I wonder if anyone is seeing performance issues with the patched DNS in the late snapshots? I installed the July 22 snapshot on our DNS servers, which handle a pretty heavy load of lookups, mostly for anti-spam action.
It was running at 45% or higher CPU utilization after the July 22 snapshot was installed. We run a couple of Ironport boxes that handle about 200k emails per hour. They use the OpenBSD DNS servers to look up the sending IPs as a first defense against spammers, and drop about 98% of the inbound mail. With the snapshot installed the traffic went down to 70k per hour and people started complaining of DNS lookup failures for random sites.

I moved back to an earlier version of OpenBSD on the DNS server, and the Ironport traffic went up to normal, and the DNS lookup failures stopped. CPU utilization went back down to around 9%. But I'm vulnerable.

I realize that the whole fix to this DNS cache poisoning is to have random ports and random query IDs, and that generating good, strong, random numbers costs CPU cycles and time.

Has anyone else noticed the performance hit? Anything that I can do? Particularly I am open to any suggestions on commands that would help identify if that is really the problem: systat, vmstat, etc.

The server was beefy enough, and had been doing the job for months before the upgrade:

OpenBSD 4.2-current (GENERIC) #593: Mon Dec 10 13:23:15 MST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz ("GenuineIntel" 686-class) 3.21 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem = 1073053696 (1023MB)
avail mem = 1029713920 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/20/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfa910 (75 entries)
bios0: vendor Dell Computer Corporation version "A00" date 10/20/2004
bios0: Dell Computer Corporation PowerEdge SC1425
[...]
em0 at pci2 dev 4 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 11, i address xx:xx:xx:xx:xx:xx

Thanks for a great OS!
And yes, I usually run snapshots, have for years, love it, and we buy plenty of CDs of each version.