Measuring DNS Performance & Graphing Logs

Hello!
This is my first message to NANOG's mailing list. I hope someone can help
me.

I was wondering which tool(s) I can use to measure the performance of my 3
DNS servers (1 primary, 1 secondary, 1 solely cache DNS)? From the stats I
would like to know if my DNS server is serving as it should be or if any of
its options are set inappropriately, and others alike.

I looked for a while but could not find any. Any help would be highly
appreciated. I am running bind9 on a UNIX platform.

Question 2) I would also like to know how can I graph my DNS logs? And how
can I integrate it to my CACTI server as well? I couldn't find any suitable
plugin. Any suggestion?

http://docs.cacti.net/usertemplate%3Ahost%3Abind9.7

http://forums.cacti.net/about6332.html

those are like result 1 and 5 of "cacti graph dns server" in the googles...
(the second is even the 1st result in a bingz search)

Smokeping (http://oss.oetiker.ch/smokeping/) can graph DNS response latency
via dig.

ThousandEyes (https://www.thousandeyes.com/) has some commercial options
for monitoring DNS server responsiveness, and zone performance from
different vantage points throughout the globe.

I was wondering which tool(s) I can use to measure the performance of my 3
DNS servers (1 primary, 1 secondary, 1 solely cache DNS)? From the stats I
would like to know if my DNS server is serving as it should be or if any of
its options are set inappropriately, and others alike.

Perhaps Dsc: A DNS Statistics Collector (used by AS112) can help.

Denis

Thanks a lot to Denis Fondras, Zachary, Andrew Smith, Christopher Morrow
for your valuable advice.

I've tried cacti but failed to get the desired logs. I've also tried bind
graph... but it consumes too much memory in the long run.

Can you suggest some suitable tools with which I can measure the performance of the
DNS servers? Like what should be active and what should not be in general safe
DNS server practice, and check against my own settings or whatever the tool
can query, something like nmap. This would be really helpful. I just need
to make a report about my DNS servers for my boss... and I'm clueless what
to point out and what not to, or how to evaluate its performance. I'm
running bind9 under a UNIX environment.

Thanks in advance.

Hi Zayed,

I think you're more likely to get good answers to your BIND-specific questions on the bind-users mailing list. See:

   https://lists.isc.org/mailman/listinfo/bind-users

BIND9 has the capability to produce a vast variety and volume of logs, and dealing with logs in general is something that there are solutions for. Maybe look at logstash/elasticsearch as a starting point. Other BIND9 users on the bind-users list will no doubt have advice about what types of logs they think are important.

Recent releases of BIND9 can export a variety of statistics in XML and JSON formats using HTTP. Pulling those out and sending them to cacti/graphite/whatever is also a fairly non-DNS-specific problem to have.

Advice for tuning a BIND9 recursive resolver's cache can be found in a tech note published by ISC; if that's not especially relevant to modern releases (I seem to think it was published some time ago) you could again look to the bind-users list for advice. For authority-only servers, your main concern is whether you have enough RAM to hold all your zone data. If you do, and if your server was built this decade and has no hardware faults, chances are you're good.

Deciding whether your servers are struggling to keep up with the load of the software you're running on them is another problem that is not specific to the DNS. Check with whoever provides your operating system for advice; look into system statistics collection using things like collectd and publish somewhere you can record data and identify long-term trends so you know what looks normal (since until you know what normal looks like, you can't tell what a problem looks like).

You can use commercial services like catchpoint and thousandeyes to check that your authoritative nameservers are suitably responsive. You can use non-commercial services like Atlas to do the same thing.

If you've connected your nameservers to the network in such a way that there's a stateful firewall between the server and its clients, the report to your boss could be very brief and accurate; something like "service expected to fail at any time; explosion imminent" would do it.

Joe
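The statistics export Joe mentions above is the usual way to feed BIND9 into a grapher. What follows is an added example, not code from this thread or from ISC: it turns two snapshots of BIND 9's statistics-channel JSON into per-second rates and ratios and renders them as Graphite plaintext lines. The counter names (Requestv4, QrySERVFAIL, CacheHits, ...) and the /json/v1 URL are assumed from that format, and the two snapshots are constructed sample data.

```python
import json
import urllib.request

# Counters worth graphing; all are cumulative since named started, so only
# the delta between two snapshots carries information.
COUNTERS = ("Requestv4", "Requestv6", "QrySuccess", "QrySERVFAIL",
            "QryNXDOMAIN", "QryDropped")

def fetch_stats(url="http://127.0.0.1:8053/json/v1", timeout=5):
    # Pull one snapshot from a BIND 9 statistics channel (assumed URL layout).
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def counter_rates(t0, t1, seconds):
    # Per-second rate of each counter between two snapshots. Returns None if
    # any counter went backwards (named restarted): graphing that delta would
    # produce a large negative spike instead of a real rate.
    rates = {}
    for name in COUNTERS:
        delta = t1["nsstats"].get(name, 0) - t0["nsstats"].get(name, 0)
        if delta < 0:
            return None
        rates[name] = delta / seconds
    return rates

def health(t0, t1, seconds, view="_default"):
    # Summarise the interval: total query rate, share of SERVFAIL answers,
    # and the resolver cache hit ratio of one view (assumed JSON layout).
    rates = counter_rates(t0, t1, seconds)
    if rates is None:
        return None
    qps = rates["Requestv4"] + rates["Requestv6"]
    c0 = t0["views"][view]["resolver"]["cachestats"]
    c1 = t1["views"][view]["resolver"]["cachestats"]
    hits = c1["CacheHits"] - c0["CacheHits"]
    misses = c1["CacheMisses"] - c0["CacheMisses"]
    return {"qps": qps,
            "servfail_ratio": rates["QrySERVFAIL"] / qps if qps else 0.0,
            "cache_hit_ratio": hits / (hits + misses) if hits + misses else 0.0}

def graphite_lines(metrics, prefix, ts):
    # Render metrics in the Graphite plaintext protocol: "path value timestamp".
    return [f"{prefix}.{k} {v:.4f} {ts}" for k, v in sorted(metrics.items())]

# Constructed sample snapshots taken 60 s apart (made-up numbers, shaped like
# BIND 9 statistics-channel JSON; only the keys used above are included).
T0 = {"nsstats": {"Requestv4": 100000, "Requestv6": 20000, "QrySuccess": 90000,
                  "QrySERVFAIL": 500, "QryNXDOMAIN": 9000, "QryDropped": 100},
      "views": {"_default": {"resolver": {"cachestats": {"CacheHits": 60000, "CacheMisses": 40000}}}}}
T1 = {"nsstats": {"Requestv4": 106000, "Requestv6": 21200, "QrySuccess": 96200,
                  "QrySERVFAIL": 680, "QryNXDOMAIN": 9700, "QryDropped": 120},
      "views": {"_default": {"resolver": {"cachestats": {"CacheHits": 65400, "CacheMisses": 41800}}}}}
```

Run `health(T0, T1, 60)` on the sample data to get 120 qps, a 2.5% SERVFAIL share and a 75% cache hit ratio; in production replace the constants with two `fetch_stats()` calls spaced by your polling interval.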

Zayed,

What issues did you run into when trying to monitor Bind with Cacti?

here is a nice write up on this: http://gregsowell.com/?p=4763

If you don't find yourself getting far with this, then you can always use Captain James T. Kirk's way of solving the "Kobayashi Maru" ........ (Use powerdns instead of bind; powerdns has stats built in).

Regards.

Faisal Imtiaz
Snappy Internet & Telecom

I've tried cacti but failed to get the desired logs. I've also tried bind
graph... but it consumes too much memory in the long run.

How constrained are your servers? What is "too much memory"? What logs are you looking for?
Have you tried looking at the syslog? What is your level of experience with system/network
administration? (Not trying to be insulting, genuinely curious).

Can you suggest some suitable tools with which I can measure the performance of the
DNS servers?

What sort of performance? What metrics are you trying to track? Please provide more details about exactly what you want.
That will help us give you very specific suggestions. (We provide advice for free, have very busy schedules, the more specific
you are the better).

Deploy smokeping as has already been referenced in this thread. Zenoss also has graphing/monitoring of DNS. (I stay away from cacti/nagios personally for small deployments). Cacti/Nagios are PHENOMENAL tools if you have a fully programmatic/automated deployment process that can populate cacti/nagios automatically.

Like what should be active and what should not be in general safe
DNS server practice

As with the vast majority of widely deployed software packages (Microsoft, Debian, Cisco, etc.), the vendor provides support/documentation right on their website.

I always recommend to people that they spend about 70% of implementation time on reading the docs/understanding/researching terms/concepts they don't know for the system they are deploying, 20% on testing, 10% on actual go live.

I've seen way too many operators rush to deploy something and thoroughly break a production network.

and check against my own settings or whatever the tool
can query, something like nmap.

I recommend openvas.org if you want a tool for internal use (it's free, very comparable to Nessus). Not that Nessus isn't a good product, it's just a pain to deal with the licensing system etc (requires too much sysadmin time to maintain at least in my deployment).

This would be really helpful. I just need
to make a report about my DNS servers for my boss... and I'm clueless what
to point out and what not to, or how to evaluate its performance. I'm
running bind9 under a UNIX environment.

What are the requirements of the report?

At the recent DNS-OARC meeting there was an interesting discussion about a new tool called DNSDIST. It's part of PowerDNS and there is also an independent tar one can fetch.

What is interesting about it is it can report on a lot of data about the performance of your DNS servers. Some people use a load balancer, and this will do that but be application aware and can easily route certain types of queries to another server. (e.g.: arpa requests to dedicated servers, same as domains that may be used/abused).

It provides realtime graphs of CPU usage and query rates as well as average response times.

You can set query rate limits and it will balance as you specify. This is useful as many people who know/use Linux have seen the issues with UDP kernel performance. If you’re not aware, do this:

UDP:

iperf -s -u
iperf -u -c localhost -b 25000m

eg:
[ 3] 0.0-10.0 sec 4.50 GBytes 3.87 Gbits/sec 0.000 ms 84054/3374408 (2.5%)

vs

TCP:

iperf -s
iperf -c localhost
[ 3] 0.0-10.0 sec 56.1 GBytes 48.2 Gbits/sec

- Jared

Hello Zayed,
I noticed you have already received some answers regarding how to
integrate it into Cacti.
Regarding the tools to measure DNS performance I usually use two:
resperf and dnsperf, both are from Nominum and can be found here:
https://nominum.com/measurement-tools/
Some years ago I posted this in Spanish:
http://blog.acostasite.com/2010/02/realizar-estudios-de-performance-sobre.html
Probably it can help you.

Regards,

Alejandro,

There is also a Windows utility from Steve Gibson.

https://www.grc.com/dns/benchmark.htm

Dustin

You can also try librenms (http://www.librenms.org/) which has an associated
agent to monitor bind:
http://librenms.readthedocs.org/Extensions/Agent-Setup/index.html?highlight=bind