[180080] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Measuring DNS Performance & Graphing Logs

daemon@ATHENA.MIT.EDU (Joe Abley)
Thu May 21 08:13:32 2015

X-Original-To: nanog@nanog.org
From: "Joe Abley" <jabley@hopcount.ca>
To: "Zayed Mahmud" <zayed.mahmud@gmail.com>
Date: Thu, 21 May 2015 08:13:28 -0400
In-Reply-To: <CAAgG=ju0Sc84v47c2rP+koZwEpGUkkJT7XQDTxwtVoYhy2ePfA@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Hi Zayed,

I think you're more likely to get good answers to your BIND-specific 
questions on the bind-users mailing list. See:

   https://lists.isc.org/mailman/listinfo/bind-users

BIND9 has the capability to produce a vast variety and volume of logs, 
and dealing with logs in general is something that there are solutions 
for. Maybe look at logstash/elasticsearch as a starting point. Other 
BIND9 users on the bind-users list will no doubt have advice about what 
types logs they think are important.

Recent releases of BIND9 can export a variety of statistics in XML and 
JSON formats using HTTP. Pulling those out and sending them to 
cacti/graphite/whatever is also a fairly non-DNS-specific problem to 
have.

Advice for tuning a BIND9 recursive resolver's cache can be found in a 
tech note published by ISC; if that's not especially relevant to modern 
releases (I seem to think it was published some time ago) you could 
again look to the bind-users list for advice. For authority-only 
servers, your main concern is whether you have enough RAM to hold all 
your zone data. If you do, and if your server was built this decade and 
has no hardware faults, chances are you're good.

Deciding whether your servers struggling to keep up with the load of the 
software you're running on it is another problem that is not specific to 
the DNS. Check with whoever provides your operating system for advice; 
look in to system statistics collection using things like collectd and 
publish somewhere you can record data and identify long-term trends so 
you know what looks normal (since until you know what normal looks like, 
you can't tell what a problem looks like).

You can use commercial services like catchpoint and thousandeyes to 
check that your authoritative nameservers are suitably responsive. You 
can use non-commercial services like Atlas to do the same thing.

If you've connected your nameservers to the network in such a way that 
there's a stateful firewall between the server and its clients, the 
report to your boss could be very brief and accurate; something like 
"service expected to fail at any time; explosion imminent" would do it.


Joe

On 21 May 2015, at 7:15, Zayed Mahmud wrote:

> Thanks a lot to Denis Fondras, Zachary, Andrew Smith, Christopher 
> Morrow
> for your valuable advice.
>
> I've tried cacti but failed to get desired logs. i've also tried bind
> graph...but it consumes too much memory in the long run.
>
> can u suggest some suitable tools that i can measure the performance 
> of the
> dns servers? like what shud b active and what shud not be in general 
> safe
> dns server practice and check against my own settings or whatever the 
> tool
> can query, something like nmap. this would be really helpful. i just 
> need
> to make a report about my dns servers for my boss...and i'm clueless 
> what
> to point out and what not to or how to evaluate it's performance. i'm
> running bind9 under unix environment.
>
> thanks in advance.
>
> On Tue, May 19, 2015 at 11:34 PM, Zayed Mahmud 
> <zayed.mahmud@gmail.com>
> wrote:
>
>> Hello!
>> This is my first message to NANOG's mailing list. I hope someone can 
>> help
>> me.
>>
>> I was wondering which tool(s) can I use to measure the performance of 
>> my 3
>> DNS servers (1 primary, 1 secondary, 1 solely cacheDNS)? From the 
>> stats I
>> would like to know if my DNS server is serving as it should be or if 
>> any of
>> it's options are set inappropriately and others alike.
>>
>> I looked for a while but could not find any. Any help would be highly
>> appreciated. I am running bind9 on UNIX platform.
>>
>> Question 2) I would also like to know how can I graph my DNS logs? 
>> And how
>> can I integrate it to my CACTI server as well? I couldn't find any 
>> suitable
>> plugin. Any suggestion?
>>
>> --
>>
>> --
>> Best Regards,
>>
>> *Zayed Mahmud*
>>
>> *Senior Core & IP Network Team,*
>>
>> *Banglalion Communications Limited, Bangladesh.*
>>
>
>
>
> -- 
>
> -- 
> Best Regards,
> *Zayed Mahmud.*

home help back first fref pref prev next nref lref last post