On Sat, 26 Jul 2008, J Duke wrote:

> I realize that the whole fix to this DNS cache poisoning is to have
> random ports and random query ids, and that generating good, strong,
> random numbers costs cpu cycles and time. Has anyone else noticed the
> performance hit? Anything that I can do? Particularly I am open to any
> suggestions on commands that would help identify if that is really the
> problem, systat, vmstat, etc.
The additional overhead in the fixed bind is due to the need to manage lots of open sockets. Since bind now randomises source ports, it must open, bind and subsequently manage a UDP socket for each query, whereas before it only needed a single socket for its single query port. Future releases of bind will reduce this overhead a little, but a good portion of it is intrinsic.

That being said, you probably shouldn't be getting failed queries. Make sure that:

1) You aren't running out of file descriptors in bind (check logs and ulimits against "fstat -p [named-pid]").

2) Your queries are not being firewalled. There are lots of firewalls that implement restrictions on high-numbered UDP ports. If you have such a firewall then you will cause queries to fail and be retried, which will cause additional load on your name server. -current tries hard to avoid well-known ports, but we can't predict every firewall configuration.

-d
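As an added illustration of the first check above (not part of the original thread), the script below counts the per-query UDP sockets a named process holds in fstat-style output and compares the total descriptor count against a limit. The fstat lines, the PID 4242, the 80% warning threshold and the 1024 limit are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original list thread. The fstat lines below are
# constructed sample data modelled loosely on OpenBSD "fstat -p <pid>" output:
# two plain files, the listening 53/udp socket, three randomised-port query
# sockets and the listening 53/tcp socket.
SAMPLE_FSTAT='_bind named 4242 0 / 123 crw-rw-rw- rw null
_bind named 4242 1 / 123 crw-rw-rw- rw null
_bind named 4242 4* internet dgram udp 0.0.0.0:53
_bind named 4242 5* internet dgram udp 192.0.2.10:49152
_bind named 4242 6* internet dgram udp 192.0.2.10:60001
_bind named 4242 7* internet dgram udp 192.0.2.10:51234
_bind named 4242 8* internet stream tcp 0.0.0.0:53'

# count_fds PATTERN: count descriptor lines matching PATTERN on stdin.
count_fds() {
    grep -c "$1"
}

# fd_headroom TOTAL LIMIT: print "ok" while usage is under 80% of the
# descriptor limit, "warn" otherwise (the 80% threshold is an assumed heuristic).
fd_headroom() {
    total=$1; limit=$2
    if [ $((total * 100)) -lt $((limit * 80)) ]; then
        echo ok
    else
        echo warn
    fi
}

# report [LIMIT]: summarise the constructed sample against a descriptor limit
# (default 1024, standing in for the value of "ulimit -n" in named's environment).
report() {
    limit=${1:-1024}
    total=$(printf '%s\n' "$SAMPLE_FSTAT" | count_fds '^_bind named 4242 ')
    udp=$(printf '%s\n' "$SAMPLE_FSTAT" | count_fds 'dgram udp')
    echo "total=$total udp=$udp headroom=$(fd_headroom "$total" "$limit")"
}
```

On a live system, feed the real `fstat -p <named-pid>` output into `count_fds` instead of the sample and use the descriptor limit that applies to the named process; a steadily growing "dgram udp" count that approaches the limit points at descriptor exhaustion rather than at random-number generation cost.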

