
Re: nscd: Was Re: long delays with LDAP nss/pam



On Fri, 29 Oct 2004 09:56, "Donovan Baarda" <abo@minkirri.apana.org.au> wrote:
> I actually run pdnsd. I find it leaner and simpler than named. However, is
> "run named on all hosts" really better than "run nscd on all hosts"?

That's debatable.  Some people will say that DNS servers are too much of a 
security risk.  However another issue is that nscd uses different cache 
algorithms to DNS servers and is likely to either give worse performance or 
less accurate results than using a DNS server.

> I have the gut feeling nscd is a lighter simpler and faster solution than
> named, but I could be wrong.

Probably.  But on a modern machine named takes so little resources that it 
doesn't matter (IMHO).  Having named on localhost gives better performance 
than talking to another server while guaranteeing the same results (the other 
server is almost certainly running named).

> > > apps like squid that explicitly have it). If you ping, every single
> > > ping packet triggers an nslookup.
> >
> > Which ping program have you seen doing this?  The ping program in
>
> iputils-ping
>
> I am using the ping from iputils-ping in sarge. It definitely does ns
> lookups for every packet... using iptraf to monitor traffic, I see the
> following repeated for every ping packet.

Try pinging smtp.sws.net.au (my mail server) and www.coker.com.au (my web 
server).  Note that the repeated reverse lookups only occur on 
www.coker.com.au, it seems that the repeated lookups only occur if forward 
and reverse DNS don't match (but I haven't checked the source code to verify 
this).

You are correct that it does repeated DNS lookups in some situations.  The 
first test case that I chose happened to be one that it does not do such 
lookups for.

> This is when I first noticed this behaviour... ping was taking ~10secs
> between each ping packet... it turns out waiting for nslookups to time out
> before trying the second nameserver between each ping.

I think that ping is buggy in this regard.  I think that it should just keep 
using the first DNS result that it gets, if the user wants ping to re-do the 
DNS lookups then they will press ^C and re-start it!  Would you like to file 
the bug report or shall I?

> > > Is there any reason why nscd should not be installed on a system?
> >
> > It wastes RAM on small machines.  Caches get stale some times.  It's one
> > more thing that can go wrong or have a security issue.  Most people don't
> > need it.
>
> but does running named instead really avoid all these issues, or make them
> worse?

If there was a choice between running only nscd or only named then nscd might 
be a reasonable option.  But given that every serious network will need a 
caching DNS proxy (for which task it's unfortunate that there is nothing 
better than BIND) it doesn't seem to be a problem to me that you run it on 
several machines instead of just one.

If you have only a single machine connected to an ISP then maybe nscd will be 
the best choice.  However that scenario is becoming increasingly rare.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
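An added illustration of the two strategies discussed above (not code from the thread, from iputils, or from either poster): a constructed in-memory resolver with a query counter stands in for DNS, so it runs offline. `label_per_packet` models the behaviour the thread describes, re-resolving on every packet when the reverse name is not forward-confirmed (this is an assumption about ping's behaviour, taken from the observation in the mail, not from the iputils source); `label_cached` keeps the first answer, as the reply suggests ping should. The hostnames and addresses are constructed placeholders.

```python
"""Compare per-packet reverse lookups with keeping the first DNS answer.

Constructed example: FakeResolver replaces real DNS and counts every
query, which is roughly what watching the wire with iptraf would show.
"""
from dataclasses import dataclass


@dataclass
class FakeResolver:
    """Constructed stand-in for DNS: forward (A) and reverse (PTR) tables."""
    forward: dict      # hostname -> address
    reverse: dict      # address -> hostname
    lookups: int = 0   # every query, forward or reverse, increments this

    def ptr(self, ip):
        self.lookups += 1
        return self.reverse.get(ip)

    def a(self, name):
        self.lookups += 1
        return self.forward.get(name)


def forward_confirmed(resolver, ip):
    """Reverse-resolve ip, then check that the name resolves back to ip.

    Returns (confirmed, name).  A PTR record is set by whoever controls the
    address block, so a name from a PTR alone is not trustworthy; the
    forward check is the usual way to validate it.
    """
    name = resolver.ptr(ip)
    if name is None:
        return False, None
    return resolver.a(name) == ip, name


def label_per_packet(resolver, ip, packets):
    """Assumed model of the behaviour described in the thread: a confirmed
    answer is reused, an unconfirmed one is re-resolved for every packet."""
    confirmed, name = forward_confirmed(resolver, ip)
    labels = [name]
    for _ in range(packets - 1):
        if not confirmed:
            _, name = forward_confirmed(resolver, ip)
        labels.append(name)
    return labels


def label_cached(resolver, ip, packets):
    """Resolve once and keep the first result for the whole run."""
    _, name = forward_confirmed(resolver, ip)
    return [name] * packets


def count_lookups(strategy, forward, reverse, ip, packets):
    """Run one labelling strategy and return (labels, number of DNS queries)."""
    resolver = FakeResolver(forward=forward, reverse=reverse)
    labels = strategy(resolver, ip, packets)
    return labels, resolver.lookups


# Constructed data: one host whose PTR and A records agree, one where the
# PTR points at a name that does not resolve back (a mismatch).
MATCHING_FORWARD = {"mail.example.test": "192.0.2.10"}
MATCHING_REVERSE = {"192.0.2.10": "mail.example.test"}
MISMATCH_FORWARD = {"web.example.test": "192.0.2.20"}
MISMATCH_REVERSE = {"192.0.2.20": "host-20.example.test"}

if __name__ == "__main__":
    for tag, fwd, rev, ip in (
        ("matching", MATCHING_FORWARD, MATCHING_REVERSE, "192.0.2.10"),
        ("mismatch", MISMATCH_FORWARD, MISMATCH_REVERSE, "192.0.2.20"),
    ):
        for strategy in (label_per_packet, label_cached):
            _, n = count_lookups(strategy, fwd, rev, ip, 5)
            print(f"{tag:8s} {strategy.__name__:17s} queries for 5 packets: {n}")
```

With records that agree both strategies issue two queries (PTR, then A) and stop; with a mismatch the per-packet model issues two queries for every packet, which is exactly where a slow or unreachable first nameserver turns into a multi-second stall between pings, while the cached strategy still pays for only the first pair.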


