BIND dns high performance caching

Question

I'm running bind on a small server used for resolving lots of domains, my main goal is fast resolving of domains and low memory usage.

I want to use something like local zone with the nameservers of all TLDs dig . axfr @g.root-servers.net.

What is happening right now is when cache limit is hit, bind stops caching and for every resolve root server dns is hit. Is there any way to use the axfr output and tell bind to get the NS info for tld from there?

Example of axfr zone

I've tried to add "." master zone with the axfr output but it doesn't work.

zone "." IN {
    type master;
    file "axfrOutput.ca";
};

current named.conf

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };
    max-cache-size 100m;
    cleaning-interval 1;    // clean cache every 1 minutes
    max-cache-ttl 120;        // limit cached record to a 60s TTL
    max-ncache-ttl 120;       // limit cache neg. resp. to a 60s TTL
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

zone "." IN {
     type hint;
     file "named.ca";
};

If you don't need IPv6 resolution, [DNSCache](http://cr.yp.to/djbdns/blurb/cache.html) is lightweight and fast. — Johnny, Jul 21 '15 at 15:47
Why do you want to cache the entire root zone anyway? There are over a thousand delegated zones in it these days, and I'm pretty sure your users only access a small fraction of them. — Calle Dybedahl, Jul 22 '15 at 07:58

score 11 · Accepted Answer · edited May 01 '19 at 12:05

11

High performance and low memory usage + short cache time are conflicting requirements.

However, what should happen when hitting the max-cache-size limit is that it should start (prematurely) evicting entries from the cache (LRU).

Forcing shorter TTLs (max-cache-ttl) sacrifices performance in favor of quicker convergence. (Probably a bad idea as this will throw out things that are used a lot and would otherwise have high priority in the LRU scheme.)

cleaning-interval is obsolete and has no effect in modern BIND versions.

If you have very high load and want to specifically optimize queries to the root zone you could have your own slave zone for . instead of the normal hint zone.

ICANN provides AXFR access to the root zone as well as some other zones.

edited May 01 '19 at 12:05

Smar

131
8

answered Jul 21 '15 at 11:02

Håkan Lindqvist

33,741
5
65
90

+1 for slave instead of master – Nick Jul 21 '15 at 11:25
Yeah, I didn't go into detail about it but there's just no reason to take on the responsibility of separately updating the zone contents or, for that matter, dealing with any formatting differences that will lead to the zone not loading (eg double `SOA`s in `AXFR` data). – Håkan Lindqvist Jul 21 '15 at 11:33

BIND dns high performance caching

1 Answers1