.conf and has the ability
built-in to handle recursive queries, I thought I would give it a try.  I
put the recursive server's IP in pdns.conf (recursor=) and listed the
networks I wanted to allow recursive queries as well (allow-recursion=).

Now it was time for the big test.  I disabled the filter/translator so IP
traffic (mixed recursive and authoritative-only queries) would hit PowerDNS.

Things immediately slowed down.  Painfully slow.  And CPU usage climbed to
70-80%.  The test queries I did, those that didn't time out, worked, so
PowerDNS was in fact answering correctly for authoritative domains as well
as talking to the recursor and handling recursive queries.

I reread the PowerDNS documentation including the bit about the
allow-recursion-override setting.  I worried that perhaps a query for a
nonexistent record in an authoritative zone might be looping back-and-forth
between PowerDNS on one IP and the recursor on the other, so I set
allow-recursion-override as mentioned in the docs.  That didn't affect
things at all.  Queries were slower than molasses in Antarctica.

I shortly reenabled the packet filter/translator and almost instantly the
load dropped and DNS responses were quick once more.

Has anyone else encountered this sort of behavior (slow, CPU-hungry) under
FreeBSD running the latest PowerDNS & Recursor available in the FreeBSD
ports collection when running both a server and recursor, particularly if
each is configured to use a different IP address on the host?  Have I
overlooked something obvious?

Oh, I'm running FreeBSD 6.2-STABLE on a box with a dual-core XEON processor
and two gigs RAM.  The FreeBSD ports version of PowerDNS running is 2.9.21,
and PowerDNS Recursor version 3.1.4.

Puzzled, and wondering,

Aaron out.
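
Added example, not part of the original post and not PowerDNS code: a simplified model of the two dispatch policies the message contrasts, showing why a redirect keyed only on source address sends a non-recursive query for a hosted zone to the recursor. The networks, zone name and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed values: documentation ranges stand in for the real networks and zones.
RECURSIVE_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # clients allowed recursion
HOSTED_ZONES = ("example.org.",)                         # zones served authoritatively
RD_BIT = 0x0100  # "recursion desired" flag in the DNS header

def build_query(qname, rd):
    """Build a minimal DNS query: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", 0x1234, RD_BIT if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_query(packet):
    """Return (qname, rd); reject truncated or multi-question packets."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while pos < len(packet) and packet[pos]:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad label in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    if pos >= len(packet):
        raise ValueError("question name not terminated")
    return ".".join(labels) + ".", bool(flags & RD_BIT)

def from_recursive_net(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RECURSIVE_NETS)

def route_by_source(src, packet):
    """Packet-filter policy: only the source address is visible."""
    return "recursor" if from_recursive_net(src) else "authoritative"

def route_by_query(src, packet):
    """DNS-aware policy: hosted zones first, recursion only for allowed RD queries."""
    qname, rd = parse_query(packet)
    if any(qname == z or qname.endswith("." + z) for z in HOSTED_ZONES):
        return "authoritative"
    if rd and from_recursive_net(src):
        return "recursor"
    return "no-recursion"
```
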