BIND DNS high-performance caching

Tags: bind, domain-name-system, named-conf, nameserver

I'm running BIND on a small server used for resolving lots of domains; my main goals are fast resolution of domains and low memory usage.

I want to use something like a local zone containing the nameservers of all TLDs, i.e. the output of dig . axfr @g.root-servers.net.

What happens right now is that when the cache limit is hit, BIND stops caching and the root servers are queried for every resolution. Is there any way to use the AXFR output and tell BIND to get the NS info for the TLDs from there?

Example of axfr zone

I've tried to add a "." master zone with the AXFR output, but it doesn't work.

zone "." IN {
    type master;
    file "axfrOutput.ca";
};

current named.conf

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory          "/var/named";
    dump-file          "/var/named/data/cache_dump.db";
    statistics-file    "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };
    recursion yes;

    max-cache-size 100m;
    cleaning-interval 1;      // clean cache every minute
    max-cache-ttl 120;        // cap cached records at a 120s TTL
    max-ncache-ttl 120;       // cap cached negative responses at a 120s TTL

    dnssec-enable yes;
    dnssec-validation yes;
    // ISC shut down the DLV registry in 2017; lookaside validation no
    // longer does anything useful and recent BIND releases have dropped it.
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

zone "." IN {
     type hint;
     file "named.ca";
};

Best Answer

High performance, low memory usage and a short cache time are conflicting requirements.

However, what should happen when the max-cache-size limit is hit is that BIND starts (prematurely) evicting entries from the cache (LRU).

Forcing shorter TTLs (max-cache-ttl) sacrifices performance in favor of quicker convergence. (Probably a bad idea as this will throw out things that are used a lot and would otherwise have high priority in the LRU scheme.)

cleaning-interval is obsolete and has no effect in modern BIND versions.


If you have very high load and want to specifically optimize queries to the root zone, you could have your own slave zone for "." instead of the normal hint zone.

ICANN provides AXFR access to the root zone as well as some other zones.
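The configuration the answer describes, written out as an added example (this is not the answerer's or the questioner's configuration, and nothing here comes from the original post). It drops the counterproductive 120-second TTL caps, leaves cache eviction to the LRU, and replaces the hint zone for "." with a locally held copy of the root zone. The transfer source addresses are the root-zone AXFR servers listed in RFC 8806 and are an assumption that you should re-check against the current RFC/ICANN list before deploying; the file name root.zone.db is likewise arbitrary.

```conf
// named.conf fragment (added example): hold the root zone locally instead of
// relying on a hint zone plus repeated root-server queries.
options {
    directory "/var/named";
    recursion yes;
    allow-query { localhost; };
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };

    // Bound the cache and let the LRU evict cold entries. max-cache-ttl and
    // max-ncache-ttl are deliberately left at their defaults: capping them at
    // 120s throws out hot names that the LRU would otherwise keep.
    max-cache-size 100m;

    // "auto" validates with the built-in root trust anchor (RFC 5011
    // managed keys). dnssec-lookaside/DLV is retired and not configured.
    dnssec-validation auto;
};

// Option A (BIND 9.14 and later): a "mirror" zone. named transfers the root
// zone from the listed servers, validates it with DNSSEC before using it, and
// falls back to ordinary recursion from the built-in hints if the transfer or
// the validation fails. This is the safer form because a tampered transfer is
// rejected rather than served.
zone "." {
    type mirror;
    file "root.zone.db";          // assumption: any writable path under "directory"
    masters {                     // spelled "primaries" in newer releases
        // Root-zone AXFR sources from RFC 8806, Appendix A (assumption:
        // unchanged since publication; confirm before deploying).
        192.0.32.132;  2620:0:2830:202::132;   // lax.xfr.dns.icann.org
        192.0.47.132;  2620:0:2d0:202::132;    // iad.xfr.dns.icann.org
        199.9.14.201;  2001:500:200::b;        // b.root-servers.net
        192.33.4.12;   2001:500:2::c;          // c.root-servers.net
        192.5.5.241;   2001:500:2f::f;         // f.root-servers.net
        192.112.36.4;  2001:500:12::d0d;       // g.root-servers.net
        193.0.14.129;  2001:7fd::1;            // k.root-servers.net
    };
};

// Option B (any BIND 9): the plain slave zone the answer mentions. Use this
// only where "mirror" is unavailable: a slave zone is served as authoritative
// data without being validated first, so a bad transfer would be answered
// from directly. Keep the normal hint zone if you go this way.
// zone "." {
//     type slave;               // "secondary" in newer releases
//     file "root.zone.db";
//     masters { 192.0.32.132; 192.0.47.132; };
// };
```

After reloading, rndc zonestatus . reports the zone's serial and transfer state, and dig @127.0.0.1 com NS +norecurse should answer from the local copy instead of going to a root server; if the mirror zone fails to load, named logs the reason and keeps resolving from the hints, so watch the log rather than assuming the transfer worked.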