DNS performance question

    Question

  • Hello,

    We are attempting to move our remote infrastructure over to Active Directory in order to make it easier for us to manage our network.  In order to do that, we will have to shift all our DNS servers from Linux over to Windows (we are going with Server 2008 R2).  As you can imagine, this will require some thorough performance testing, which we’ve done.  We decided to move one location over as a test bed in order to let it run for a while.  After a couple of months we received a complaint from (hosted customer) that their DNS queries were failing for certain hostnames only from one of our measurement locations which happened to be the one we switched to Windows DNS.  The hostnames are (servera.customer.com, serverb.customer.com, serverc.customer.com).  The Windows DNS server was returning a “server failed” error message.  We decided at that point to switch the DNS at that location back to Linux for the time being since the Linux box had no such problem.


    After some investigation, I found a couple of things:

    - By disabling a certain flag on the Windows DNS server, the hostnames above are able to resolve successfully.  The flag is for EDNS, which I set to 0 (disabled) by following the instructions in this article: http://support.microsoft.com/kb/832223 . After that change, the nslookups are suddenly successful.

    - Even though I have disabled and removed IPv6 from the Windows DNS server system (no IPv6 interfaces show up from an ipconfig command), whenever I perform an nslookup from this server for those hostnames above it performs an AAAA query (IPv6).  I’ve read that this is default behavior for Windows, but I’m not sure whether or not that’s contributing to the problem.  The Linux servers perform A (IPv4) lookups for the same hostnames.


    I also performed a DNS performance analysis using our web measurement data (approximately 3000 web pages per hour) comparing BIND on Linux with Windows DNS and found some significant performance differences. 

    Can you point me to information about DNS performance?

    Thursday, December 30, 2010 6:04 PM

All replies

  • Hi,


    Thanks for posting here.


    How did you query the domain name using nslookup, with any specific parameters?

    If you want to monitor DNS performance, the built-in performance-monitoring utilities are the first choice:

    Performance-monitoring utilities

    You can do performance monitoring for DNS servers using additional service-specific counters that measure DNS server performance. These counters are accessible through System Monitor, which is provided in the Performance snap-in.

    When you use System Monitor, you can create charts and graphs of server performance trends over time for any of your DNS servers. These can be further studied and analyzed to determine if additional server tuning is needed.

    Through measurement and review of server metrics over a period of time, it is possible to determine performance benchmarks and decide if further adjustments can be made to optimize the system.

    Meanwhile, please refer to the link below, which provides some suggestions for Monitoring and Optimizing the DNS service:

    Monitoring and Optimizing Servers

    http://technet.microsoft.com/en-us/library/cc778622(WS.10).aspx


    Thanks.


    Tiger Li


    Friday, December 31, 2010 5:55 AM
  • Curious, can you share and post the DNS performance difference you've found?

    Regarding EDNS0, that is indicative of a firewall blocking EDNS0 traffic.

    To explain, DNS query/response traffic uses UDP for the initial connection method. Prior to EDNS0 being implemented by the IETF (back around 1999), DNS UDP query response packets were limited to 512 bytes. If the response was larger than 512 bytes, the session reverts to TCP, over which it can then provide the response, though this causes a slight delay in responses. Since many domain zones have more than 512 bytes, especially zones with a large number of records, such as MX records, the IETF came up with allowing larger UDP packets, up to 1280 bytes. This improved efficiency for a couple of reasons: one, there is no session transport 'changeup' to TCP, and two, UDP is lightweight and allows the app (DNS in this case) to control the transport portion of the session instead of TCP, which is a little heavier.

    Please note, this is not a Microsoft implementation; rather it is an industry-wide, vendor-neutral implementation that Microsoft implemented into their DNS service, realizing its increased efficiency.

    You can test this with nslookup in interactive mode. By default nslookup uses UDP, hence why you are seeing what you are seeing. You can force nslookup to use TCP by setting the 'set vc' switch. Run it as the following and use the 'set vc' switch to force it to use TCP:

    C:\Windows\system32>nslookup
    Default Server:  yourserver.whatever.com
    Address:  4.2.2.2

    > set vc
    > TypeQueryHere <enter>

    Also, many firewalls, especially older, legacy firewalls, or ones that have not been updated or configured properly to allow it, look at EDNS0 as a spoof and either won't allow it, have to be configured to allow it, or have to be updated to the latest IOS to provide the feature and allow it.

    Therefore, that was the basis of my question regarding performance. If your firewall is blocking EDNS0, DNS is losing efficiency and will not properly look up zone info with large amounts of data, such as whatever "website" your customers are complaining about.

    In addition, disabling EDNS0 on Windows DNS also reduces efficiency, which I wouldn't suggest. I would rather allow EDNS0 traffic for DNS. I'm not sure which version of BIND is in use, but if it's an older version (and I can't remember which version switched over to use EDNS0), it may be possible that it's only using TCP, or that your firewall has been configured to allow EDNS0 only to and from the BIND servers and not the Microsoft DNS server(s). You would have to check with your networking group for this information.

    Here are more specifics on EDNS0. I've provided much info above, but there are more specifics in my blog below:

    EDNS0 (Extension mechanisms for DNS)
    http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

    I hope you found this helpful.

    Ace

    Late addition: I forgot to post some of my DNS performance related links:

    DNS monitoring: If it's slow, everything is slow, Mike Pennacchi, 07.13.2007
    Describes how to use Network Monitor to capture and analyze DNS query traffic
    (You might need an account to view this article)
    http://searchnetworking.techtarget.com/tip/0,289483,sid7_gci1264140_mem1,00.html

    DNS Performance Test by Silverwolf (Youtube Video)
    SilverWolf freeware utility for DNS testing. ... queue Network Performance Monitoring: Analyze WAN
    http://www.youtube.com/watch?v=CqwzGZvPp_4

    Best Practices Analyzer for Domain Name System
    Jan 5, 2009 ... Topics in this section can help you bring DNS running on Windows Server® 2008 or Windows Server® 2008 R2 into compliance with best practices ...
    http://technet.microsoft.com/en-us/library/dd391963(WS.10).aspx


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services


    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by Ace Fekay [MCT]MVP Friday, December 31, 2010 6:09 AM See "Late Addition" above
    Friday, December 31, 2010 6:07 AM
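Ace's explanation of the 512-byte UDP limit, the truncation-then-TCP fallback, and the EDNS0 OPT pseudo-record can be made concrete with a small wire-format walkthrough. The following is an added example, not code from this thread, from Microsoft DNS, or from BIND: it builds A queries with and without an OPT record, parses response headers for the TC bit and RCODE, reads the advertised UDP payload size back out of the OPT record, and applies a troubleshooting rule. The 1280-byte advertised size is the figure Ace gives above; the "SERVFAIL with no OPT in the reply" rule in `next_step` is an assumed diagnostic heuristic for the symptom the original poster described, and all packets are constructed inline so it runs offline.

```python
"""Minimal DNS wire-format helpers to illustrate truncation and EDNS0 (constructed example)."""
import struct
from typing import Optional

TYPE_A = 1
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 2671 / 6891)
FLAG_TC = 0x0200       # "truncated" bit in the header flags
RCODE_SERVFAIL = 2     # the "server failed" status the original poster saw
EDNS_SIZE = 1280       # advertised UDP payload size used in this example (Ace's figure)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. 'a.b' -> b'\\x01a\\x01b\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then the name ends
            return off + 2
        off += 1 + length


def opt_record(udp_size: int) -> bytes:
    """OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/flags, RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_query(name: str, txid: int = 0x1234, edns_udp_size: Optional[int] = None) -> bytes:
    """Standard recursive A query; with edns_udp_size set, an OPT record is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    return pkt + opt_record(edns_udp_size) if edns_udp_size else pkt


def build_response(query: bytes, rcode: int = 0, truncated: bool = False,
                   edns_udp_size: Optional[int] = None, answer_ip: Optional[str] = None) -> bytes:
    """Constructed reply to `query` (test data only, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode | (FLAG_TC if truncated else 0)   # QR, RD, RA, rcode, optional TC
    question = query[12:skip_name(query, 12) + 4]
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0,
                      1 if edns_udp_size else 0) + question
    if answer_ip:   # answer name is a pointer (0xc00c) back to the question name
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
        pkt += bytes(int(o) for o in answer_ip.split("."))
    if edns_udp_size:
        pkt += opt_record(edns_udp_size)
    return pkt


def parse_header(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "truncated": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def find_edns_udp_size(pkt: bytes) -> Optional[int]:
    """Walk all sections; return the UDP size advertised by an OPT record, or None if absent."""
    h = parse_header(pkt)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(pkt, off) + 4
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return rclass          # for OPT, the CLASS field carries the UDP payload size
        off += rdlen
    return None


def next_step(response: bytes, sent_with_edns: bool) -> str:
    """Troubleshooting rule (assumed heuristic, not from the thread)."""
    h = parse_header(response)
    if h["truncated"]:
        return "tcp_retry"          # what 'set vc' in nslookup forces
    if h["rcode"] == RCODE_SERVFAIL and sent_with_edns and find_edns_udp_size(response) is None:
        return "suspect_edns_drop"  # SERVFAIL and no OPT echoed back: check the path for EDNS0 filtering
    return "ok" if h["rcode"] == 0 else f"rcode:{h['rcode']}"


if __name__ == "__main__":
    plain = build_query("servera.customer.com")
    edns = build_query("servera.customer.com", edns_udp_size=EDNS_SIZE)
    print(len(plain), "bytes without OPT;", len(edns), "bytes with OPT, advertising", find_edns_udp_size(edns))
    print(next_step(build_response(plain, truncated=True), False))
    print(next_step(build_response(edns, rcode=RCODE_SERVFAIL), True))
    print(next_step(build_response(edns, answer_ip="192.0.2.10", edns_udp_size=EDNS_SIZE), True))
```

The three constructed replies cover the cases Ace describes: a truncated reply (TC set) means the client must retry over TCP; a SERVFAIL whose reply carries no OPT record, in answer to a query that did, is the pattern worth checking against the firewall path; a normal answer with the OPT record echoed back shows EDNS0 working end to end.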
  • Thanks for the responses.  The question was originally mine so let me add some more information.

    Regarding the EDNS0 tips, that is very useful.  I will look through our firewall settings and try some of the suggestions mentioned above.

    As far as overall DNS server performance goes, the company I work for provides internet and website performance measurement services by using an actual IE browser on distributed, dedicated computers to navigate real websites for performance information.  DNS lookup time is one of these performance metrics, and one that our customers monitor very closely.  For this test I set up two different DNS servers running on the same hardware, one Windows DNS and one Linux BIND, and used the same clients navigating to the same websites on both servers.  I have plenty of data since we are talking about thousands of lookups per hour, and I found two things:  average lookup time was consistently higher on the Windows servers and they also returned a much greater percentage of lookup failures.  I can't really share the data since it is proprietary, but I was more wondering if anyone else has had the same experience and/or if there are some tweaks I can make to the Windows DNS configuration to increase performance.

    Wednesday, January 05, 2011 11:43 PM
  • Hi Dave,

    Understanding some of the info is proprietary, I appreciate you sharing what you could. I don't have any additional info to contribute other than ensuring that EDNS0 is equally configured between the BIND and Windows servers. Other than that, not sure. Possibly look at tweaking the server settings (System, Advanced, etc.) for background services, and uninstalling any unnecessary services or apps, and disable File & Print, disable NetBIOS, Browser, Alerter, and all other unnecessary services.

    Disable unnecessary services to improve workstations performance
    http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/UserTips/Network/Disableunnecessaryservicestoimproveworkstationsperformance.html

    Disabling unnecessary Windows services
    http://www.computertooslow.com/disable-unnecessary-services.asp

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, January 06, 2011 5:11 AM