Reducing DNS lookups

Michael Ströder michael at
Tue Feb 21 18:50:52 CET 2017

David Hartburn wrote:
> For our LDAP queries, we have specified the forest DNS name as the LDAP server, so
> that we achieve via DNS a random distribution of queries against our AD servers.
> Previously we had hammered the first server on the list.

You're doing DNS round-robin now? Note that this does not necessarily mean good

> This has kept our AD guys happy, but we have noticed that at busy times our FR servers
> are doing over 100 DNS queries per second, for the same thing.

What is "for the same thing"?

What are the DNS TTLs for the queried records?

You also did not say anything about the authc mechs used. If Kerberos or similar is used
there could be more DNS lookups.

As others said, I'd also recommend using a local caching DNS resolver in case you cannot
improve anything else.

Ciao, Michael.
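The two suggestions in this thread (check the TTL, put a caching resolver in front of the RADIUS box) have a measurable effect that is easy to reason about with a small model. The following is an added example, not code from this thread or from FreeRADIUS: it simulates an upstream DNS server doing classic round-robin on a forest name, a local TTL-respecting cache in front of it, and a client issuing 100 lookups per second. The forest name `ad.example.com`, the four addresses, the 300 s TTL and the query rate are constructed values.

```python
"""Simulation of a TTL-respecting local DNS cache sitting in front of a
DNS round-robin record set.

Added example, not code from the thread or from FreeRADIUS. The forest
name, addresses, TTL and query rate are constructed for illustration.
"""
from collections import Counter

# Constructed zone data: one forest DNS name, four AD servers behind it.
UPSTREAM_RRSET = {
    "ad.example.com": {
        "ttl": 300,
        "addrs": ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"],
    },
}


class Upstream:
    """Authoritative (or site) DNS server doing classic round-robin:
    the RRset is rotated by one position on every answer. It also
    counts the queries it receives, which is the load the AD side sees."""

    def __init__(self, rrsets):
        self.rrsets = rrsets
        self.queries = 0
        self._offset = {name: 0 for name in rrsets}

    def query(self, name):
        self.queries += 1
        rr = self.rrsets[name]
        k = self._offset[name]
        self._offset[name] = (k + 1) % len(rr["addrs"])
        return rr["ttl"], rr["addrs"][k:] + rr["addrs"][:k]


class CachingResolver:
    """Local caching resolver in front of the RADIUS server. Honors the
    TTL; when rotate_cached is set it also rotates the cached answer on
    every hit, so lookups inside one TTL window still spread across the
    servers instead of all returning the same first address."""

    def __init__(self, upstream, rotate_cached=True):
        self.upstream = upstream
        self.rotate_cached = rotate_cached
        self.cache = {}  # name -> [expires_at, addrs]

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is None or now >= entry[0]:
            # Cache miss or expired: one upstream query per TTL window.
            ttl, addrs = self.upstream.query(name)
            self.cache[name] = [now + ttl, list(addrs)]
            return list(addrs)
        addrs = entry[1]
        if self.rotate_cached:
            addrs.append(addrs.pop(0))
        return list(addrs)


def simulate(rate_per_sec, duration_sec, rotate_cached=True, use_cache=True):
    """Issue rate_per_sec lookups of the forest name for duration_sec
    seconds, with or without a local cache. Returns the number of
    queries the upstream saw and how often each address came first in
    the answer (the server a naive client would connect to)."""
    upstream = Upstream(UPSTREAM_RRSET)
    resolver = CachingResolver(upstream, rotate_cached)
    first_choice = Counter()
    for i in range(rate_per_sec * duration_sec):
        now = i / rate_per_sec
        if use_cache:
            addrs = resolver.resolve("ad.example.com", now)
        else:
            _, addrs = upstream.query("ad.example.com")
        first_choice[addrs[0]] += 1
    return upstream.queries, dict(first_choice)


if __name__ == "__main__":
    for label, kw in [
        ("no local cache", {"use_cache": False}),
        ("cache, no rotation", {"rotate_cached": False}),
        ("cache + rotation", {}),
    ]:
        n, dist = simulate(100, 600, **kw)
        print(f"{label:20s} upstream queries: {n:6d}  first-answer distribution: {dist}")
```

With a 300 s TTL, 100 lookups per second for ten minutes cost the upstream 60000 queries without a cache and two with one. The caveat is the second run: a cache that simply replays the stored answer hands every client inside a TTL window the same first address, which is exactly the "hammer the first server on the list" behaviour the poster moved away from. Most caching resolvers rotate or randomise cached RRsets, but it is worth confirming that on whatever you deploy. The TTL itself can be read off the answer section of `dig +noall +answer ad.example.com` (second column).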
