(This article has been updated with a new set of results here.)
This article details the name resolution performance of the Windows Server 2012 R2 DNS Server when deployed in a strictly authoritative mode, in which recursion has been disabled and the root hints have been removed.
The tests were performed on a physical machine deployed as an authoritative server with the following hardware configuration:
Total Physical memory
Broadcom NetXtreme Gigabit Ethernet
Number of Zones
Number of Records: 10000 records per zone, i.e. a total of 2 million records
~100 bytes per response
20% of total queries resulting in NXDOMAIN
The test setup used to measure performance included the following modules:
Client Query Farms
The setup has multiple client query farms that send queries to the authoritative DNS server. Each farm consists of multiple client VMs running Windows 8.1. Each farm collects the performance counters for transmitted DNS queries and received responses across the client VMs within that farm; the client counters are then aggregated over all client farms.
The authoritative DNS server, whose machine configuration was given earlier, hosts the records described in the configuration section. It is the target machine on which the DNS queries received and the DNS responses sent are measured. For the purpose of this test, the authoritative server and all clients are on the same private network.
The reporting server is where the counters are collected from the client farms and from the DNS server, and where the reports are subsequently generated.
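The following PowerShell function is an added example, not a script from the original article: it samples the DNS Server's built-in performance counters over a fixed window on the server itself and derives the two figures the results below are stated in, the average query rate (QPS) and the percentage of received queries that were answered. The `\DNS\...` counter names are the standard DNS performance object counters; the `Processor(_Total)` counter is added because the tuning notes later on tie lost responses to CPU load. The 99.99% and 99.9% thresholds are the article's own reliability bands.

```powershell
# Added example; not code from the original article. Samples the DNS Server
# performance counters for a fixed window and reports average QPS, responses/s
# and the share of received queries that were answered.
function Measure-DnsServerResponseRate {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DNS server to sample
        [int]$DurationSeconds = 30,                  # length of the sampling window
        [int]$SampleInterval = 1                     # seconds between samples
    )

    # Built-in DNS performance object counters plus overall CPU load.
    $paths = @(
        "\\$ComputerName\DNS\Total Query Received/sec",
        "\\$ComputerName\DNS\Total Response Sent/sec",
        "\\$ComputerName\DNS\UDP Query Received/sec",
        "\\$ComputerName\DNS\UDP Response Sent/sec",
        "\\$ComputerName\Processor(_Total)\% Processor Time"
    )
    $maxSamples = [math]::Max(1, [math]::Ceiling($DurationSeconds / $SampleInterval))
    $sets = Get-Counter -Counter $paths -SampleInterval $SampleInterval -MaxSamples $maxSamples

    # Collect every cooked value per counter, keyed by the trailing part of the
    # counter path (lower-cased, since Get-Counter normalises case in Path).
    $values = @{}
    foreach ($set in $sets) {
        foreach ($cs in $set.CounterSamples) {
            $name = $cs.Path.Substring($cs.Path.LastIndexOf('\') + 1).ToLowerInvariant()
            if (-not $values.ContainsKey($name)) {
                $values[$name] = New-Object System.Collections.ArrayList
            }
            [void]$values[$name].Add([double]$cs.CookedValue)
        }
    }

    function Get-Avg([string]$key) {
        if ($values.ContainsKey($key) -and $values[$key].Count -gt 0) {
            return ($values[$key] | Measure-Object -Average).Average
        }
        return 0.0
    }

    $qps  = Get-Avg 'total query received/sec'
    $rps  = Get-Avg 'total response sent/sec'
    $uqps = Get-Avg 'udp query received/sec'
    $urps = Get-Avg 'udp response sent/sec'
    $cpu  = Get-Avg '% processor time'

    # Percentage of received queries that got a response over the window.
    $pct = if ($qps -gt 0) { 100.0 * $rps / $qps } else { 0.0 }

    [pscustomobject]@{
        ComputerName        = $ComputerName
        WindowSeconds       = $DurationSeconds
        QueriesPerSec       = [math]::Round($qps, 1)
        ResponsesPerSec     = [math]::Round($rps, 1)
        UdpQueriesPerSec    = [math]::Round($uqps, 1)
        UdpResponsesPerSec  = [math]::Round($urps, 1)
        AvgCpuPercent       = [math]::Round($cpu, 1)
        ResponseRatePercent = [math]::Round($pct, 3)
        # Reliability bands from the article: 99.99% up to 120K QPS, 99.9% up to 150K QPS.
        Meets9999Target     = ($pct -ge 99.99)
        Meets999Target      = ($pct -ge 99.9)
    }
}

# Usage, on the DNS server while the client farms are sending load:
#   Measure-DnsServerResponseRate -DurationSeconds 60 | Format-List
```

The server-side figure is the one the results section quotes; comparing it with the aggregated client-farm counters exposes the small gap the article attributes to network loss and client capacity, and a rising `AvgCpuPercent` alongside a falling `ResponseRatePercent` is the symptom the firewall and UDP-thread tunings address.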
The authoritative Windows DNS server, under these tests, is able to respond successfully to 99.99% of the queries sent to it, up to a rate of 120K queries per second (QPS). Even up to 150K QPS, the DNS server responds with a reliability of 99.9%.
Beyond this rate, the DNS server continues to respond at higher query rates, but the percentage of queries that receive a response from the server drops.
The number of records and zones on the authoritative DNS server does not have a considerable impact on the QPS. More records do, however, increase the memory requirements of the DNS server: on average, an authoritative server with 2M records needs about 2 GB of memory.
The response counts measured at the client query farms are marginally lower than those measured at the authoritative server; the difference can be attributed to network losses and limited client capacity.
The graph below shows the relationship between the percentage of queries successfully answered by the DNS server and the QPS sent by the client farms.
The following server and network parameters were tuned to achieve the best performance. Note that these tunings are optimized for the server and network configuration described above; the values of these parameters vary with the deployment.
The following firewall rule was enabled explicitly. It restricts the conditions matched by the firewall rule to UDP as the protocol and to the local IP address and port. Without this rule, the firewall service can consume high CPU at higher QPS. The existing firewall rules already allow port 53 for DNS traffic; this rule does not disable any firewall feature.
New-NetFirewallRule -DisplayName <String> -Direction Inbound -Action Allow -Protocol UDP -LocalPort 53 -LocalOnlyMapping $true -Enabled True
The DNS service creates one UDP receive thread per logical core present in the system, e.g. on a 64-logical-core system the DNS service creates 64 UDP receive threads.
When the Windows DNS server is deployed on a machine with more than 12 cores (logical or physical), the UDP thread count should be set to 8. This gives the best QPS with the most efficient utilization of the CPU. The following registry key was set for this:
Bringing this setting into effect requires a restart of the DNS service.
The RSS settings were enabled with their default values.
The network adapter receive buffers were set to the maximum:
Set-NetAdapterAdvancedProperty -Name <NIC Name> -DisplayName "Receive Buffers" -DisplayValue "Maximum"
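The script below is an added example, not the article's own tuning script. It applies the four tunings listed above in one idempotent pass (firewall rule, receive buffers, RSS, UDP receive thread count) and returns the resulting state so a second run on an already-tuned server changes nothing. It assumes the NetSecurity, NetAdapter and DnsServer cmdlets of Windows Server 2012 R2. The firewall rule display name is a constructed value, and `$UdpThreadValueName` is an explicit placeholder because the article does not print the registry value name it used; the function refuses to write the registry until that placeholder is replaced.

```powershell
# Added example; not code from the original article. Applies the article's
# tunings idempotently and reports the resulting state.
function Set-AuthoritativeDnsTuning {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NicName,                         # e.g. "Ethernet"
        [string]$FirewallRuleName = 'DNS UDP 53 local-only mapping',    # constructed name
        [string]$UdpThreadValueName = '<UDP-receive-thread value name>', # PLACEHOLDER: not given in the article
        [int]$UdpThreadCount = 8,     # value the article recommends above the core threshold
        [int]$CoreThreshold = 12      # article: apply the thread cap on machines with > 12 cores
    )

    # 1. Firewall rule matching only UDP plus local IP/port (the article's rule).
    $rule = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        if ($PSCmdlet.ShouldProcess($FirewallRuleName, 'Create inbound UDP/53 local-only rule')) {
            New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound -Action Allow `
                -Protocol UDP -LocalPort 53 -LocalOnlyMapping $true -Enabled True | Out-Null
        }
    } elseif ($rule.Enabled -ne 'True') {
        Enable-NetFirewallRule -DisplayName $FirewallRuleName
    }

    # 2. Receive buffers to the adapter maximum (Set is idempotent; readback below).
    if ($PSCmdlet.ShouldProcess($NicName, 'Set Receive Buffers to Maximum')) {
        Set-NetAdapterAdvancedProperty -Name $NicName -DisplayName 'Receive Buffers' -DisplayValue 'Maximum'
    }

    # 3. RSS enabled with default values; queue and processor settings are left alone.
    $rss = Get-NetAdapterRss -Name $NicName -ErrorAction SilentlyContinue
    if ($rss -and -not $rss.Enabled -and $PSCmdlet.ShouldProcess($NicName, 'Enable RSS')) {
        Enable-NetAdapterRss -Name $NicName
    }

    # 4. UDP receive threads: default is one per logical core; cap at 8 above the threshold.
    $cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $needsRestart = $false
    if ($cores -gt $CoreThreshold) {
        if ($UdpThreadValueName.StartsWith('<')) {
            throw "Replace the placeholder UdpThreadValueName with the real DNS registry value name before running."
        }
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
        $current = (Get-ItemProperty -Path $key -Name $UdpThreadValueName -ErrorAction SilentlyContinue).$UdpThreadValueName
        if ($current -ne $UdpThreadCount -and $PSCmdlet.ShouldProcess("$key\$UdpThreadValueName", "Set to $UdpThreadCount")) {
            Set-ItemProperty -Path $key -Name $UdpThreadValueName -Value $UdpThreadCount -Type DWord
            $needsRestart = $true   # the article notes the setting needs a DNS service restart
        }
    }
    if ($needsRestart -and $PSCmdlet.ShouldProcess('DNS', 'Restart service')) {
        Restart-Service -Name DNS
    }

    # Readback of the final state for the change record.
    [pscustomobject]@{
        LogicalCores        = $cores
        FirewallRuleEnabled = (Get-NetFirewallRule -DisplayName $FirewallRuleName).Enabled
        ReceiveBuffers      = (Get-NetAdapterAdvancedProperty -Name $NicName -DisplayName 'Receive Buffers').DisplayValue
        RssEnabled          = (Get-NetAdapterRss -Name $NicName).Enabled
        UdpThreadCapApplied = ($cores -gt $CoreThreshold)
        DnsServiceStatus    = (Get-Service -Name DNS).Status
    }
}

# Usage (preview first, then apply):
#   Set-AuthoritativeDnsTuning -NicName 'Ethernet' -UdpThreadValueName '<value name>' -WhatIf
#   Set-AuthoritativeDnsTuning -NicName 'Ethernet' -UdpThreadValueName '<value name>'
```

Running with `-WhatIf` first shows which of the four steps would actually change anything on a given server, which matters because the article's values are tuned for its own hardware and the right thread count and buffer size vary with the deployment.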