Re: nscd: Was Re: long delays with LDAP nss/pam
G'day,
From: "Russell Coker" <russell@coker.com.au>
> On Wed, 27 Oct 2004 18:07, Donovan Baarda <abo@minkirri.apana.org.au>
wrote:
> > Sorry to subvert a thread like this, but has anyone else decided that
> > nscd is pretty much essential for all systems, regardless of nss, or
> > local nameservers?
>
> No.
>
> > It seems without it there is _no_ dns caching of any kind (except for
>
> Run named on localhost.
I actually run pdnsd. I find it leaner and simpler than named. However, is
"run named on all hosts" really better than "run nscd on all hosts"?
I have the gut feeling nscd is a lighter simpler and faster solution than
named, but I could be wrong.
> > apps like squid that explicitly have it). If you ping, every single ping
> > packet triggers an nslookup.
>
> Which ping program have you seen doing this? The ping program in
iputils-ping
I am using the ping from iputils-ping in sarge. It definitely does ns
lookups for every packet... using iptraf to monitor traffic, I see the
following repeated for every ping packet.
ICMP echo req (84 bytes) from 192.168.2.33 to 203.12.237.50 on eth1
ICMP echo rply (84 bytes) from 203.12.237.50 to 192.168.2.33 on eth1
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
ICMP echo req (84 bytes) from 192.168.2.33 to 203.12.237.50 on eth1
ICMP echo rply (84 bytes) from 203.12.237.50 to 192.168.2.33 on eth1
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
Note you only see this when you ping hosts not found in your /etc/hosts file
(obviously).
If you don't have a local name server, this triggers remote nslookups. Even
worse, if you have multiple remote nameservers in your resolve.conf, and the
first is down, It waits for the first nslookup to time-out before trying the
second... for _every_ lookup.
This is when I first noticed this behaviour... ping was taking ~10secs
between each ping packet... it turns out waiting for nslookups to time out
before trying the second nameserver between each ping.
> only does a DNS lookup before sending the first packet and I expect that
all
> other ping programs do the same. Run tcpdump while running ping and check
> what your ping program does.
see above...
> > Even if you have a local caching name
> > server, the UDP traffic on the loopback interface hurts.
>
> How does UDP traffic on the loopback hurt more than Unix domain socket
access?
Unix domain socket access doesn't show up in iptraf? :-)
I would have though that since nscd hooks in at the libc level, it would be
more efficient... again unfounded speculation on my part...
> > Is there any reason why nscd should not be installed on a system?
>
> It wastes RAM on small machines. Caches get stale some times. It's one
more
> thing that can go wrong or have a security issue. Most people don't need
it.
but does running named instead really avoid all these issues, or make them
worse?
----------------------------------------------------------------
Donovan Baarda http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------
Reply to: