[Samba] Samba with BIND9 DLZ affecting internet speed
Zdravko Zdravkov
nirayah at gmail.com
Fri Dec 7 10:28:54 UTC 2018
Hi there.
Setup is Centos 7.4 with Samba 4.7.4. I
In our second office I've got configured Centos 7.5 with latest samba ad +
dlz, which I've set just as Andrew suggested, using separate bind9 that
forwards queries to the samba AD(dlz) for the given dns zone. Unfortunately
the office isn't operational yet, so I can't share any experience.
Best
On Fri, Dec 7, 2018 at 10:11 AM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> Hai,
>
>
> As Andrew also told, setup a caching dns and forward the samba dns zones.
> This works great, i use this on 2 internet connected servers.
>
> What we (i) also want to know is your running OS and samba version.
> That does help us, yes, really.. ;-)
>
> A very simple to setup for a forwarding dns.
> Install bind9 on the ftp server.
> Set in the named.options.
>
> dnssec-enable yes;
> dnssec-validation yes;
> // If you dont any ipv6 resolving. disable dnssec since your
> dropping valid records. ( not adviced )
> // if you do this make user all iv6 things are disabled, but
> again not adviced.
> //dnssec-enable no;
> //filter-aaaa-on-v4 yes;
>
> // From 9.9.5 ARM, disables interfaces scanning to prevent
> unwanted stop listening
> //interface-interval 0;
>
> // Listen on local interfaces only
> listen-on-v6 { ::1; };
> listen-on { 127.0.0.1; };
>
> // MailServer optimized changes for spamassassin.
> // Improve cache timings, adjust these to your needs.
> min-cache-ttl 60;
>
> // Spamassassin RBL server optimization for a CACHING dns server.
> // set in view or global, in seconds, changed to 5 min.
> // I lowered the time so RBL server changes are picked up much
> quicker.
> // Adjust these to your needs.
> max-cache-ttl 300; // default 7 days.
> max-ncache-ttl 300; // default 3 hours
>
> // make sure bind does not eat all the ram. Set what you need/want.
> max-cache-size 32M;
> // Dont load empty zones, this can conflict with samba bind_dlz
> zones.
> empty-zones-enable no;
>
>
> And add your forwarded zones, if you run this on an internet connected
> machine, make sure your dns request to go correct direction.
> // 0.1 and 0.2 are the samba-ad-dc servers.
> zone "internal.domain.tld" {
> type forward;
> forwarders { 192.168.0.1; 192.168.0.2; };
> };
>
> //
> zone "168.192.in-addr.arpa" {
> type forward;
> forwarders { 192.168.0.1; 192.168.0.2; };
> };
> zone "0.10.in-addr.arpa" {
> type forward;
> forwarders { 192.168.0.1; 192.168.0.2; };
> };
> // here i forward the internet zone to the internet dns.
> // i needed this on my mail server due to my dkim/spf/dmarc/tlsa setup.
> zone "domain.tld" {
> type forward;
> forwarders { internet_dns1; internet_dns1; };
> };
>
> And change the resolv.conf to localhost as first resolver.
>
> What helps also, at least for me, on debian 9, to reduce the problem.
>
> I've changed the bind9 systemd service.
> Add this part, it stops bind from reloading, which helps..
>
> # /etc/systemd/system/bind9.service.d/override.conf
> [Service]
> ExecReload=
>
>
> Samba-ad-dc does not like it when bind reloads.
> This is one on my todo list to re-configure these services and link them
> together.
> And my weekly backup, stops samba and bind , for full offline backup, and
> starts them again.
>
> If anyone has some spare time left, i suggest read this.
>
> http://alesnosek.com/blog/2016/12/04/controlling-a-multi-service-application-with-systemd/
> Thats the idea to help workaround this problem.
>
> In my opinion, what it should do.
>
> samba-ad-dc should detect if bind9 is available, if its available, start
> it before samba starts.
> Samba-ad-dc should detect if ntp is vailable, if so start it before samba
> starts.
> With a samba reload, not reload bind,
> With a samba restart, restart bind first.
> And stop stop both, but first samba.
>
> Just these 2 changes to the samba-ad-dc services will help reduceing the
> samba dns problem.
>
>
> Greetz,
>
> Louis
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Andrew Bartlett via samba
> > Verzonden: donderdag 6 december 2018 22:26
> > Aan: Zdravko Zdravkov; Samba List
> > Onderwerp: Re: [Samba] Samba with BIND9 DLZ affecting internet speed
> >
> > On Thu, 2018-12-06 at 22:08 +0200, Zdravko Zdravkov via samba wrote:
> > > Hi folks.
> > >
> > > I've just experienced strange behaviour with our samba ad
> > configured with
> > > bind9 dlz and our ftp server (separate machine on the same network).
> > >
> > > In the past few days I've noticed significant drop of the
> > download speed
> > > from the ftp server.
> > > As nothing obvious came to my mind I just rebooted our
> > samba AD server.
> > > Afterwards the speed increased about 9 times, back to what
> > we are used to.
> > >
> > > The ftp server uses the samba AD as dns. That's the only
> > connection between
> > > the two machines.
> > >
> > > I'm wondering if anyone else can report such troubles or
> > the issue is here
> > > only.
> >
> > Each DNS lookup takes the Samba DB lock, no matter what the
> > zone. This
> > appears to be the main issue here.
> >
> > We need to cache the list of zones we have so we don't need to get the
> > lock.
> >
> > In the meantime, set your FTP server to reference a caching BIND9 that
> > only forwards the Samba zone to the Samba DC.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett http://samba.org/~abartlet/
> > Authentication Developer, Samba Team http://samba.org
> > Samba Developer, Catalyst IT
> > http://catalyst.net.nz/services/samba
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list