How to optimize Bind9 running on Debian as much as possible?
Hello
There is a DNS server (BIND 9.10.3-P4-Debian) on the Debian 4.9.0-11-amd64 operating system. At peak, the server receives approximately 4000 requests per second.
I must say right away that the hardware itself is not very
2 x --- Intel(R) Xeon(TM) CPU 3.00GHz, 4 cores in total
4 G --- Ram
I accidentally noticed that my DNS does not always answer me, or there is a delay. Approximately answered 4 requests and 5. I thought the problem was in iptables because I wrote the rules:
1). iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name Dns_speed_limit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 300/minute -j DROP
2). iptables -A INPUT -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -j DROP (ANY)
I removed all the rules and double-checked, but it is still the same. After a little searching, I saw something interesting. In addition, I noticed a queue of 200,000 in Recv-Q in the output of watch 'netstat -apn | grep :53 | grep -i named | grep 0.0.0.0'
As I understand it, my buffer is full and therefore the packets are dropped. I decided to increase the buffer and not only...
net.core.rmem_default=425984
net.core.wmem_default=425984
net.core.wmem_max=425984
net.core.rmem_max=425984
net.core.netdev_max_backlog=65536
net.core.somaxconn=1024
So it got a little better, but again there happen to be 1k packets in the list (packets to unknown port received, receive buffer errors). And there are 426k in the Recv-Q queue; dig responds in 200-400 ms at this time.
I put the same settings on another, stronger server without any changes to the kernel, and everything is normal. This server was running Apache, MySQL and WordPress, which had to be turned off.
After that I decided to set unlimited for this PID in prlimit, but there is no result.
The question is how to optimize the server? And where else can there be a bottleneck?
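The Recv-Q and "receive buffer errors" symptoms described above can be checked per socket, as an added example that is not part of the original post: it reads the rx_queue and drops columns of /proc/net/udp for port 53 and flags sockets that are dropping datagrams or sitting near the buffer limit. The sample table is constructed, and comparing against net.core.rmem_max assumes the socket's receive buffer equals that sysctl value.

```python
import socket
import struct

# Constructed sample in /proc/net/udp layout (not captured from the poster's server).
# rx_queue 0x68000 = 425984 bytes, the rmem value quoted in the post.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0035 00000000:0000 07 00000000:00068000 00:00000000 00000000   107        0 21001 2 0000000000000000 1000
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   107        0 21002 2 0000000000000000 0
  103: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21003 2 0000000000000000 0
"""

def parse_udp_table(text, port=53):
    """Return rx_queue and drop counters for UDP sockets bound to `port`."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 13:
            continue
        addr_hex, port_hex = f[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # The IPv4 address is printed in host byte order (little-endian on amd64).
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rows.append({
            "local": f"{ip}:{port}",
            "rx_queue": int(f[4].split(":")[1], 16),  # bytes queued, what netstat shows as Recv-Q
            "drops": int(f[12]),                       # datagrams dropped on this socket
        })
    return rows

def saturated(rows, rmem_limit, threshold=0.9):
    """Sockets that dropped datagrams or whose queue is near the buffer limit."""
    return [r for r in rows
            if r["drops"] > 0 or r["rx_queue"] >= threshold * rmem_limit]

if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:
            table = fh.read()
        with open("/proc/sys/net/core/rmem_max") as fh:
            limit = int(fh.read())
    except OSError:
        table, limit = SAMPLE, 425984  # fall back to the constructed sample
    for r in saturated(parse_udp_table(table), limit):
        print(f"{r['local']} rx_queue={r['rx_queue']} drops={r['drops']} limit={limit}")
```

A queue that stays pinned at the limit while drops keeps rising means the process is not draining the socket fast enough, so a larger buffer only delays the loss.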
The problem was solved by reinstalling the server and updating to Debian 10.3. I didn't understand exactly what the problem was.