
Re: high performance caching bind server



On Mon, Mar 12, 2007 at 07:21:34PM -0600, Michael Loftis wrote:
>
>
>--On March 12, 2007 7:16:10 PM -0400 George Georgalis <george@galis.org> 
>wrote:
>
>>you're not recommending dnscache, you are recommending against it.
>>
>>but really you are spreading FUD.
>>
>>a) what various ways are you referring to?
>
>I don't have a boatload of specifics but one that bugs me is incomplete TCP 
>support.  You can only do an SOA/AXFR sequence over TCP.

dnscache supports TCP queries,

COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
tinydns   100  dns    3u  IPv4 0xc14b0000      0t0  UDP wsip-70-183-8-250.ri.ri.cox.net:domain
dnscache 3383  dns    3u  IPv4 0xc14b00d8      0t0  UDP localhost:domain
dnscache 3383  dns    4u  IPv4 0xc14bd168      0t0  TCP localhost:domain (LISTEN)

and AXFR, but it's not recommended, in favor of a different
security model, which boils down to:

scp data remote:data.tmp
ssh remote "mv data.tmp data"

to load new authoritative records, but AXFR is not caching.

>>b) I'm not sure what the distribution is, but it sure looks round-robin...
>
>I'm not familiar with the dnsip program, but it is from djbdns, and appears 
>to be doing its round robin-ing internally, or... randomizing the output 
>more likely.  Specifically version 1.05 of dnscache definitely does not 
>round robin, if you query multiple times in succession with dig, or host, 
>you will get the same answer every time.  Perhaps that was finally 
>corrected.  If you ask a BIND or basically anything else (not sure of 
>others specifically) you get round robin results.  While I tend to somewhat 
>agree that the clients should randomize or round-robin internally, the fact 
>is most don't.

Well, I think it's normal for clients to randomly choose when they
get multiple A records. But indeed, it looks like dnscache itself
doesn't do any randomization! It _only_ caches the original
result.

For example, I lowered the TTL to 6 seconds and the first two
queries below (within 3 seconds) get the exact same results. The others
(within 7 seconds) are randomized by tinydns (authoritative), NOT
dnscache.

# DNSCACHEIP=70.183.8.249 dnsqr a testdnscache.galis.org; sleep 3 ;for n in 1 2 3 ; do DNSCACHEIP=70.183.8.249 dnsqr a testdnscache.galis.org ; sleep 7 ; done
1 testdnscache.galis.org:
168 bytes, 1+8+0+0 records, response, noerror
query: 1 testdnscache.galis.org
answer: testdnscache.galis.org 6 A 1.0.0.17
answer: testdnscache.galis.org 6 A 1.0.0.7
answer: testdnscache.galis.org 6 A 1.0.0.8
answer: testdnscache.galis.org 6 A 1.0.0.4
answer: testdnscache.galis.org 6 A 1.0.0.15
answer: testdnscache.galis.org 6 A 1.0.0.19
answer: testdnscache.galis.org 6 A 1.0.0.20
answer: testdnscache.galis.org 6 A 1.0.0.6
1 testdnscache.galis.org:
168 bytes, 1+8+0+0 records, response, noerror
query: 1 testdnscache.galis.org
answer: testdnscache.galis.org 3 A 1.0.0.17
answer: testdnscache.galis.org 3 A 1.0.0.7
answer: testdnscache.galis.org 3 A 1.0.0.8
answer: testdnscache.galis.org 3 A 1.0.0.4
answer: testdnscache.galis.org 3 A 1.0.0.15
answer: testdnscache.galis.org 3 A 1.0.0.19
answer: testdnscache.galis.org 3 A 1.0.0.20
answer: testdnscache.galis.org 3 A 1.0.0.6
1 testdnscache.galis.org:
168 bytes, 1+8+0+0 records, response, noerror
query: 1 testdnscache.galis.org
answer: testdnscache.galis.org 6 A 1.0.0.19
answer: testdnscache.galis.org 6 A 1.0.0.12
answer: testdnscache.galis.org 6 A 1.0.0.9
answer: testdnscache.galis.org 6 A 1.0.0.10
answer: testdnscache.galis.org 6 A 1.0.0.18
answer: testdnscache.galis.org 6 A 1.0.0.15
answer: testdnscache.galis.org 6 A 1.0.0.13
answer: testdnscache.galis.org 6 A 1.0.0.7
1 testdnscache.galis.org:
168 bytes, 1+8+0+0 records, response, noerror
query: 1 testdnscache.galis.org
answer: testdnscache.galis.org 6 A 1.0.0.14
answer: testdnscache.galis.org 6 A 1.0.0.6
answer: testdnscache.galis.org 6 A 1.0.0.7
answer: testdnscache.galis.org 6 A 1.0.0.2
answer: testdnscache.galis.org 6 A 1.0.0.9
answer: testdnscache.galis.org 6 A 1.0.0.19
answer: testdnscache.galis.org 6 A 1.0.0.16
answer: testdnscache.galis.org 6 A 1.0.0.1

but the authority, tinydns, will randomize all day
long, with no delay:

 for n in 1 2 3 ; do dnsq a testdnscache.galis.org 70.183.8.250; done
1 testdnscache.galis.org:
267 bytes, 1+8+3+3 records, response, authoritative, noerror
query: 1 testdnscache.galis.org
answer: testdnscache.galis.org 6 A 1.0.0.10
answer: testdnscache.galis.org 6 A 1.0.0.5
answer: testdnscache.galis.org 6 A 1.0.0.15
answer: testdnscache.galis.org 6 A 1.0.0.7
answer: testdnscache.galis.org 6 A 1.0.0.16
answer: testdnscache.galis.org 6 A 1.0.0.4
answer: testdnscache.galis.org 6 A 1.0.0.8
answer: testdnscache.galis.org 6 A 1.0.0.1
authority: galis.org 194400 NS a.ns.galis.org
authority: galis.org 194400 NS b.ns.galis.org
authority: galis.org 194400 NS c.ns.galis.org
additional: a.ns.galis.org 194400 A 70.183.8.250
additional: b.ns.galis.org 194400 A 70.183.8.248
additional: c.ns.galis.org 194400 A 89.186.67.105
1 testdnscache.galis.org:
267 bytes, 1+8+3+3 records, response, authoritative, noerror
query: 1 testdnscache.galis.org
answer: testdnscache.galis.org 6 A 1.0.0.4
answer: testdnscache.galis.org 6 A 1.0.0.20
answer: testdnscache.galis.org 6 A 1.0.0.9
answer: testdnscache.galis.org 6 A 1.0.0.6
answer: testdnscache.galis.org 6 A 1.0.0.3
answer: testdnscache.galis.org 6 A 1.0.0.19
answer: testdnscache.galis.org 6 A 1.0.0.16
answer: testdnscache.galis.org 6 A 1.0.0.18
authority: galis.org 194400 NS a.ns.galis.org
authority: galis.org 194400 NS b.ns.galis.org
authority: galis.org 194400 NS c.ns.galis.org
additional: a.ns.galis.org 194400 A 70.183.8.250
additional: b.ns.galis.org 194400 A 70.183.8.248
additional: c.ns.galis.org 194400 A 89.186.67.105
1 testdnscache.galis.org:
267 bytes, 1+8+3+3 records, response, authoritative, noerror
query: 1 testdnscache.galis.org
answer: testdnscache.galis.org 6 A 1.0.0.8
answer: testdnscache.galis.org 6 A 1.0.0.5
answer: testdnscache.galis.org 6 A 1.0.0.1
answer: testdnscache.galis.org 6 A 1.0.0.9
answer: testdnscache.galis.org 6 A 1.0.0.15
answer: testdnscache.galis.org 6 A 1.0.0.2
answer: testdnscache.galis.org 6 A 1.0.0.11
answer: testdnscache.galis.org 6 A 1.0.0.12
authority: galis.org 194400 NS a.ns.galis.org
authority: galis.org 194400 NS b.ns.galis.org
authority: galis.org 194400 NS c.ns.galis.org
additional: a.ns.galis.org 194400 A 70.183.8.250
additional: b.ns.galis.org 194400 A 70.183.8.248
additional: c.ns.galis.org 194400 A 89.186.67.105


so I guess dnscache does not randomize. But it makes me wonder 3
things

* do _any_ clients hit one (exactly the same) ip when given multiple A records?

* does an RFC specify that the domain cache randomize authoritative answers?

* under what circumstances is this actually a problem, even with a 3 day ttl?

Most important is the third, but all problem scenarios I can
imagine are very special cases which could be addressed.

I say all this because I learned bind before djbdns, the latter
being about 6 years ago, and since I switched dns has been a snap.

Cheers,
// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
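The observation above (dnscache hands back its stored copy in the original order with a counting-down TTL, while tinydns reorders on every query) can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from djbdns: it parses dnsq/dnsqr-style output of the shape shown above, groups it into responses, and classifies each pair of consecutive responses as same order (what a plain cache serves), same set reordered, or a different address set (as when an authority picks a fresh subset). A same-order response whose TTL dropped is counted as a cache hit. The sample transcript is constructed in the tool's format with documentation addresses; the record names, address values and `choose_address` helper are assumptions for the example.

```python
"""Classify successive A-record answers: cached copy, reordered set, or new set.

Added example for this thread. The sample below is constructed in the
format dnsq/dnsqr print (type number, name, TTL, type, address), not copied
from the post.
"""
import random
import re

ANSWER_RE = re.compile(r"^answer:\s+(\S+)\s+(\d+)\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")
QUERY_RE = re.compile(r"^query:\s+\d+\s+(\S+)\s*$")

# Constructed transcript: two answers within the TTL (same order, TTL 6 -> 3),
# then two answers after expiry with a changed set and a reordered set.
SAMPLE = """\
1 testdnscache.example:
100 bytes, 1+3+0+0 records, response, noerror
query: 1 testdnscache.example
answer: testdnscache.example 6 A 192.0.2.17
answer: testdnscache.example 6 A 192.0.2.7
answer: testdnscache.example 6 A 192.0.2.8
1 testdnscache.example:
100 bytes, 1+3+0+0 records, response, noerror
query: 1 testdnscache.example
answer: testdnscache.example 3 A 192.0.2.17
answer: testdnscache.example 3 A 192.0.2.7
answer: testdnscache.example 3 A 192.0.2.8
1 testdnscache.example:
100 bytes, 1+3+0+0 records, response, noerror
query: 1 testdnscache.example
answer: testdnscache.example 6 A 192.0.2.19
answer: testdnscache.example 6 A 192.0.2.8
answer: testdnscache.example 6 A 192.0.2.7
1 testdnscache.example:
100 bytes, 1+3+0+0 records, response, noerror
query: 1 testdnscache.example
answer: testdnscache.example 6 A 192.0.2.7
answer: testdnscache.example 6 A 192.0.2.19
answer: testdnscache.example 6 A 192.0.2.8
"""


def parse_responses(text):
    """Split tool output at each 'query:' line; keep ordered A records and their TTLs."""
    responses = []
    current = None
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            current = {"name": m.group(1), "ttls": [], "addrs": []}
            responses.append(current)
            continue
        m = ANSWER_RE.match(line)
        if m and current is not None:
            current["ttls"].append(int(m.group(2)))
            current["addrs"].append(m.group(3))
    return responses


def classify(responses):
    """Compare each response with the previous one and count what changed."""
    report = {
        "responses": len(responses),
        "identical_order_pairs": 0,  # same addresses, same order: a cache replaying its copy
        "reordered_pairs": 0,        # same address set, different order: rotation/shuffling
        "changed_set_pairs": 0,      # different addresses: authority chose a new subset
        "ttl_countdown_hits": 0,     # same order and TTL decreased: served from cache
        "distinct_first_addrs": 0,   # how many different addresses came first overall
    }
    for prev, cur in zip(responses, responses[1:]):
        if cur["addrs"] == prev["addrs"]:
            report["identical_order_pairs"] += 1
            if cur["ttls"] and prev["ttls"] and max(cur["ttls"]) < max(prev["ttls"]):
                report["ttl_countdown_hits"] += 1
        elif set(cur["addrs"]) == set(prev["addrs"]):
            report["reordered_pairs"] += 1
        else:
            report["changed_set_pairs"] += 1
    report["distinct_first_addrs"] = len({r["addrs"][0] for r in responses if r["addrs"]})
    return report


def choose_address(addrs, rng=None):
    """Client-side spreading (assumed helper): pick uniformly rather than always the first record."""
    rng = rng or random.SystemRandom()
    return rng.choice(list(addrs))


if __name__ == "__main__":
    parsed = parse_responses(SAMPLE)
    for key, value in classify(parsed).items():
        print(f"{key}: {value}")
    print("client pick:", choose_address(parsed[0]["addrs"]))
```

Run against a real capture (`dnsqr a name` repeated with `sleep` between calls, as in the post), a high `identical_order_pairs` count with `ttl_countdown_hits` is the cache serving one stored answer; a high `changed_set_pairs` or `reordered_pairs` count with no TTL drop is the authority answering each time.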


