Reducing DNS lookups

Michael Ströder michael at
Tue Feb 21 18:45:01 CET 2017

Matthew Newton wrote:
> On Tue, Feb 21, 2017 at 07:48:25AM -0500, Alan DeKok wrote:
>> On Feb 21, 2017, at 7:10 AM, David Hartburn <D.J.Hartburn at> wrote:
>>> For our LDAP queries, we have specified the forest DNS name as
>>> the LDAP server, so that we achieve via DNS a random
>>> distribution of queries against our AD servers. Previously we
>>> had hammered the first server on the list.
>> But the underlying problem is likely that your AD system is
>> returning redirects.  A LOT of them.
> If the data is in the Global Catalogue, point FreeRADIUS at port
> 3269 on the DCs instead of 636. It should stop the referrals, and
> therefore also speed up LDAP searches.

Since chasing LDAPv3 referrals is a broken concept I always recommend to set

chase_referrals = no

IMHO it should be the default in the FreeRADIUS sample config.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the Freeradius-Users mailing list