[Samba] Samba with BIND9 DLZ affecting internet speed

L.P.H. van Belle belle at bazuin.nl
Fri Dec 7 08:11:00 UTC 2018


As Andrew also said, set up a caching DNS and forward the Samba DNS zones. 
This works great; I use this on 2 internet-connected servers. 

What we (I) also want to know is your running OS and Samba version.
That does help us, yes, really..  ;-) 

A very simple setup for a forwarding DNS: 
Install bind9 on the FTP server. 
Set this in named.conf.options: 

        // These go inside the options { ... } block of /etc/bind/named.conf.options.
        dnssec-enable yes;      // has no effect from BIND 9.16 on; dnssec-validation is what matters
        dnssec-validation yes;
        // If you don't do any IPv6 resolving, you could disable DNSSEC, since you are
        // dropping valid (AAAA) records (not advised).
        // If you do this, make sure all IPv6 things are disabled, but again, not advised. 
        //dnssec-enable no;
        //filter-aaaa-on-v4 yes;

        // From the 9.9.5 ARM: disables interface scanning, to prevent it unexpectedly stopping listening.
        //interface-interval 0;

        // Listen on local interfaces only.
        // (The list archive stripped the IPv4 address; 127.0.0.1 is the loopback counterpart of ::1.)
        listen-on-v6 { ::1; };
        listen-on { 127.0.0.1; };

        // Mail server optimized changes for spamassassin.
        // Improve cache timings; adjust these to your needs. 
        min-cache-ttl 60;

        // Spamassassin RBL server optimization for a CACHING dns server.
        // Set in view or global, in seconds; changed to 5 min.
        // I lowered the time so RBL server changes are picked up much quicker.
        // Adjust these to your needs.
        max-cache-ttl 300;   // default 7 days.
        max-ncache-ttl 300;  // default 3 hours

        // Make sure bind does not eat all the RAM. Set what you need/want.
        max-cache-size 32M;
        // Don't load empty zones; they can conflict with samba bind_dlz zones.
        empty-zones-enable no;

And add your forwarded zones. If you run this on an internet-connected machine, make sure your DNS requests go in the correct direction. 
// 0.1 and 0.2 are the samba-ad-dc servers. 
// (The list archive stripped the addresses; 192.168.0.1 and 192.168.0.2 are assumed below from that comment.)
zone "internal.domain.tld" {
    type forward;
    forwarders { 192.168.0.1; 192.168.0.2; };
};

zone "168.192.in-addr.arpa" {
    type forward;
    forwarders { 192.168.0.1; 192.168.0.2; };
};
zone "0.10.in-addr.arpa" {
    type forward;
    forwarders { 192.168.0.1; 192.168.0.2; };
};
// Here I forward the internet zone to the internet DNS. 
// I needed this on my mail server due to my DKIM/SPF/DMARC/TLSA setup. 
// (internet_dns1 and internet_dns2 are placeholders for the IP addresses of the public resolvers.)
zone "domain.tld" {
    type forward;
    forwarders { internet_dns1; internet_dns2; };
};

And change resolv.conf to use localhost as the first resolver. 

What also helps, at least for me, on Debian 9, to reduce the problem: 

I've changed the bind9 systemd service. 
Add this part; it stops bind from reloading, which helps.. 

# /etc/systemd/system/bind9.service.d/override.conf

Samba-ad-dc does not like it when bind reloads. 
This is one on my todo list: to re-configure these services and link them together.
And my weekly backup stops samba and bind for a full offline backup, and starts them again. 

If anyone has some spare time left, I suggest reading this. 
That's the idea, to help work around this problem. 

In my opinion, this is what it should do.

samba-ad-dc should detect if bind9 is available; if it is, start it before samba starts.
samba-ad-dc should detect if ntp is available; if so, start it before samba starts.
On a samba reload, do not reload bind. 
On a samba restart, restart bind first. 
And stop both, but samba first. 

Just these 2 changes to the samba-ad-dc service will help reduce the Samba DNS problem. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Andrew Bartlett via samba
> Sent: Thursday 6 December 2018 22:26
> To: Zdravko Zdravkov; Samba List
> Subject: Re: [Samba] Samba with BIND9 DLZ affecting internet speed
> On Thu, 2018-12-06 at 22:08 +0200, Zdravko Zdravkov via samba wrote:
> > Hi folks.
> > 
> > I've just experienced strange behaviour with our samba ad configured with
> > bind9 dlz and our ftp server (separate machine on the same network).
> > 
> > In the past few days I've noticed a significant drop of the download speed
> > from the ftp server.
> > As nothing obvious came to my mind I just rebooted our samba AD server.
> > Afterwards the speed increased about 9 times, back to what we are used to.
> > 
> > The ftp server uses the samba AD as dns. That's the only connection between
> > the two machines.
> > 
> > I'm wondering if anyone else can report such troubles or the issue is here
> > only.
> Each DNS lookup takes the Samba DB lock, no matter what the zone.  This
> appears to be the main issue here. 
> We need to cache the list of zones we have so we don't need to get the
> lock.
> In the meantime, set your FTP server to reference a caching BIND9 that
> only forwards the Samba zone to the Samba DC.
> Andrew Bartlett
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
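
The forwarder setup described in this post, written out as an added shell example; it is not code from the post or from the Samba project. It renders the two files Debian's bind9 reads (named.conf.options and named.conf.local), derives the in-addr.arpa names for the reverse zones from network prefixes, does a brace-balance pre-check on the generated text before you hand it to named-checkconf, and checks that a resolv.conf puts the local forwarder first. The domain internal.domain.tld, the DC addresses 192.168.0.1 and 192.168.0.2, the networks 192.168.0.0/16 and 10.0.0.0/16, and the /etc/bind layout are assumptions; "forward only" and "dnssec-validation auto" are my choices, not the post's.

```shell
#!/bin/sh
# Added example: render a caching BIND9 forwarder for a Samba domain member,
# following the list post. Assumptions (not from the post): domain
# internal.domain.tld, DCs 192.168.0.1 and 192.168.0.2, networks
# 192.168.0.0/16 and 10.0.0.0/16, Debian's /etc/bind file layout.
set -eu

DCS="192.168.0.1 192.168.0.2"
AD_ZONE="internal.domain.tld"

# in-addr.arpa zone name for a /8, /16 or /24 prefix, e.g.
# 192.168.0.0/16 -> 168.192.in-addr.arpa (octets reversed, one per label).
reverse_zone_name() {
    net=${1%/*}; bits=${1#*/}
    o1=${net%%.*}; rest=${net#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    case $bits in
        8)  printf '%s.in-addr.arpa\n' "$o1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$o2" "$o1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$o3" "$o2" "$o1" ;;
        *)  echo "reverse_zone_name: only /8, /16, /24 supported: $1" >&2; return 1 ;;
    esac
}

# One "type forward" zone block sending $zone to the DCs. "forward only"
# matters for private zones: with the default "forward first", a DC outage
# makes BIND recurse from the root and negative-cache NXDOMAIN for AD names.
forward_zone() {
    zone=$1; shift
    fwd=""
    for ip in "$@"; do fwd="$fwd $ip;"; done
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' "$zone" "$fwd"
}

# options{} per the post: loopback only, validating, short positive and
# negative cache TTLs, a bounded cache, and no built-in empty zones (those
# would shadow the reverse zones the DC serves through bind_dlz).
named_options() {
    cat <<'EOF'
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    recursion yes;
    dnssec-validation auto;   // built-in root trust anchor
    min-cache-ttl 60;
    max-cache-ttl 300;        // default 7 days
    max-ncache-ttl 300;       // default 3 hours
    max-cache-size 32M;
    empty-zones-enable no;
};
EOF
}

# Brace balance of a config read from stdin; exit 0 when balanced. A cheap
# pre-check for hand-edited zone blocks before running named-checkconf.
braces_balanced() {
    awk '{ n += gsub(/[{]/, "{") - gsub(/[}]/, "}") } END { exit n != 0 }'
}

# First "nameserver" in a resolv.conf read from stdin; the post's last step
# is that this must be 127.0.0.1 so every lookup goes through the cache.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Write both files into $1 and fail if the result is not brace-balanced.
render_all() {
    dir=$1
    named_options > "$dir/named.conf.options"
    {
        # $DCS is a deliberate word list, so it is left unquoted.
        forward_zone "$AD_ZONE" $DCS
        forward_zone "$(reverse_zone_name 192.168.0.0/16)" $DCS
        forward_zone "$(reverse_zone_name 10.0.0.0/16)" $DCS
    } > "$dir/named.conf.local"
    cat "$dir/named.conf.options" "$dir/named.conf.local" | braces_balanced
}

out=${1:-$(mktemp -d)}
render_all "$out"
echo "wrote $out/named.conf.options and $out/named.conf.local"
```

Run it with a target directory, review the output, copy the two files to /etc/bind, run named-checkconf, put "nameserver 127.0.0.1" first in resolv.conf and restart bind9. For the start/stop ordering the post asks for on the DC itself, a systemd drop-in with After=bind9.service and Wants=bind9.service in samba-ad-dc.service, plus PartOf=samba-ad-dc.service in bind9.service, starts bind first, stops it after samba and propagates restart but not reload; the unit names bind9.service and samba-ad-dc.service are Debian's and are an assumption for other distributions.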
