[Pdns-users] UDP Connection Table Exhaustion?

[Sten Spans]

On Thu, 2 Jul 2009, Matthew Walster - Gyron wrote:

> Hey there,
>
> Does anyone have any tips and/or tricks for running a medium-scale DNS 
> recursive resolver appropriate to my situation? Medium being bigger than 
> "run it off a DSL router" but smaller than "get a server farm to do it"!

1- make sure you configure a limit for max-cache-entries
    otherwise it will keep growing and consume all memory.
    100k - 500k should cover most regular servers.
2- don't load any iptables modules if at all possible,
    the state tracking causes serious (performance) problems
    on loaded servers.
3- make sure to explicitly configure incoming and outgoing ips,
    preferably different ones. This enables later load-balancing / anycast
    schemes and makes the traffic-flow predictable. If your network
    layout is a bit more complicated (bgp, multiple gateways) then the
    linus arp_announce and arp_filter sysctls should be tweaked to
    make sure that Linux selects the correct source-ips.
4- use allow-from-file to configure the ranges that should be allowed
    to use your nameservers.

This should allow you to handle 5-10k queries on reasonable hardware
with a decent uplink (100mbit). Anything beyond that will require
compilation with a recent compiler and system specific tuning,
binding pdns to a specific cpu and the ethernet driver to another
for example. This kind of tuning should only be done with careful
measurements to test the effect of each change.

-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem