Reducing DNS lookups

Brian Julin BJulin at clarku.edu
Tue Feb 21 15:55:25 CET 2017


Alan DeKok wrote:
>  It's simple.  If you put a DNS name into the configuration file, it's resolved to an IP address when the server starts, and cached forever.

I think we are talking of the server= entries in an ldap config section
which are passed to libldap directly and the DNS entries are looked up
at runtime from there.

For load balancing LDAP here we simply have multiple server= lines all
specifying the same DNS name, which has round-robin entries and this
seems to work just fine, especially given the connection pooling.  Most of our
DNS traffic is winbind finding kerberos SRV records... but then we don't
LDAP directly to AD.

100 DNS lookups per second being a problem would seem to indicate
the DNS is not well situated close to the authentication server, though.
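As an added illustration of the layout described above (not configuration from the original post or from the FreeRADIUS project), a FreeRADIUS 3.x mods-available/ldap fragment; the hostname, bind credentials and pool sizes are placeholder assumptions:

```text
ldap {
    # Constructed example: two server= lines naming the SAME round-robin
    # DNS name. libldap resolves the name itself each time it opens a
    # connection, so each new pool connection may land on a different
    # A record; FreeRADIUS does not resolve it once at startup here.
    server = 'ldap.example.org'    # hostname is a placeholder assumption
    server = 'ldap.example.org'
    port = 389

    identity = 'cn=radius,dc=example,dc=org'   # placeholder bind DN
    password = 'REPLACE-ME'                     # placeholder, keep out of VCS
    base_dn  = 'dc=example,dc=org'

    # Connection pooling is what keeps DNS traffic low: a lookup only
    # happens when a pooled connection is (re)opened, not per request.
    pool {
        start = 5          # connections opened at startup
        min   = 4
        max   = 10
        spare = 3
        uses  = 0          # 0 = unlimited requests per connection
        lifetime = 0       # 0 = never recycle a connection on age alone
        idle_timeout = 60  # idle connections close after 60 s; the
                           # replacement connection triggers a fresh lookup
        retry_delay = 30   # seconds before retrying a failed server
    }
}
```

Before relying on this, confirm the name really carries several records (for example `dig +short ldap.example.org` should print more than one address) and that the lookup count in the resolver logs stays close to the pool's reconnect rate rather than the request rate.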



More information about the Freeradius-Users mailing list