For an authoritative DNS server, a high response rate is not only useful for serving many clients, but also for withstanding some flood attack attempts. While the basic answering routines are well optimized in most open-source DNS servers, profiling disclosed that 30% to 70% of the CPU time of a highly loaded server is spent on network I/O. It is not that the Linux syscalls are implemented inefficiently; rather, they do too much: firewall, routing, queuing, etc.
Using Berkeley Packet Filter, we can capture DNS-over-UDP packets before they reach the Linux network stack, while passing all other traffic on to the stack. Further, using eXpress Data Path, we can process the captured packets in our DNS application and send the responses while also bypassing the Linux stack.
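To make the capture step concrete, here is an added example of the classification an XDP program performs before deciding whether a frame is handed to the DNS application or passed to the kernel. It is not Knot DNS code and is not taken from the talk: it is ordinary user-space C so it compiles and runs without a kernel, with the Ethernet/IPv4/UDP header layouts and the XDP return codes defined locally as stand-ins for the kernel headers. The bounds checks against `data_end` are written in the style the BPF verifier demands; the `build_frame`/`classify_sample` helpers construct sample frames and are assumptions for testing only. IPv6 and IP fragments are deliberately passed to the stack rather than handled.

```c
/* Added example (not Knot DNS code): XDP-style classification of
 * DNS-over-UDP frames, written as plain C so it can run in user space. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_UDP, htons/ntohs */

#define ETH_HDR_LEN   14
#define ETHTYPE_IPV4  0x0800
#define DNS_PORT      53
#define DNS_HDR_LEN   12

/* Stand-ins for the XDP action codes from <linux/bpf.h>. */
enum { XDP_PASS = 2, XDP_REDIRECT = 4 };

/* Wire layouts (big-endian fields); local copies of the kernel structs. */
struct __attribute__((packed)) eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; };
struct __attribute__((packed)) ip4_hdr {
    uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr;
};
struct __attribute__((packed)) udp_hdr { uint16_t source, dest, len, check; };

/* Decide whether a frame is a DNS/UDP query for the application (XDP_REDIRECT)
 * or anything else that the Linux stack should handle (XDP_PASS).
 * Every pointer is checked against data_end before it is dereferenced,
 * which is exactly what the BPF verifier insists on for a real XDP program. */
int classify_dns_udp(const void *data, const void *data_end)
{
    const struct eth_hdr *eth = data;
    if ((const void *)(eth + 1) > data_end) return XDP_PASS;
    if (eth->proto != htons(ETHTYPE_IPV4)) return XDP_PASS;   /* IPv6 left to the stack here */

    const struct ip4_hdr *ip = (const void *)(eth + 1);
    if ((const void *)(ip + 1) > data_end) return XDP_PASS;
    if ((ip->ihl_version >> 4) != 4) return XDP_PASS;
    size_t ihl = (size_t)(ip->ihl_version & 0x0f) * 4;          /* 20..60 bytes */
    if (ihl < sizeof *ip) return XDP_PASS;
    if (ip->protocol != IPPROTO_UDP) return XDP_PASS;           /* TCP DNS stays on the stack */
    if (ntohs(ip->frag_off) & 0x3fff) return XDP_PASS;          /* MF flag or offset: let the kernel reassemble */

    const struct udp_hdr *udp = (const void *)((const uint8_t *)ip + ihl);
    if ((const void *)(udp + 1) > data_end) return XDP_PASS;
    if (udp->dest != htons(DNS_PORT)) return XDP_PASS;

    /* Require a complete 12-byte DNS header; shorter datagrams are not queries. */
    if ((const uint8_t *)(udp + 1) + DNS_HDR_LEN > (const uint8_t *)data_end) return XDP_PASS;
    return XDP_REDIRECT;
}

/* Constructed sample input (not captured traffic): a minimal Ethernet/IPv4/UDP
 * frame with a zeroed payload. Returns the frame length, or 0 if buf is too small. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t proto, uint16_t dport, size_t payload_len)
{
    size_t total = ETH_HDR_LEN + sizeof(struct ip4_hdr) + sizeof(struct udp_hdr) + payload_len;
    if (total > cap) return 0;
    memset(buf, 0, total);
    struct eth_hdr *eth = (void *)buf;
    eth->proto = htons(ETHTYPE_IPV4);
    struct ip4_hdr *ip = (void *)(buf + ETH_HDR_LEN);
    ip->ihl_version = 0x45;                                      /* IPv4, 20-byte header */
    ip->tot_len = htons((uint16_t)(total - ETH_HDR_LEN));
    ip->ttl = 64;
    ip->protocol = proto;
    struct udp_hdr *udp = (void *)(buf + ETH_HDR_LEN + sizeof *ip);
    udp->source = htons(40000);
    udp->dest = htons(dport);
    udp->len = htons((uint16_t)(sizeof *udp + payload_len));
    return total;
}

/* Build one sample frame, optionally truncate it, and classify it. */
int classify_sample(uint8_t proto, uint16_t dport, size_t payload_len, size_t truncate_by)
{
    uint8_t buf[256];
    size_t n = build_frame(buf, sizeof buf, proto, dport, payload_len);
    if (n == 0 || truncate_by > n) return -1;
    n -= truncate_by;
    return classify_dns_udp(buf, buf + n);
}

int main(void)
{
    printf("UDP/53 with full DNS header: %d (expect %d)\n", classify_sample(IPPROTO_UDP, 53, 12, 0), XDP_REDIRECT);
    printf("UDP/53 truncated by 4 bytes:  %d (expect %d)\n", classify_sample(IPPROTO_UDP, 53, 12, 4), XDP_PASS);
    printf("UDP/80:                       %d (expect %d)\n", classify_sample(IPPROTO_UDP, 80, 12, 0), XDP_PASS);
    printf("TCP/53:                       %d (expect %d)\n", classify_sample(IPPROTO_TCP, 53, 12, 0), XDP_PASS);
    return 0;
}
```

The point to notice is that the program never touches a byte it has not first proven to be inside the frame; an XDP program without those comparisons is rejected at load time, and a user-space parser without them is an out-of-bounds read. Everything that is not a plain, unfragmented UDP datagram to port 53 falls through to the kernel, so the bypass only narrows the fast path and never takes the stack's other protections away from the remaining traffic.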
In my talk, I will summarize the feature design, examine the obvious and hidden limitations, and share practical experiences from implementing XDP in Knot DNS authoritative server.
| Talk Duration | No longer available: 15 Minutes |