[opensuse] RE: Have you experienced a general sligish DNS resolution - OT - Just slightly
I would be interested in others feeling/experience about the very slow resolution of browser enquiries of typical ISP - Particularly if you are in Australia. I ran some stats on my ISP's DNS servers ability to resolve enquiries - The stats were surprising in the number of re-try and Drops. My ISP is a real one and not a partition of bigpond or optusnet. This is particularly noticeable now my speed has increased to min 24000/1000kbps via a DSLAM link. For others it is interesting that Australia being so isolated; the amount of bandwidth available to get out of the country to the nearest major hub is limited and ultimate accessibility to TLD's requires an enormous amount of hops. A situation you don't every need to think about in North America or Europe. To illustrate our delima all you need to do is a traceroute on you ISP's DNS server(s) in .AU. To try to overcome the situation I have set-up my own DNS server - to make all my enquiries and rightly or wrongly I have added zones well up the TLD ladder - I'll probably get kicked off some of my zones but s far o.k (My first zone is a root server in Japan) Put simply the enquiry is Has anyone (particularly living in AU) noticed a slow response or incomplete resolution of DNS from their ISP. My apologies first and foremost for what appears to be a parochial issue. I hate being that way. Scott
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Registration Account wrote:
I would be interested in others feeling/experience about the very slow resolution of browser enquiries of typical ISP - Particularly if you are in Australia. I ran some stats on my ISP's DNS servers ability to resolve enquiries - The stats were surprising in the number of re-try and Drops. My ISP is a real one and not a partition of bigpond or optusnet. This is particularly noticeable now my speed has increased to min 24000/1000kbps via a DSLAM link. For others it is interesting that Australia being so isolated; the amount of bandwidth available to get out of the country to the nearest major hub is limited and ultimate accessibility to TLD's requires an enormous amount of hops. A situation you don't every need to think about in North America or Europe. To illustrate our delima all you need to do is a traceroute on you ISP's DNS server(s) in .AU. To try to overcome the situation I have set-up my own DNS server - to make all my enquiries and rightly or wrongly I have added zones well up the TLD ladder - I'll probably get kicked off some of my zones but s far o.k (My first zone is a root server in Japan) Put simply the enquiry is Has anyone (particularly living in AU) noticed a slow response or incomplete resolution of DNS from their ISP. My apologies first and foremost for what appears to be a parochial issue. I hate being that way. Scott
You do not normally need to explicitly define any external zones to setup a cache-only DNS, all you need to define is your internal zones and any external zones that you own and manage. A cache-only DNS should speed up address resolution after an address has been initially resolved. (As I understand it you would need to come to an arrangement with the controller of the zones host server owners to host a copy of a zone that people external to your environment can query). DNS servers usually are organised hierarchically, and the way the query is actually processed varies. A DNS server can be configured to resolve the request itself if it does not know about a particular address, in which case the requester will get an authoritative response and you will see little of the resolution process, or it can be configured to effectively to give a "I dont know but I know someone who might" response, and the DNS server will respond with information on which server to query for the address. Depending where you are in the domain hierarchy in relation to your target this can involve a number of redirections. This is normal. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGUBNyasN0sSnLmgIRAv0DAJ48/T79xF2BSQGKbv8whxxkQ1uwkgCgr6rS rzndJyvmvPx5fTOhMy2DF/E= =e4pR -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Thanks for your comment. I understand I can trust a cached DNS server to just do what is can do without defining zones, however in this case I don't want to let it do what it wants to - if I did it would probably just ask my ISP DNS servers first and then other local DNS servers. Why I elected to define external zones is that I wanted a cached answer from a source well outside the country - so in some ways I have circumvented a situation where a cached answer could come from a local source. It is so difficult to put into words the difficulty a large very isolated country faces in both its own local telecommunications structure and then limitation of exiting the country without making possibly 20 hops. By guiding the cached DNS server I have set up, I have just circumvented the number of local hops and I love your expression ( I don't know but I know someone who might) its priceless. In this case the someone who might know may be 20 or more hops away. Again, this situation really does not effect anyone else in the world because of proximity and small amounts of hops. Being so isolated with a population very dependant on I.T and so hugely isolated from anything places great strain on our public comms infrastructure which internally is quite good, however at some stage everything needs to exit the country, and that's where the bottleneck starts. Until the recent release of the last satellite, there was even limitations on telephone ISD. At peek times, if I needed to call O/S, I would sometimes get a "all overseas lines are busy - please try later". 5 years ago if you wanted to call overseas on Christmas day, you had to book your calls days in advance. Despite ISD being available at that time, the only way to guarantee a telephone call O/S was to book it days in advance - sounds frightening but that's the cost of isolation. The new satellite went up about 4 years ago - Things are easy now. However large comms dependant companies I.E Qantas (Airline) has its own private satellite - just for itself. There is of course, unlimited capacity for military/government use. AU has a huge U.S base in the middle of the desert which forms an enormous parts of US early warning systems, and AU radio telescope transmitted man landing on the moon to the whole world. Enough rubbish from me. # I will remove the external zones and have a look at its performance just the same. Scott =-O G T Smith wrote:
Registration Account wrote:
I would be interested in others feeling/experience about the very slow resolution of browser enquiries of typical ISP - Particularly if you are in Australia. I ran some stats on my ISP's DNS servers ability to resolve enquiries - The stats were surprising in the number of re-try and Drops. My ISP is a real one and not a partition of bigpond or optusnet. This is particularly noticeable now my speed has increased to min 24000/1000kbps via a DSLAM link. For others it is interesting that Australia being so isolated; the amount of bandwidth available to get out of the country to the nearest major hub is limited and ultimate accessibility to TLD's requires an enormous amount of hops. A situation you don't every need to think about in North America or Europe. To illustrate our delima all you need to do is a traceroute on you ISP's DNS server(s) in .AU. To try to overcome the situation I have set-up my own DNS server - to make all my enquiries and rightly or wrongly I have added zones well up the TLD ladder - I'll probably get kicked off some of my zones but s far o.k (My first zone is a root server in Japan) Put simply the enquiry is Has anyone (particularly living in AU) noticed a slow response or incomplete resolution of DNS from their ISP. My apologies first and foremost for what appears to be a parochial issue. I hate being that way. Scott
You do not normally need to explicitly define any external zones to setup a cache-only DNS, all you need to define is your internal zones and any external zones that you own and manage. A cache-only DNS should speed up address resolution after an address has been initially resolved. (As I understand it you would need to come to an arrangement with the controller of the zones host server owners to host a copy of a zone that people external to your environment can query).
DNS servers usually are organised hierarchically, and the way the query is actually processed varies. A DNS server can be configured to resolve the request itself if it does not know about a particular address, in which case the requester will get an authoritative response and you will see little of the resolution process, or it can be configured to effectively to give a "I dont know but I know someone who might" response, and the DNS server will respond with information on which server to query for the address. Depending where you are in the domain hierarchy in relation to your target this can involve a number of redirections. This is normal.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Monday 2007-05-21 at 12:06 +1000, Registration Account wrote:
Thanks for your comment. I understand I can trust a cached DNS server to just do what is can do without defining zones, however in this case I don't want to let it do what it wants to - if I did it would probably just ask my ISP DNS servers first and then other local DNS servers.
Why I elected to define external zones is that I wanted a cached answer from a source well outside the country - so in some ways I have circumvented a situation where a cached answer could come from a local source.
You don't need to define any zones to achieve that behaviour. What you need is playing with the options in /etc/named.conf: forward first; forwarders { One_IP; Another_IP; }; with this two lines, the "named" daemon will ask first those DNSs servers you list there - and you choose them local or in the antipodes. Or remove those lines and it will always ask the root servers. But you do not need to define any zone at all. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFGUW3QtTMYHG2NR9URAtvyAJsGS5O70Du7/prvqtAhPbmFfSehEQCeIR7F ac39rxMNfB8Sge8nGV4ClQw= =w99Y -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Carlos E. R. wrote:
The Monday 2007-05-21 at 12:06 +1000, Registration Account wrote:
Thanks for your comment. I understand I can trust a cached DNS server to just do what is can do without defining zones, however in this case I don't want to let it do what it wants to - if I did it would probably just ask my ISP DNS servers first and then other local DNS servers.
Why I elected to define external zones is that I wanted a cached answer from a source well outside the country - so in some ways I have circumvented a situation where a cached answer could come from a local source.
You don't need to define any zones to achieve that behaviour.
What you need is playing with the options in /etc/named.conf:
forward first; forwarders { One_IP; Another_IP; };
with this two lines, the "named" daemon will ask first those DNSs servers you list there - and you choose them local or in the antipodes. Or remove those lines and it will always ask the root servers.
But you do not need to define any zone at all.
There is the further option of defining a forward zone (see below)... This would direct queries about a particular address space to a particular server. This would require a fair bit of TLC. (and I am assuming that is what is being done here, trying to synchronise as a slave zone without permission is quite likely to be interpreted as an attempted security hack whether it succeeds or not).
zone domain_name [ ( in | hs | hesiod | chaos ) ] { type forward; [ forward ( only | first ); ] [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ] [ check-names ( warn | fail | ignore ); ] };
This could reduce the negotiation traffic -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGUtHlasN0sSnLmgIRAq79AJ9TsjbP1xIbX+rVpijOpUHLafLpmACdEoFt aDjo3nY82HBxIit+kdhfSPo= =A4Wh -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Thanks everyone for their help. As far as complex editing of files - yes I can easily do that - but I am a user an if its not on the GUI screen - its not there (not always). The DNS server is a Cache server only and is zones as to only ask for a no-authoritative response . As far as their DNS servers are concerned I am just 1 of thousands which cannot resolve locally and going up the TLD 's they cannot resolve so the request for resolution *towards* the TLD world root servers is easy safe and I my DNS I have zones thinks of me as just another request for resolution that a lower TLD could not resolve. Beside - This is a secure site - The worst they can do is deny my all my requests. I am quite safe I can assure you and so is the DNS server I have chosen. You worry too much you will give me grey hair Scott G T Smith wrote:
Carlos E. R. wrote:
The Monday 2007-05-21 at 12:06 +1000, Registration Account wrote:
Thanks for your comment. I understand I can trust a cached DNS server to just do what is can do without defining zones, however in this case I don't want to let it do what it wants to - if I did it would probably just ask my ISP DNS servers first and then other local DNS servers. Why I elected to define external zones is that I wanted a cached answer from a source well outside the country - so in some ways I have circumvented a situation where a cached answer could come from a local source. You don't need to define any zones to achieve that behaviour.
What you need is playing with the options in /etc/named.conf:
forward first; forwarders { One_IP; Another_IP; };
with this two lines, the "named" daemon will ask first those DNSs servers you list there - and you choose them local or in the antipodes. Or remove those lines and it will always ask the root servers.
But you do not need to define any zone at all.
There is the further option of defining a forward zone (see below)... This would direct queries about a particular address space to a particular server. This would require a fair bit of TLC. (and I am assuming that is what is being done here, trying to synchronise as a slave zone without permission is quite likely to be interpreted as an attempted security hack whether it succeeds or not).
zone domain_name [ ( in | hs | hesiod | chaos ) ] { type forward; [ forward ( only | first ); ] [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ] [ check-names ( warn | fail | ignore ); ] };
This could reduce the negotiation traffic
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Registration Account wrote:
Thanks everyone for their help.
As far as complex editing of files - yes I can easily do that - but I am a user an if its not on the GUI screen - its not there (not always).
The DNS server is a Cache server only and is zones as to only ask for a no-authoritative response .
I am not sure I understand this. As far as their DNS servers are concerned I
am just 1 of thousands which cannot resolve locally and going up the TLD 's they cannot resolve so the request for resolution *towards* the TLD world root servers is easy safe and I my DNS I have zones thinks of me as just another request for resolution that a lower TLD could not resolve.
That is what a forwarder zone is supposed to do. However, they will need periodic maintenance as DNS servers addresses can and do change.
Beside - This is a secure site - The worst they can do is deny my all my requests. I am quite safe I can assure you and so is the DNS server I have chosen.
The comment was in regard to attempting to duplicate a zone. You are unlikely to get notification from the zone master of any changes to the zone unless you let the owners know you want them, if you setup a slave zone, Scanning for members of a zone or manually building a zone will look very suspicious from the ISPs and zone owners end. You misunderstand me the worst they can do is terminate your connection. A malconfigured DNS can create havoc, go down this route and get it wrong and someone will drop on you from a great height.
You worry too much you will give me grey hair Scott
G T Smith wrote:
Carlos E. R. wrote:
< Stuff deleted > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGXU/NasN0sSnLmgIRAmQyAJ4jHsB7ag3CfARYpGv+bqqdrq0LKwCgjFhD N+epdDoG5ZcWQeQxcxofqyE= =T2D4 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (3)
-
Carlos E. R. -
G T Smith -
Registration Account