Hi,
I recently came across this statistic:
http://www.solvedns.com/dns-comparison/2016/04
about nameserver response-times.
I realized that the best I could do was 90msec, on our colocated server without a real firewall in front.
The nameservers with our ISGs in front come with about 100 to 120msec response-time (we're trying to reduce this by modifying some settings on the ISG).
I was curious if it was possible to further reduce the response-times - either by configuration-settings in BIND itself, or FreeBSD sysctls.
The servers all run FreeBSD 10.3p2-amd64.
Our own servers are HP DL 380G9, 6-core, bge(4)-NIC, 16GB RAM, UFS
The rented server in the colocation is an E3-1245V2 (QC), 16GB RAM, zfsroot, em(4)-NIC.
I've enabled cc_htcp in loader.conf (also the dns accept-filter).
I've enabled the following settings in sysctl.conf:
Code:
kern.ipc.shm_use_phys=1
kern.ipc.somaxconn=16384
kern.maxfiles=131072
kern.maxfilesperproc=104856
kern.threads.max_threads_per_proc=4096
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.finwait2_timeout=15000
net.inet.tcp.msl=5000
machdep.panic_on_nmi=0
net.inet6.ip6.auto_flowlabel=0
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
net.inet.ip.portrange.hifirst=10000
security.bsd.unprivileged_proc_debug=0
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet.icmp.drop_redirect=1
net.inet6.icmp6.rediraccept=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
kern.coredump=0
kern.nodump_coredump=1
net.inet.ip.random_id=1
net.inet.ip.check_interface=1
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1
security.bsd.unprivileged_read_msgbuf=0
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1
net.inet.tcp.syncache.rexmtlimit=1
(they're mostly from calomel.org).
Anyone got any more ideas?
Switching out a NIC isn't that easy in this case.