Re: nscd: Was Re: long delays with LDAP nss/pam
On Fri, 29 Oct 2004 09:56, "Donovan Baarda" <abo@minkirri.apana.org.au> wrote:
> I actually run pdnsd. I find it leaner and simpler than named. However, is
> "run named on all hosts" really better than "run nscd on all hosts"?
That's debatable. Some people will say that DNS servers are too much of a
security risk. However, another issue is that nscd uses different cache
algorithms from DNS servers and is likely to either give worse performance or
less accurate results than using a DNS server.
> I have the gut feeling nscd is a lighter simpler and faster solution than
> named, but I could be wrong.
Probably. But on a modern machine named takes so little resources that it
doesn't matter (IMHO). Having named on localhost gives better performance
than talking to another server while guaranteeing the same results (the other
server is almost certainly running named).
> > > apps like squid that explicitly have it). If you ping, every single
> > > ping packet triggers an nslookup.
> >
> > Which ping program have you seen doing this? The ping program in
>
> iputils-ping
>
> I am using the ping from iputils-ping in sarge. It definitely does ns
> lookups for every packet... using iptraf to monitor traffic, I see the
> following repeated for every ping packet.
Try pinging smtp.sws.net.au (my mail server) and www.coker.com.au (my web
server). Note that the repeated reverse lookups only occur on
www.coker.com.au, it seems that the repeated lookups only occur if forward
and reverse DNS don't match (but I haven't checked the source code to verify
this).
You are correct that it does repeated DNS lookups in some situations. The
first test case that I chose happened to be one that it does not do such
lookups for.
> This is when I first noticed this behaviour... ping was taking ~10secs
> between each ping packet... it turns out it was waiting for nslookups to time
> out before trying the second nameserver between each ping.
I think that ping is buggy in this regard. I think that it should just keep
using the first DNS result that it gets, if the user wants ping to re-do the
DNS lookups then they will press ^C and re-start it! Would you like to file
the bug report or shall I?
> > > Is there any reason why nscd should not be installed on a system?
> >
> > It wastes RAM on small machines. Caches get stale some times. It's one
> > more thing that can go wrong or have a security issue. Most people don't
> > need it.
>
> but does running named instead really avoid all these issues, or make them
> worse?
If there was a choice between running only nscd or only named then nscd might
be a reasonable option. But given that every serious network will need a
caching DNS proxy (for which task it's unfortunate that there is nothing
better than BIND) it doesn't seem to be a problem to me that you run it on
several machines instead of just one.
If you have only a single machine connected to an ISP then maybe nscd will be
the best choice. However that scenario is becoming increasingly rare.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
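The hypothesis above (repeated reverse lookups only when forward and reverse DNS disagree) can be checked per host before reaching for nscd or a local named. The following is an added example, not code from the thread: a small forward-confirmed reverse DNS checker whose lookups are injectable, so the constructed sample table at the bottom runs with no network. The names and addresses in the sample are made up; real hosts come from the command line.

```python
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Hypothetical helper (not from the thread). For each address a name resolves
# to, fetch its PTR record and resolve that name forward again; the pair is
# "consistent" only when the round trip lands back on the starting address.
ForwardFn = Callable[[str], List[str]]   # name -> IPv4 addresses (raises on failure)
ReverseFn = Callable[[str], str]         # address -> PTR name (raises on failure)

def default_forward(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]

def default_reverse(addr: str) -> str:
    return socket.gethostbyaddr(addr)[0]

def check_fcrdns(name: str, forward: ForwardFn = default_forward,
                 reverse: ReverseFn = default_reverse) -> Dict[str, Tuple[str, bool]]:
    """Return {address: (ptr_name_or_error, consistent)} for every address of name."""
    result: Dict[str, Tuple[str, bool]] = {}
    for addr in forward(name):
        try:
            ptr = reverse(addr)
        except OSError as e:            # socket.herror is an OSError subclass
            result[addr] = (f"<no PTR: {e}>", False)
            continue
        try:
            back = forward(ptr)
        except OSError:                 # PTR names a host that does not resolve
            back = []
        result[addr] = (ptr, addr in back)
    return result

def mismatched_addresses(name: str, forward: ForwardFn = default_forward,
                         reverse: ReverseFn = default_reverse) -> List[str]:
    """Addresses of name whose reverse mapping does not confirm the forward one."""
    return sorted(a for a, (_, ok) in check_fcrdns(name, forward, reverse).items() if not ok)

# Constructed sample data (RFC 5737 test addresses, invented names) for offline use.
SAMPLE_FWD = {"mail.example": ["192.0.2.20"], "web.example": ["192.0.2.10"],
              "host-10.example": ["192.0.2.99"], "noptr.example": ["192.0.2.30"]}
SAMPLE_REV = {"192.0.2.20": "mail.example", "192.0.2.10": "host-10.example"}

def sample_forward(name: str) -> List[str]:
    if name not in SAMPLE_FWD:
        raise OSError("no such name")
    return SAMPLE_FWD[name]

def sample_reverse(addr: str) -> str:
    if addr not in SAMPLE_REV:
        raise OSError("no PTR")
    return SAMPLE_REV[addr]

if __name__ == "__main__":
    for host in sys.argv[1:] or ["mail.example", "web.example", "noptr.example"]:
        fwd, rev = (default_forward, default_reverse) if sys.argv[1:] else (sample_forward, sample_reverse)
        for addr, (ptr, ok) in check_fcrdns(host, fwd, rev).items():
            print(f"{host} {addr} -> {ptr}: {'consistent' if ok else 'MISMATCH'}")
```

Run it with a hostname argument to query real DNS; with no arguments it walks the constructed sample, where only mail.example passes.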