nanog mailing list archives
Re: DNS - connection limit (without any extra hardware)
From: Simon Waters <simonw () zynet net>
Date: Mon, 11 Dec 2006 17:29:21 +0000
On Monday 11 December 2006 16:15, you wrote:
>> I used to slave "." which can save time on recursive DNS servers when they
>> have a lot of dross to answer (assuming it is totally random dross).
>
> I'm not sure I understand your solution. You configure your name-server as a slave-root-server?
Yes. Most of the root server traffic is answering queries with "NXDOMAIN" for non-existent top level domains. If you slave root on your recursive servers, your recursive servers can answer those queries directly (from the 120KB root zone file), rather than relying on negative caching, and a round trip to the root servers, for every new non-existent domain.

The drawback is you provide the answer with the authority bit set, which isn't what the world's DNS clients should expect, but DNS clients don't care about that one bit (sorry). If the root zone file changed quickly it might also cause other problems!

Paul V was very cautious about it as a method of running a DNS server, but if the recursive servers are being barraged with queries for (different) non-existent top level domains I think it is probably preferable to the servers being flattened (and/or passing that load onto the root name servers). If the queries are for existing, or the same, domains each time, it won't provide significant improvement.

I suppose any server issuing more than 2000 or so queries a day to the root servers would potentially save bandwidth, and provide a more responsive experience for the end user. But one also has to handle the case of the root zone potentially expiring, not something I ever allowed to happen, but then I'm not the average DNS administrator.

I've used this technique extensively myself in the past with no issues, but I'm not using it operationally at the moment. Since the load average on our DNS server is 0.00 to two decimal places I doubt it would make a lot of difference, and we host websites, and email, not randomly misconfigured, home, or business user PCs. So mostly we do lookups in in-addr.arpa, a depressingly large proportion of which fail, or look-ups for a small set of servers we forward email to (most of which exist, or I delete the forward).
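The decision the message describes, as an added model that is not code from this thread or from any DNS server implementation: a recursive server holding a slaved copy of the root zone can answer a query for a non-existent TLD with NXDOMAIN from the local file, hand back the normal delegation for a TLD that does exist, and must stop trusting the local copy once the SOA expire interval has passed since the last successful transfer (the expiry case the message warns about). The root-zone fragment, SOA values and query list below are constructed for the example; the function names are hypothetical.

```python
"""Model of a resolver that has slaved the root zone (constructed example).

Shows which queries are answered locally (NXDOMAIN for unknown TLDs),
which still follow the normal delegation, and what happens once the
slaved zone has expired and must no longer be served.
"""

# Constructed, abbreviated root-zone fragment in master-file format
# (the real zone is ~120KB; serial/timers here are illustrative only).
ROOT_ZONE = """\
.      86400  IN SOA a.root-servers.net. hostmaster.example. 2006121100 1800 900 604800 86400
.      518400 IN NS  a.root-servers.net.
com.   172800 IN NS  a.gtld-servers.net.
net.   172800 IN NS  a.gtld-servers.net.
arpa.  172800 IN NS  a.root-servers.net.
uk.    172800 IN NS  ns1.nic.uk.
"""


def parse_root_zone(text):
    """Return ({tld: [ns, ...]}, soa_timers) from a one-record-per-line zone."""
    tlds, soa = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner = owner.lower()
        if rtype == "SOA":
            f = rdata.split()
            soa = {"serial": int(f[2]), "refresh": int(f[3]),
                   "retry": int(f[4]), "expire": int(f[5])}
        elif rtype == "NS" and owner != ".":
            tlds.setdefault(owner.rstrip("."), []).append(rdata.strip())
    return tlds, soa


def tld_of(qname):
    """Rightmost label of a query name ('' for the root itself)."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    return labels[-1] if labels else ""


def zone_is_usable(soa, last_transfer, now):
    """A slave must stop serving a zone once 'expire' seconds have passed
    since the last successful transfer from the master."""
    return now - last_transfer < soa["expire"]


def answer_locally(qname, tlds, soa, last_transfer, now):
    """Decide how the recursive server handles a query at the root level.

    Returns one of:
      ("UPSTREAM", None)   slaved zone expired, ask the root servers as usual
      ("REFERRAL", [ns])   TLD exists, continue the normal recursion
      ("NXDOMAIN", None)   TLD absent from the root zone, answered locally
                           (note: the reply carries the AA bit, as the
                           message points out)
    """
    if not zone_is_usable(soa, last_transfer, now):
        return ("UPSTREAM", None)
    tld = tld_of(qname)
    if tld == "":
        return ("REFERRAL", tlds.get("", []))
    if tld in tlds:
        return ("REFERRAL", tlds[tld])
    return ("NXDOMAIN", None)


def tally(queries, tlds, soa, last_transfer, now):
    """Count how a batch of query names would be handled; the NXDOMAIN
    count is the number of root-server round trips the slaved zone avoids."""
    counts = {"UPSTREAM": 0, "REFERRAL": 0, "NXDOMAIN": 0}
    for q in queries:
        counts[answer_locally(q, tlds, soa, last_transfer, now)[0]] += 1
    return counts


if __name__ == "__main__":
    tlds, soa = parse_root_zone(ROOT_ZONE)
    # Constructed sample of the "dross" a busy recursive server sees.
    sample = ["www.example.com.", "printer.local.", "wpad.corp.",
              "1.0.0.10.in-addr.arpa.", "mail.example.net.", "nas.home."]
    print(tally(sample, tlds, soa, last_transfer=0, now=3600))
```

Running the script tallies a constructed batch of queries: the `.local`, `.corp` and `.home` names never leave the server, while the `.com`, `.net` and `.arpa` names take the usual delegation path. Calling `tally` with `now` past the SOA expire interval flips every query to `UPSTREAM`, which is the behaviour an operator has to plan for rather than let the zone silently go stale.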