TCP tuning, Linux kernel

Hi guys, first of all, thanks for letting me join this community :wink:

This is my server:
root@ 19:41:37 etc#cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

It's a virtual machine in Google Cloud Platform, but as it's on the always-free policy the CPU is 600 MHz and the RAM is 600 MB. I was deploying a server with several services (apache, php-fpm, dns…) and while I was following this guide: https://kb.isc.org/docs/bind-best-practices-authoritative this sentence caught my attention:
Ensure that system outbound network buffers are large enough to handle your rates of outbound query traffic. Some OS implementations (Linux particularly, some versions) by default assume low rates of outbound network traffic, but an authoritative server will often be responding with significantly larger packets than the queries it received, particularly for signed zones.

I guess that could also affect TXT records like SPF because of their size too?

I searched for the DNSSEC protocol type and it says that it is TCP because of packet sizes:
"DNSSEC can use both UDP and TCP 53 ports. But as DNSSEC packets are generally larger than 512 bytes and UDP can transmit a maximum of 512 bytes, the TCP protocol is used for DNSSEC. So DNSSEC uses TCP 53 port for communication"

That's how I arrived at this article: https://www.cyberciti.biz/faq/linux-tcp-tuning/. Here is where I doubt whether I should do it (anyway, I have a snapshot of the virtual machine, but I would like to ask you). Here is a warning in the article:
WARNING! The default value of rmem_max and wmem_max is about 128 KB in most Linux distributions, which may be enough for a low-latency general purpose network environment or for apps such as DNS / Web server. However, if the latency is large, the default size might be too small. Please note that the following settings are going to increase memory usage on your server.

echo 'net.core.wmem_max=12582912' >> /etc/sysctl.conf

echo 'net.core.rmem_max=12582912' >> /etc/sysctl.conf

You also need to set minimum size, initial size, and maximum size in bytes:

echo 'net.ipv4.tcp_rmem= 10240 87380 12582912' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_wmem= 10240 87380 12582912' >> /etc/sysctl.conf

Turn on window scaling which can be an option to enlarge the transfer window:

echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf

Enable timestamps as defined in RFC1323:

echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf

Enable selective acknowledgments:

echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf

If set, TCP will not cache metrics on closing connections.

echo 'net.ipv4.tcp_no_metrics_save = 1' >> /etc/sysctl.conf

Set the maximum number of packets queued on the INPUT side when the interface receives packets faster than the kernel can process them.

echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf

Now reload the changes:

sysctl -p

My question is: for DNSSEC, would I only need to raise the buffers:

echo 'net.core.wmem_max=12582912' >> /etc/sysctl.conf

echo 'net.core.rmem_max=12582912' >> /etc/sysctl.conf

You also need to set minimum size, initial size, and maximum size in bytes:

echo 'net.ipv4.tcp_rmem= 10240 87380 12582912' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_wmem= 10240 87380 12582912' >> /etc/sysctl.conf

My current minimum, initial and max are
root@ 20:34:54 etc#cat /proc/sys/net/ipv4/tcp_mem
12957 17279 25914
Can I change the previous values, instead of using an initial value of 80MB, to:

echo 'net.ipv4.tcp_rmem= 12957 17279 12582912' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_wmem= 12957 17279 12582912' >> /etc/sysctl.conf

I think my initial value would be more tuned to my server's RAM and would only reach up to 125MB in case of a DNSSEC query.

What happens with the IPv6 stack? Is there any way to tune it too, or are the sizes higher?

Thanks in advance

According to this information: https://www.google.com/search?rlz=1C1CHBF_esES890ES890&sxsrf=ALeKk01i1NGI_N5sxs9K_BezksK8BkaSbw%3A1586662318576&ei=rouSXsXbIq-BjLsPl-a5iAI&q=dnssec+packet+size&oq=dnssec+packet+size&gs_lcp=CgZwc3ktYWIQAzIFCAAQywEyBggAEBYQHjoGCCMQJxATOgIIAEoRCBcSDTgtNzJnNzNnNzdnNzBKDQgYEgk4LTFnMWc1ZzZQ3ZAFWPecBWDAngVoAHAAeACAAUiIAegGkgECMTOYAQCgAQGqAQdnd3Mtd2l6&sclient=psy-ab&ved=0ahUKEwjF6oHf-eHoAhWvAGMBHRdzDiEQ4dUDCAw&uact=5

With DNSSEC, many DNS packets will exceed 512 bytes and may approach 4096 bytes
My values are in the range of DNSSEC packet sizes:
root@ 05:38:24 pablo_valcarcel1980#cat /proc/sys/net/ipv4/tcp_mem
12957 17279 25914
root@ 05:37:57 pablo_valcarcel1980#cat /proc/sys/net/core/rmem_max
212992
root@ 05:38:12 pablo_valcarcel1980#cat /proc/sys/net/core/wmem_max
212992
root@ 03:17:42 named#cat /proc/sys/net/core/optmem_max
20480

So those values are higher than the 4096 bytes of DNSSEC packets; no need to change them.

I will disable timestamps because of the information-gathering vulnerability:

The downside of TCP timestamps is that adversaries can remotely calculate the system uptime and boot time of the machine and the host's clock down to millisecond precision. … To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating systems in use

Then I would change this part in your article:
echo 'net.ipv4.tcp_timestamps = 0' >> /etc/sysctl.conf

Thanks for your help
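The settings discussed in this thread are appended to /etc/sysctl.conf with echo and then loaded with sysctl -p, so a stray character (the curly quotes that a web page substitutes for the shell's plain ') or a misspelled key is only noticed when sysctl -p rejects the line, or not at all if nobody reads its output. The POSIX sh script below is an added example, not code from the thread or from the cyberciti article; it validates such a fragment offline before it is applied: it rejects non-ASCII characters, checks that the three-value tcp_rmem/tcp_wmem/tcp_mem vectors are ascending integers, flags unknown keys, and labels the units, since tcp_rmem and tcp_wmem are per-socket sizes in bytes while tcp_mem (the file the thread reads with cat /proc/sys/net/ipv4/tcp_mem) is the system-wide TCP memory budget counted in pages. SAMPLE_CONF is a constructed fragment built from the values in the thread, with one curly-quoted line and one misspelled key included to show the checks firing; the list of accepted keys is deliberately limited to the ones that appear on this page.

```shell
#!/bin/sh
# Added example (not from the thread or the cyberciti article): validate a
# sysctl.conf fragment of TCP buffer settings before appending it to
# /etc/sysctl.conf and running "sysctl -p".

# Constructed sample fragment: the values proposed in the thread, plus one
# line with curly quotes and one misspelled key to show the checks firing.
SAMPLE_CONF='net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912
net.ipv4.tcp_mem = 12957 17279 25914
net.ipv4.tcp_timestamps = 0
‘net.ipv4.tcp_sack = 1’
net.ipv4.tcp_tcp_timestamps = 0'

# is_uint VALUE: true when VALUE is a non-empty string of digits
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# check_vector MIN DEFAULT MAX: true when all three are integers and
# min <= default <= max
check_vector() {
    is_uint "$1" && is_uint "$2" && is_uint "$3" || return 1
    [ "$1" -le "$2" ] && [ "$2" -le "$3" ]
}

# validate_line LINE: prints "ok ..." or "BAD ..."; returns 1 on BAD
validate_line() {
    line=$1
    # Anything outside the plain ASCII set sysctl.conf uses (for instance the
    # ‘ ’ quotes a web page substitutes for ') is copied into the file
    # verbatim by echo and makes sysctl -p reject the line.
    stray=$(printf '%s' "$line" | tr -d 'A-Za-z0-9_.= ')
    if [ -n "$stray" ]; then
        echo "BAD $line: stray characters \"$stray\" (use plain ASCII quotes)"
        return 1
    fi
    key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' ')
    val=$(printf '%s' "$line" | cut -d= -f2- | sed 's/^ *//; s/ *$//')
    case "$key" in
        net.ipv4.tcp_rmem|net.ipv4.tcp_wmem|net.ipv4.tcp_mem)
            set -- $val            # split the three-value vector
            if [ $# -ne 3 ]; then
                echo "BAD $key: expects three values (min default max)"; return 1
            fi
            if ! check_vector "$1" "$2" "$3"; then
                echo "BAD $key: values must be ascending integers"; return 1
            fi
            # tcp_rmem/tcp_wmem are per-socket sizes in bytes; tcp_mem is the
            # system-wide TCP memory budget counted in pages, so the two
            # vectors are not interchangeable.
            if [ "$key" = net.ipv4.tcp_mem ]; then
                echo "ok $key (units: pages)"
            else
                echo "ok $key (units: bytes)"
            fi ;;
        net.core.rmem_max|net.core.wmem_max|net.core.optmem_max|net.core.netdev_max_backlog)
            is_uint "$val" || { echo "BAD $key: expects a single integer"; return 1; }
            echo "ok $key" ;;
        net.ipv4.tcp_timestamps|net.ipv4.tcp_sack|net.ipv4.tcp_window_scaling|net.ipv4.tcp_no_metrics_save)
            case "$val" in
                0|1) echo "ok $key" ;;
                *)   echo "BAD $key: expects 0 or 1"; return 1 ;;
            esac ;;
        *)
            echo "BAD $key: unknown sysctl key (typo?)"; return 1 ;;
    esac
}

# validate_conf FRAGMENT: validate every non-blank, non-comment line
validate_conf() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        validate_line "$line" || true
    done
}

# count_bad FRAGMENT: number of rejected lines
count_bad() {
    validate_conf "$1" | grep -c '^BAD' || true
}

# Stand-alone run: report on the constructed sample
validate_conf "$SAMPLE_CONF"
echo "rejected lines: $(count_bad "$SAMPLE_CONF")"
```

Run it with sh before appending a fragment; only when it reports zero rejected lines is the fragment worth loading with sysctl -p, after which sysctl net.ipv4.tcp_rmem shows what the kernel actually took. On the sample it reports two rejected lines: the curly-quoted one and the misspelled net.ipv4.tcp_tcp_timestamps key.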

