dnsperf DNS Performance Tool Manual

Similar documents
DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Use Domain Name System and IP Version 6

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

The Use of DNS Resource Records

SIDN Server Measurements

Monitoring Techniques for Cisco Network Registrar

Configuring DNS. Finding Feature Information

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

IPv6 and DNS. Secure64

Networking Domain Name System

Understanding Slow Start

DNS at NLnet Labs. Matthijs Mekking

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

NET0183 Networks and Communications

IPv6 and DNS. Secure64

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

Network Address Translation Commands

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Some advanced topics. Karst Koymans. Friday, September 11, 2015

DNSSEC in your workflow

K-root TCP load measurements

Application-layer protocols

Computer Networks: Domain Name System

DNS. DNS Fundamentals. Goals of this lab: Prerequisites: LXB, NET

Securing an Internet Name Server

RSSAC Recommendation on Measurements of the Root Server System RSSAC 002

DNS ActiveX Control for Microsoft Windows. Copyright Magneto Software All rights reserved

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

W H I T E P A P E R : T E C H N I C A L. Understanding and Configuring Symantec Endpoint Protection Group Update Providers

Networking Domain Name System

DNS Conformance Test Specification For Client

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February B

Configuring Global Protect SSL VPN with a user-defined port

Domain Name System (DNS) Services

Internet Engineering Task Force. Intended status: Experimental Expires: September 6, 2012 March 5, 2012

The Domain Name System

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

OCS Training Workshop LAB14. Setup

Managing DNS Server Properties

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

Lightweight DNS for Multipurpose and Multifunctional Devices

PCTV Systems Requirements for using DistanTV mobile

GLBP - Gateway Load Balancing Protocol

Networking Domain Name System

DNS security: poisoning, attacks and mitigation

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Using IPM to Measure Network Performance

Reverse DNS considerations for IPv6

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Automatic Configuration of Slave Nameservers (BIND only)

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

DNS Resolving using nslookup

dnstap: high speed DNS logging without packet capture Robert Edmonds Farsight Security, Inc.

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

The Domain Name System from a security point of view

Introduction to DNS CHAPTER 5. In This Chapter

Configuration Notes 0215

Security Provider Integration LDAP Server

Predictability of Windows DNS resolver. ing. Roberto Larcher robertolarcher@hotmail.com

EECS 489 Winter 2010 Midterm Exam

DNS Networks - Avoiding BIND Attack

Teldat Router. DNS Client

Dynamic DNS Support for Cisco IOS Software

How To Manage Dns On An Elfiq Link Load Balancer (Link Balancer) On A Pcode (Networking) On Ipad Or Ipad (Netware) On Your Ipad On A Ipad At A Pc Or Ipa

Application and service delivery with the Elfiq idns module

DOMAIN NAME SECURITY EXTENSIONS

Configuration Guide. DHCP Server. LAN client

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

Public-Root Name Server Operational Requirements

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Blocking DNS Messages is Dangerous

How To Configure A Bomgar.Com To Authenticate To A Rdius Server For Multi Factor Authentication

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

The Root of the Matter: Hints or Slaves

DNS traffic analysis -- Issues of IPv6 and CDN --

Red Hat system-config-bind BIND (Berkeley Internet Name Domain) DNS ( Domain Name System)

Using RADIUS Agent for Transparent User Identification

More Internet Support Protocols

Response Policy Zones for the Domain Name System (DNS RPZ) By Paul Vixie, ISC (et.al.) 2010 World Tour

Configuring Dynamic DNS

Chapter 8 Router and Network Management

NAST. Documentation. Copyright 2013 DENIC eg. Doc. version: 1.9 Doc. status: Final

Final Network Exam 01-02

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Hands On Activities: TCP/IP Network Monitoring and Management

System Administration Commands nslookup ( 1M )

Introduction. What is Unbound and what is DNSSEC. Installation. Manual for Unbound on Windows. W.C.A. Wijngaards, NLnet Labs, October 2010

PRODUCT VERSION: LYNC SERVER 2010, LYNC SERVER 2013, WINDOWS SERVER 2008

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Detecting rogue systems

Building a Linux IPv6 DNS Server

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS)

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

bbc Adobe LiveCycle Data Services Using the F5 BIG-IP LTM Introduction APPLIES TO CONTENTS

Transcription:

dnsperf DNS Performance Tool Manual Version 2.0.0 Date February 14, 2012

Copyright 2002-2012, Inc. - All Rights Reserved This software and documentation is subject to and made available pursuant to the terms of the License Agreement, and may be used or copied only in accordance with the terms of that Agreement. This manual, in whole or in part, may not be reproduced, translated or reduced to any machine-readable form without prior written approval from, Incorporated., Incorporated 2000 Seaport Boulevard Suite 400 Redwood City, CA, 94063 USA http://www.nominum.com Centris, Navitas and Vantio are trademarks of, Incorporated. All other trademarks are the property of their respective companies.

1 dnsperf dnsperf is an authoritative-server-specific Domain Name Service (DNS) performance testing tool. It is primarily intended for measuring the performance of authoritative DNS servers, but it can also be used for measuring caching server performance in a closed laboratory environment. For testing caching servers resolving against the live Internet, the resperf program is preferred. We recommend that dnsperf and the name server under test be run on separate machines, so that the CPU usage of dnsperf itself does not slow down the name server. The two machines should be connected with a fast network, preferably a dedicated Gigabit Ethernet segment. Testing through a router or firewall is not advisable. Command Synopsis dnsperf [ -a local_address][ -b bufsize ] [ -c clients ] [ -d datafile ] [ -D ] [ -e ] [ -f family ] [ -h ] [ -l limit ] [ -n runs_through_file ] [ -p port ] [ -q num_queries ] [ -Q max_qps ] [ -s server_addr ] [ -S stats_interval][ -t timeout ] [ -u ] [ -v ] [ -x local_port] [ -y [algorithm:]name:secret] 1

2 Chapter 1: dnsperf Options Option Description -a local_address Specifies the local address form which to send requests. The default is the wildcard address. -b bufsize Sets the size of the socket's send and receive buffers, in kilobytes. -c clients Enables the local server to act as multiple clients and specifies the number of clients represented by this server. The server sends requests from multiple sockets. By default, the local server acts as a single client. -d datafile Specifies the input data file. If not specified, dnsperf reads from standard input. -D Sets the DO (DNSSEC OK) bit in all packets sent, as per RFC 3225. This also enables EDNS 0, which is required for DNSSEC. -e Enables EDNS0, as per RFC 2671, by adding an OPT record to all packets sent. -f family Specifies the address family used for sending DNS packets. The possible values are: inet Use IPv4. inet6 Use IPv6. any Either IPv4 or IPv6 as appropriate. If any (the default value) is specified, dnsperf uses whichever address family is appropriate for the server to which it is sending packets. -h Prints a usage statement and exit. -l limit Specifies a time limit for the run, in seconds. -n runs_through_file Specifies a maximum number of runs through the input file. If no time limit is set, the file is read exactly this many times; if a time limit is set, the file may be read fewer times. -p port Sets the port on which the DNS packets are sent. If not specified, the standard DNS port (53) is used. Table 1-1 dnsperf options

Operational Considerations 3 Option Description -q num_queries Sets the maximum number of outstanding requests. When this value is reached, dnsperf stops sending requests until either responses are received or its requests time out. The default value is 100. -Q max_qps Limits the number of requests per second. -s server Specifies the name or address of the server to which requests will be sent. The default is the loopback address, 127.0.0.1. -t timeout Specifies the request timeout value, in seconds. After timeout is reached, dnsperf will no longer wait for a response to a particular request after this many seconds have elapsed. Default is five seconds. -u Instructs dnsperf to send DNS dynamic update messages, rather than queries. NOTE: The format of the input file is different in this case see Constructing a Dynamic Update Input File on page 5. -v Enables verbose mode, where the command output includes latency measurements and the DNS RCODE of each response. In the output, query time outs are reported with the string "T" (instead of a normal DNS RCODE). An "I" string in the output indicates the query was interrupted. -x local_port Specifies the local port from which to send requests. Default is the wildcard port (0). -y [algorithm:]name:secret Adds a TSIG record (as per RFC 2845) to all packets sent, using the specified TSIG key name, secret, and, optionally, agorithm. The secret is expressed as a base-64 encoded string. If you do not specify an algorithm, the algorithm defaults to hmac-md5. Table 1-1 dnsperf options (continued) Operational Considerations Performance testing at the traffic levels involved is essentially a hard real-time application. At a query rate of 100,000 qps, a 1/100s delay translates into 1000 incoming UDP packets this is far more than most operating systems can buffer.

4 Chapter 1: dnsperf Therefore on the same LAN as the server under test run dnsperf on its own machine, ensuring that: The machine running dnsperf is at least as fast as the server being tested otherwise, it may become a performance bottleneck. There are no other applications running on the machine running dnsperf. Bandwidth dnsperf makes significant demands on bandwidth. The machine running dnsperf and the server under test should be connected by a network segment with Gigabit Ethernet (or greater) capacity. Firewalls Ensure that no stateful firewalls exist between the caching server and the Internet. As a rule, stateful firewalls can t handle the amount of UDP traffic generated by dnsperf, and may skew test results by: Dropping packets. Locking up. Crashing. Configuring the Server The nameserver under test should be configured as an authoritative server, serving one or more zones that are similar in size (and number) to those the server is expected to serve in production. Recursion should be disabled for authoritative servers that support it otherwise, the server s attempts to retrieve glue information from the Internet during testing will slow the server by an unpredictable amount of time. Recursion can be disabled as follows: BIND8 and BIND9 Specify recursion no; in the options block. BIND8 only Specify fetch-glue no; in the options block. The Query Input File You need to construct a dnsperf input file containing a large and realistic set of queries, on the order of ten thousand to a million. The input file contains one line per query, consisting of a domain name and an RR type name separated by a space. The class of the query is implicitly IN. provides a sample query file for ease of testing. The latest query file is available for download at ftp://ftp.nominum.com/pub/nominum/dnsperf/data/.

Configuring the Server 5 When measuring the performance serving non-terminal zones such as the root zone or TLDs, note that such servers spend most of their time providing referral responses, not authoritative answers. Therefore, a realistic input file might consist mostly of queries for type A for names below, not at, the delegations present in the zone. For example, when testing the performance of a server configured to be authoritative for the top-level domain fi, which contains delegations for domains like helsinki.fi and turku.fi, the input file could contain lines like www.turku.fi A www.helsinki.fi A where the www prefix ensures that the server will respond with a referral. Ideally, a realistic proportion of queries for nonexistent domains should be mixed in with those for existing ones, and the lines of the input file should be in a random order. Constructing a Dynamic Update Input File To test dynamic update performance, dnsperf is run with the -u option, and the input file is constructed of blocks of lines describing dynamic update messages. The first line in a block contains the zone name: example.com Subsequent lines contain prerequisites, if any are required. Prerequisites can specify that a name may or may not exist, an RRset may or may not exist, or an RRset exists and its RDATA matches all specified rdata for that name and type. The keywords require and prohibit are followed by the appropriate information. All relative names are considered to be relative to the zone name. The following lines show the 5 types of prerequisites: require a require a A require a A 1.2.3.4 prohibit x prohibit x A Subsequent lines contain records to be added, records to be deleted, RRsets to be deleted, or names to be deleted. The keywords add or delete are followed by the appropriate information. All relative names are considered to be relative to the zone name. The following lines show the 4 types of updates. add x 3600 A 10.1.2.3 delete y A 10.1.2.3 delete z A delete w Each update message is terminated by a line containing the send command: send

6 Chapter 1: dnsperf Running Tests To run dnsperf tests, include the -d (data file) and -s (server) options in the command string, as shown in the following example: # dnsperf -d input_file -s server Monitoring the Test The output of dnsperf is mostly self-explanatory. Pay attention to the number of dropped packets reported; when running the test over a local Ethernet connection, the number of dropped packets should be zero. If one or more packets has been dropped, there may be a problem with the network connection. In that case, the results should be considered suspect and the test repeated. The following example shows sample output from the dnsperf command: DNS Performance Testing Tool Version 2.0.0.0.d [Status] Command line: dnsperf -d in -l 10 [Status] Sending queries (to 127.0.0.1) [Status] Started at: Thu Jan 26 15:18:06 2012 [Status] Stopping after 10.000000 seconds [Status] Testing complete (time limit) Statistics: Queries sent: 370539 Queries completed: 370539 (100.00%) Queries lost: 0 (0.00%) Response codes: NXDOMAIN 370539 (100.00%) Average packet size: request 27, response 71 Run time (s): 10.000463 Queries per second: 37052.184484 Average Latency (s): 0.001693 (min 0.000048, max 0.036055) Latency StdDev (s): 0.001181 Measuring Latency The average latency is printed in the statitics output; it takes into account both successes and failures. Note that requests that received no response at all will not be included in the latency graph this may unfairly skew the average latency in favor of servers that drop requests (or respond with an error later than the dnsperf timeout) over those from which an error response is received. TSIG Support When the -y option is used, TSIG records are added to all requests. The command-line option specifies the key name and secret, where the secret is encoded in base64.

Running Tests 7 Throttling Support The -Q option limits the numbers of requests per second to a specific number, which is computed during the entire run of dnsperf.

8 Chapter 1: dnsperf

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information