BIND DNS udp_bad_chksum

Post by anderson_thomas » 2017/10/27 09:14:55

Hi List,

I'm using the CentOS-7 BIND 9.9.4 package as DNS server for my network. It WORKS! - BUT the queries are a little bit slow, so I decided to watch the traffic via tcpdump:

```
# tcpdump -vvv -s 0 -l -n port 53
11:07:00.432814 IP (tos 0x0, ttl 64, id 59529, offset 0, flags [none], proto UDP (17), length 69)
    192.168.0.40.49680 > 192.168.0.20.domain: [bad udp cksum 0x148c -> 0xed8b!] 32290+ [1au] A? tachtler.net. ar: . OPT UDPsize=4096 (41)
...
...
...
11:08:14.110922 IP (tos 0x0, ttl 64, id 36180, offset 0, flags [none], proto UDP (17), length 67)
    192.168..0.70.39099 > 192.168.0.20.domain: [bad udp cksum 0x14a8 -> 0xdacb!] 14978+ [1au] A? google.com. ar: . OPT UDPsize=4096 (39)
```

My PROBLEM is that there are lots of bad udp cksum ERRORS!

One SOLUTION was to do the following MANUALLY with ETHTOOL:

```
# ethtool --offload  eth0  rx off  tx off
# ethtool -K eth0 gso off
```

AFTER that, the bad udp cksum ERRORS are gone.

But how can I configure this BOOT SAFE for the next server restart?

Thank you!
Thomas.

Post by pjsr2 » 2017/10/27 12:38:19

Look at the file /etc/sysconfig/network-scripts/ifup-post.
Near the end of this file, you can see that it calls the script /sbin/ifup-local if such a file exists and is executable.
Edit or create /sbin/ifup-local and put the command in there.

However, before making this change: are you sure you need this setting? Does it really make your DNS queries faster?

As shown in the diagram in https://sandilands.info/sgordon/segment ... nd-ethtool tcpdump captures the traffic between network device driver and the network card. If your network card has hardware support for computing the check sums, the device driver does not compute them but leaves (offloads) this work to the network card. In this case, tcpdump will show the check sums as incorrect, simply because they have not been computed yet. That is no problem because the network card will compute and add the check sums before putting the packets on the wire. So the receiving side will receive packets with correct check sums. When you switch off offloading, the network device driver will compute the check sums and tcpdump shows them as correct. However, you pay with extra CPU cycles. If the check sums were really incorrect "on the wire" you would not get slower answers, but no answer at all, since the packages would have been rejected.
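An added example, not part of pjsr2's post: one way to write the /sbin/ifup-local described above so that it reapplies the two ethtool commands from the first post whenever eth0 comes up. It assumes ifup-post passes the interface name as the first argument; the `OFFLOAD_IFACES` and `ETHTOOL` variables and the function names are hypothetical, introduced here so the script can be dry-run.

```shell
#!/bin/sh
# /sbin/ifup-local (added example, not from the thread).
# Assumption: ifup-post calls this file with the interface name as $1.

# Interfaces whose offloading is switched off; eth0 is the device from the thread.
OFFLOAD_IFACES="${OFFLOAD_IFACES:-eth0}"
# Overridable for a dry run, e.g. ETHTOOL=echo (hypothetical knob of this example).
ETHTOOL="${ETHTOOL:-ethtool}"

# Return 0 when interface $1 is listed in OFFLOAD_IFACES.
wants_offload_off() {
    for i in $OFFLOAD_IFACES; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# Apply the same two commands that were run by hand in the first post.
disable_offload() {
    dev="$1"
    # Leave every other interface (lo, bridges, ...) untouched.
    wants_offload_off "$dev" || return 0
    $ETHTOOL --offload "$dev" rx off tx off || return 1
    $ETHTOOL -K "$dev" gso off || return 1
}

# Only act when called with an interface name, as ifup-post does.
if [ $# -ge 1 ]; then
    disable_offload "$1"
fi
```

The file must be executable (`chmod +x /sbin/ifup-local`), since ifup-post only calls it in that case; running it as `ETHTOOL=echo /sbin/ifup-local eth0` prints the commands instead of applying them.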

Post by anderson_thomas » 2017/10/27 13:21:30

Hi pjsr2,

thank you for your reply.

I'm not sure that I need that, but at tcpdump bad udp cksum is not the best?

I'm in a KVM environment and I found some solutions to speed up the performance with this step.

Since I have deactivated the offloading - I think the speed for DNS requests is faster!


What do you think?

Thank you!
Thomas

Post by anderson_thomas » 2017/10/27 14:14:06

Hi,

performance test with namebench:

BEFORE: (offloading)

```
********************************************************************************
In this test, Google Public DNS is 188.4%: Faster
********************************************************************************
```

AFTER: (offloading)

```
********************************************************************************
In this test, Google Public DNS is 86.8%: Faster
********************************************************************************
```

Maybe this could be an answer?
Thomas

Post by pjsr2 » 2017/10/27 14:21:15

Hi Thomas,

Tcpdump has an option -K or --dont-verify-checksums to suppress the check sum verifications for use when the check sum calculations are offloaded to the network card. See man tcpdump.

When you are in a KVM environment, it doesn't make a difference for your CPU load when you compute the check sums in the device driver or in the virtualized network card, since both will be done by the same CPUs.

I have seen some reports in mailing lists that performance is better with offload deactivated in virtualized environments. Maybe it also depends on the type of network cards that you have selected on your virtual machine.

Peter
