Reducing DNS lookups

Alan DeKok aland at
Tue Feb 21 13:48:25 CET 2017

On Feb 21, 2017, at 7:10 AM, David Hartburn <D.J.Hartburn at> wrote:
> For our LDAP queries, we have specified the forest DNS name as the LDAP server, so that we achieve via DNS a random distribution of queries against our AD servers. Previously we had hammered the first server on the list.
> This has kept our AD guys happy, but we have noticed that at busy times our FR servers are doing over 100 DNS queries per second, for the same thing.
> I can not spot anything in the FreeRADIUS config files, but is there any way to reduce the number of DNS lookups? We are running 3.0.12 on RHEL7.

  DNS doesn't work that way.  FreeRADIUS doesn't work that way.

  It's simple.  If you put a DNS name into the configuration file, it's resolved to an IP address when the server starts, and cached forever.

  If your LDAP server returns a redirect (as AD does... a LOT), that redirect is a DNS name.  That name *must* then be resolved to an IP at run time.  There is simply no other way to do this.

  The DNS resolver on the RADIUS system is responsible for doing DNS lookups, and for caching the results.  If it doesn't cache the results, you'll see endless DNS queries.

> Outside of FreeRADIUS, we could either make sure each server has a different /etc/hosts file, which is not ideal, or implementing local DNS caching seems to be the more sensible way to go. Are there any other alternatives other people are using?

  Configure a local DNS caching resolver on each RADIUS system.  The DNS lookups will be done once, and then cached.

  But the underlying problem is likely that your AD system is returning redirects.  A LOT of them.

  There may be ways for FreeRADIUS to do fewer LDAP lookups, but without knowing more about your use-case, it's hard to tell.

  Alan DeKok.

More information about the Freeradius-Users mailing list