[opensuse] optimizing resolv.conf
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.

http://www.edwin.io/optimized-resolv-conf seems to make sense, but it includes no discussion of a local nameserver, such as the one typically enabled by default in an internet router, only using Google IPs. Anyone have anything to add or dispute what it says?

Are those using routers better off using the one it includes? Better off avoiding?

Is there any convenient way to evaluate average response times from various servers?

Are there logical reasons for avoiding Google's or other high visibility servers?

Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?

Can anyone explain why the default timeout is 5s and not more or less? Is it a holdover from times past when the internet was less busy, and often less speedy via dialup or ISDN instead of broadband?

--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 1/1/2014 12:27 AM, Felix Miata wrote:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
http://www.edwin.io/optimized-resolv-conf seems to make sense, but it includes no discussion of a local nameserver, such as the one typically enabled by default in an internet router, only using Google IPs. Anyone have anything to add or dispute what it says?
Are those using routers better off using the one it includes? Better off avoiding?
Is there any convenient way to evaluate average response times from various servers?
Are there logical reasons for avoiding Google's or other high visibility servers?
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?
Can anyone explain why the default timeout is 5s and not more or less? Is it a holdover from times past when the internet was less busy, and often less speedy via dialup or ISDN instead of broadband?
If you EVER see "looking up host" then, yes, you have a problem, and yes you should consider using some other servers. I often see waiting for......, but never looking up.... I can't remember the last time I saw that for a site that ultimately resolved. If I do, it's because I fat-fingered the keyboard while typing a url.

I subscribe to opendns.com, (they have a free service). It is very fast. I have a fall back (secondary) of 8.8.8.8 (google). I think it has fallen over to google's server maybe once in all the years I've been using them, and that was for a scheduled outage. Their servers are fast, at least as fast as Google's.

My ISP is spotty, sometimes very good but other times their servers become slow. My prior ISP was simply terrible. That's what led me to look for alternatives.

I run my own in-house DNS server on opensuse, because I have a split horizon for office machines. Otherwise, I would just code openDNS's IPs into the router, which is what I do at home. All my machines just point to my in-house server or the router for DNS, and that means I only have to change the settings in one place.

Opendns allows me to block a bunch of web ad servers so that I don't have to run ad block on every browser on every machine. Every once in a while I will reverse the order of the DNS servers to see the difference, and Google's servers are very fast, but the amount of ads on web pages goes up by a lot because they don't offer blocking. Where I really notice this is on tablets and smartphones. What I block via opendns is those ad agencies that underline random words on any page and trigger pop-ups each time your mouse crosses them. All of these creep through Google's servers, but not opendns.

The other reason I avoid Google is that I have no clue what they are doing with that data.

As for why you would avoid your ISP's router, you answered that question before you asked it, because you should never see "looking up" messages in a browser. Ever. (Well, ok, maybe on dial-up).

The time out of 5 seconds is traditional, and probably no longer warranted, but falling over to your second server starts the process all over again, and there is no reason to believe the secondary will be faster than the primary, since people usually put the fastest boxes as primary and the older boxes as secondaries. Forcing premature fail-over to secondaries can be counterproductive. (This is not a concern if your secondary is a different system, such as google). Option rotate does not always work (not honored by many systems, most small routers, etc).

--
_____________________________________
---This space for rent---
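A way to put numbers on the response-time question in the original post and on the timeout/failover point above, added here as an example and not part of any post in the thread: it sends raw UDP queries, parses each reply, and averages per server while counting timeouts. The server addresses are the ones named in the thread; the sample names and the embedded reply bytes are constructed.

```python
import random
import socket
import struct
import time

# Resolvers to compare: router, Google, and the OpenDNS IPv6 address quoted in the thread.
SERVERS = ["192.168.1.1", "8.8.8.8", "8.8.4.4", "2620:0:ccc::2"]
# Constructed sample names. Different names measure uncached lookups; asking the
# same name again shows how fast the resolver answers from its cache.
NAMES = ["www.opensuse.org", "example.com", "example.net"]
# Constructed reply to an A query for example.com (id 0x1234, NOERROR, one answer,
# TTL 3600, 93.184.216.34) so the parser can be exercised without network access.
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"
                b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

def encode_name(name):
    """Encode a host name as DNS labels: length byte + label, ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=None):
    """Build a recursive query; qtype 1 = A, 28 = AAAA."""
    if txid is None:
        txid = random.randrange(0, 65536)
    # id, flags (only RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def _skip_name(data, offset):
    """Return the offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length

def parse_response(data, expected_id):
    """Return (rcode, [addresses]); rcode 0 = NOERROR, 3 = NXDOMAIN."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: reply is not for our query")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question (name + type + class)
        offset = _skip_name(data, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
        elif rtype == 28 and rdlen == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addresses

def time_query(server, name, timeout=2.0):
    """Send one UDP query; return (milliseconds, rcode), or None if no reply arrives in time."""
    txid = random.randrange(0, 65536)
    query = build_query(name, txid=txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
        elapsed = (time.monotonic() - start) * 1000.0
    rcode, _ = parse_response(data, txid)
    return elapsed, rcode

def summarize(samples):
    """samples: milliseconds or None per query. Return (average ms of answered queries, timeouts)."""
    answered = [s for s in samples if s is not None]
    average = sum(answered) / len(answered) if answered else None
    return average, len(samples) - len(answered)

if __name__ == "__main__":
    for server in SERVERS:
        replies = [time_query(server, name) for name in NAMES * 3]  # three rounds per server
        avg_ms, timeouts = summarize([None if r is None else r[0] for r in replies])
        shown = "no answer" if avg_ms is None else "%.1f ms" % avg_ms
        print("%-16s %s (%d timeouts)" % (server, shown, timeouts))
```

Every timeout counted here is a query that the stub resolver's 5 s default would have turned into a visible stall before trying the next nameserver.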
John Andersen wrote:
I run my own in-house DNS server on opensuse, because I have a split horizon for office machines. Otherwise, I would just code openDNS's IPs into the router, which is what I do at home. All my machines just point to my in-house server or the router for DNS, and that means I only have to change the settings in one place.
I run dnsmasq on my firewall and have it configured with OpenDNS and he.net via IPv6 and Google via IPv4. This works well. I avoid my ISP's DNS as they send you elsewhere when you enter a bad host name, instead of returning 404. I have Google via IPv4 for two reasons. If my IPv6 tunnel is down, I need an IPv4 DNS and also for redundancy, if the other two DNS servers are not working.

Here's what's in my resolv.conf

nameserver 2620:0:ccc::2 #OpenDNS
nameserver 2001:470:20::2 #he.net
nameserver 8.8.8.8 #Google
On 2014-01-01 09:27, Felix Miata wrote:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
You can set a DNS local server, working as cache. It is now even easier than it was. Dnsmasq is now installed by default, just use it.

In "/etc/dnsmasq.conf" tell dnsmasq to ask the router or isp or whatever.

server=192.168.1.1

In the file "/etc/resolv.conf" tell the system to query local DNS server (or do it in Yast or network manager, whatever you use):

search somewhere
#nameserver 192.168.1.1
nameserver 127.0.0.1

Then start dnsmasq, test network. If it works, enable dnsmasq to start up automatically on boot.

That's the setup I'm using on this machine&partition, it works. Yes, I have it setup to ask my router, so far, no complaints. But the router memory is small, thus it is complemented with dnsmasq on the computer. On all my computers, actually.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
Le 01/01/2014 14:35, Carlos E. R. a écrit :
Dnsmasq is now installed by default, just use it.
In "/etc/dnsmasq.conf" tell dnsmasq to ask the router or isp or whatever.
server=192.168.1.1
seems to be not even necessary

I didn't know about dnsmasq (or really didn't have time to test it yet), and decided to follow your advice. I found the /etc/dnsmasq.conf file filled with comments and probably no other things and decided not to touch it in the beginning. I went to yast and set 127.0.0.1 as dns; as a result yast wrote in resolv.conf *two* IP as dns, 127.0.0.1, but also my router's one (192.68.0.254, the one returned by dhcp). See below the systemctl status.

browsing seems faster, but maybe it's only an impression :-(

thanks
jdd

systemctl status dnsmasq.service -l
dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled)
  Drop-In: /run/systemd/generator/dnsmasq.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since mer. 2014-01-01 16:37:43 CET; 4min 42s ago
  Process: 3340 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 3352 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─3352 /usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground

janv. 01 16:37:43 linux-zckr dnsmasq[3340]: dnsmasq: syntax check OK.
janv. 01 16:37:43 linux-zckr systemd[1]: Started DNS caching server..
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: started, version 2.65 cachesize 2000
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: DBus support enabled: connected to system bus
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: asynchronous logging enabled, queue limit is 5 messages
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: reading /etc/resolv.conf
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: using nameserver 192.168.0.254#53
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: ignoring nameserver 127.0.0.1 - local interface
janv. 01 16:37:43 linux-zckr dnsmasq[3352]: read /etc/hosts - 7 addresses

--
http://www.dodin.org
On 2014-01-01 16:57, jdd wrote:
Le 01/01/2014 14:35, Carlos E. R. a écrit :
Dnsmasq is now installed by default, just use it.
In "/etc/dnsmasq.conf" tell dnsmasq to ask the router or isp or whatever.
server=192.168.1.1
seems to be not even necessary
It is, because...
as a result yast wrote in resolv.conf *two* IP as dns, 127.0.0.1, but also my routers one (192.68.0.254, the one returned by dhcp). See below the systemctl status.
you are really using the 192.68.0.254 server. You have to tell your system to _only_ use the dnsmasq service, and you also have to tell your dnsmasq service to make queries up to the router, and not query the entire internet on its own, which can be slower (there may be exceptions). In theory, asking your ISP server should be faster, as Anton pointed out. And this is what the router typically does.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
On 2014-01-01 14:35 (GMT+0100) Carlos E. R. composed:
Felix Miata wrote:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
You can set a DNS local server, working as cache. It is now even easier than it was.
Dnsmasq is now installed by default, just use it.
My 24/7 box is still on 11.4. Dnsmasq was not installed.
In "/etc/dnsmasq.conf" tell dnsmasq to ask the router or isp or whatever.
server=192.168.1.1
Seems simple enough, until I look at the default /etc/dnsmasq.conf file, where I see only this example that seems like the closest equivalent to your suggestion:

#server=/localnet/192.168.0.1

What are the "/" and "localnet" about? Searching through the man page, search string localnet was not found. There is no separate man page for dnsmasq.conf. Maybe localnet would have been better expressed as <localnet> or <domain>?

If I wanted to use two Google servers instead of router IP, bypassing resolv.conf, would I put both IPs on one line, or two, and if on one, separated how?
In the file "/etc/resolv.conf" tell the system to query local DNS server (or do it in Yast or network manager, whatever you use):
search somewhere
#nameserver 192.168.1.1
nameserver 127.0.0.1
Then start dnsmasq, test network. If it works, enable dnsmasq to start up automatically on boot.
That's the setup I'm using on this machine&partition, it works. Yes, I have it setup to ask my router, so far, no complaints. But the router memory is small, thus it is complemented with dnsmasq on the computer. On all my computers, actually.
--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On 2014-01-03 01:35, Felix Miata wrote:
On 2014-01-01 14:35 (GMT+0100) Carlos E. R. composed:
You can set a DNS local server, working as cache. It is now even easier than it was.
Dnsmasq is now installed by default, just use it.
My 24/7 box is still on 11.4. Dnsmasq was not installed.
Ah, right. You can use plain bind, which by default acts as DNS cache. It is just a bit trickier to setup. Or wait till you upgrade that 11.4 to 13.1, which I'm also about to do (both are Evergreen versions).
In "/etc/dnsmasq.conf" tell dnsmasq to ask the router or isp or whatever.
server=192.168.1.1
Seems simple enough, until I look at the default /etc/dnsmasq.conf file, where I see only this example that seems like the closest equivalent to your suggestion:
#server=/localnet/192.168.0.1
What are the "/" and "localnet" about? Searching through the man page, search string localnet was not found. There is no separate man page for dnsmasq.conf. Maybe localnet would have been better expressed as <localnet> or <domain>?
Forget all that. You only need to add the new line I suggested.
If I wanted to use two Google servers instead of router IP, bypassing resolv.conf, would I put both IPs on one line, or two, and if on one, separated how?
Two lines:

server=X.y.z.v
server=X.y.z.w

It is a very simple syntax.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
On 2014-01-03 01:51 (GMT+0100) Carlos E. R. composed:
Felix Miata wrote:
My 24/7 box is still on 11.4. Dnsmasq was not installed.
Ah, right. You can use plain bind, which by default acts as DNS cache. It is just a bit trickier to setup.
Keyword: was. No need for bind.
Or wait till you upgrade that 11.4 to 13.1, which I'm also about to do (both are Evergreen versions).
That is unlikely ever to happen here due to https://bugs.freedesktop.org/show_bug.cgi?id=39949 if it ever gets fixed, highly unlikely ever applied to 13.1, same reason I never downgraded to 12.1, 12.2 or 12.3 on my 24/7 box.
If I wanted to use two Google servers instead of router IP, bypassing resolv.conf, would I put both IPs on one line, or two, and if on one, separated how?
Two lines:
server=X.y.z.v
server=X.y.z.w
It is a very simple syntax.
Made unclear by example integral to dnsmasq.conf. :-p

I now have dnsmasq running, with 127.0.0.1 the only nameserver line in resolv.conf. For now, I have one server=<OpenDNS#> and one server=<Google#> in dnsmasq.conf, which I can tweak when the mood strikes.

Now I have a mental block how to redirect adservers to the bit bucket. Is hosts still being used with dnsmasq running? My router is now no more than gateway and firewall, right? Do ad server domains need to be added to dnsmasq.conf to be most efficient?

--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On 2014-01-03 03:06, Felix Miata wrote:
On 2014-01-03 01:51 (GMT+0100) Carlos E. R. composed:
Two lines:
server=X.y.z.v
server=X.y.z.w
It is a very simple syntax.
Made unclear by example integral to dnsmasq.conf. :-p
True...
I now have dnsmasq running, with 127.0.0.1 the only nameserver line in resolv.conf. For now, I have one server=<OpenDNS#> and one server=<Google#> in dnsmasq.conf, which I can tweak when the mood strikes.
Good.
Now I have a mental block how to redirect adservers to the bit bucket. Is hosts still being used with dnsmasq running?
Yes. And dnsmasq reads it and serves the contents via dns queries, too, no conflict.
My router is now no more than gateway and firewall, right?
Right.
Do ad server domains need to be added to dnsmasq.conf to be most efficient?
I have no experience there, I don't block them. Yet.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
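Added here as an example, not a file from jdd, Carlos or Felix: a dnsmasq.conf that combines the two-line server= form, the "/localnet/" form from the default file (the "/domain/" prefix restricts that upstream to names under that domain), and ad-domain sinkholing, with the matching resolv.conf. Addresses are those used in the thread; the ads.example domain and the blocklist path are constructed placeholders.

```conf
# /etc/dnsmasq.conf (constructed example)

# Ignore /etc/resolv.conf when choosing upstreams; only the lines below count.
no-resolv

# Plain form: upstream for every name. By default dnsmasq sends a query to one
# upstream and favours servers known to be up; all-servers would ask all of them.
server=8.8.8.8
server=8.8.4.4

# "/domain/" form: only names under localnet go to the router; everything else
# still goes to the servers above.
server=/localnet/192.168.1.1

# Answer this machine only; repeat the option with the LAN address to serve other hosts.
listen-address=127.0.0.1

# Never forward dotless names or reverse lookups of private addresses upstream.
domain-needed
bogus-priv

# Cache entries; jdd's log shows 2000 on the 13.1 package.
cache-size=2000

# Ad-server sinkholing. /etc/hosts is still read and served (one exact name per
# line); address= also matches every subdomain of the name, which hosts cannot.
address=/ads.example/0.0.0.0

# A larger hosts-format blocklist can live in its own file (placeholder path).
addn-hosts=/etc/dnsmasq.blocklist

# /etc/resolv.conf

# Only the local cache is listed, so there is no second nameserver to fail over
# to; the options line shortens the stub resolver's per-try wait and retry count.
nameserver 127.0.0.1
options timeout:2 attempts:2
```

After editing, dnsmasq --test checks the syntax (it is what the ExecStartPre in jdd's status output runs).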
On 1/2/2014 4:56 PM, James Knott wrote:
Felix Miata wrote:
My 24/7 box is still on 11.4. Dnsmasq was not installed.
My firewall is also 11.4. I had to manually add Dnsmasq.
Mine's 10.2 with bind and a split horizon. I didn't find it particularly difficult to set up, and didn't need no stinkin Dnsmasq.

--
_____________________________________
---This space for rent---
On 01/02/2014 07:35 PM, Felix Miata pecked at the keyboard and wrote:
On 2014-01-01 14:35 (GMT+0100) Carlos E. R. composed:
Felix Miata wrote:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
You can set a DNS local server, working as cache. It is now even easier than it was.
Dnsmasq is now installed by default, just use it.
My 24/7 box is still on 11.4. Dnsmasq was not installed.
In "/etc/dnsmasq.conf" tell dnsmasq to ask the router or isp or whatever.
server=192.168.1.1
Seems simple enough, until I look at the default /etc/dnsmasq.conf file, where I see only this example that seems like the closest equivalent to your suggestion:
#server=/localnet/192.168.0.1
What are the "/" and "localnet" about? Searching through the man page, search string localnet was not found. There is no separate man page for dnsmasq.conf. Maybe localnet would have been better expressed as <localnet> or <domain>?
If I wanted to use two Google servers instead of router IP, bypassing resolv.conf, would I put both IPs on one line, or two, and if on one, separated how?
nameserver 8.8.8.8
nameserver 8.8.4.4

--
Ken Schneider
SuSe since Version 5.2, June 1998
Felix Miata <mrmazda@earthlink.net> wrote:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
http://www.edwin.io/optimized-resolv-conf seems to make sense, but it includes no discussion of a local nameserver, such as the one typically
enabled by default in an internet router, only using Google IPs. Anyone have anything to add or dispute what it says?
Are those using routers better off using the one it includes? Better off avoiding?
Is there any convenient way to evaluate average response times from various servers?
Are there logical reasons for avoiding Google's or other high visibility servers?
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?
Can anyone explain why the default timeout is 5s and not more or less? Is it a holdover from times past when the internet was less busy, and often less speedy via dialup or ISDN instead of broadband?
Felix,

I know you have numerous PCs.

Do you run your own local dns server? Since you have numerous machines you should. Set it up to forward non-cached lookups to a good dns server. No need for that good dns server to be your isp's.

Dns is a pretty lightweight service, so the recommendation even 20 years ago was to dedicate a low performance PC to dns. The reason for that is uptime for your local dns server is very important. Having a local dns server means 99% of dns lookups will be handled at local lan speeds. It also means the cache of names/ips is shared by all your machines.

Greg
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On Wed, 2014-01-01 at 09:37 -0500, Greg Freemyer wrote:
Felix Miata <mrmazda@earthlink.net> wrote:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
http://www.edwin.io/optimized-resolv-conf seems to make sense, but it includes no discussion of a local nameserver, such as the one typically
enabled by default in an internet router, only using Google IPs. Anyone have anything to add or dispute what it says?
Are those using routers better off using the one it includes? Better off avoiding?
Is there any convenient way to evaluate average response times from various servers?
Are there logical reasons for avoiding Google's or other high visibility servers?
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?
Can anyone explain why the default timeout is 5s and not more or less? Is it a holdover from times past when the internet was less busy, and often less speedy via dialup or ISDN instead of broadband?
Felix,
I know you have numerous PCs.
Do you run your own local dns server? Since you have numerous machines you should. Set it up to forward non-cached lookups to a good dns server. No need for that good dns server to be your isp's.
Dns is a pretty lightweight service, so the recommendation even 20 years ago was to dedicate a low performance PC to dns. The reason for that is uptime for your local dns server is very important. Having a local dns server means 99% of dns lookups will be handled at local lan speeds. It also means the cache of names/ips is shared by all your machines.
Sounds like a good job for a couple of raspberry pi's (primary & secondary dns). Each of them fed from its own rechargeable and PSU.

hw
Hans Witvliet wrote:
Dns is a pretty lightweight service, so the recommendation even 20 years ago was to dedicate a low performance PC to dns. The reason for that is uptime for your local dns server is very important. Having a local dns server means 99% of dns lookups will be handled at local lan speeds. It also means the cache of names/ips is shared by all your machines.
Sounds like a good job for a couple of raspberry pi's (primary & secondary dns). Each of them fed from its own rechargeable and PSU.
Actually, it's a good job for any computer that's running all the time. My firewall/router is an old i586 computer running openSUSE 11.4. That's where I run Dnscache, along with some other services.
On Thu, 2014-01-02 at 17:11 -0500, James Knott wrote:
Hans Witvliet wrote:
Dns is a pretty lightweight service, so the recommendation even 20 years ago was to dedicate a low performance PC to dns. The reason for that is uptime for your local dns server is very important. Having a local dns server means 99% of dns lookups will be handled at local lan speeds. It also means the cache of names/ips is shared by all your machines.
Sounds like a good job for a couple of raspberry pi's (primary & secondary dns). Each of them fed from its own rechargeable and PSU.
Actually, it's a good job for any computer that's running all the time. My firewall/router is an old i586 computer running openSUSE 11.4. That's where I run Dnscache, along with some other services.
Yeah, I know. I used to have my dns on my firewall/imap/dhcp/... machine. But I found out that if something goes wrong with dns, everything else tumbled down. Hence I'm going to migrate my dns-functionality to two machines doing nothing else.

@John, my main access is via cable, secondly via adsl (different providers) and if even those fail I still got a GSM-modem

hw
Hans Witvliet wrote:
I used to have my dns on my firewall/imap/dhcp/... machine. But I found out that if something goes wrong with dns, everything else tumbled down. Hence I'm going to migrate my dns-functionality to two machines doing nothing else.
As I mentioned earlier, the main purpose of running Dnsmasq is for name resolution of my local devices. I have a 2nd external DNS configured on any computer with a static address. I also use a DNS service for when I'm away from home. It provides an alias to the long host name for my IPv4 address, but also AAAA records for my IPv6 addresses. I suppose I could add the local RFC 1918 addresses for my local devices to that external DNS, so that I could fall back to it if my local DNS failed, though it of course wouldn't work for elsewhere. I currently have configured an old consumer grade firewall/router that I could drop in as a replacement, should my Linux box firewall/router fail.
On 01/02/2014 04:11 PM, James Knott wrote:
Actually, it's a good job for any computer that's running all the time. My firewall/router is an old i586 computer running openSUSE 11.4. That's where I run Dnscache, along with some other services.
+1

Any old box is plenty fast to serve as a firewall/router/dhcpd/bind server. IIRC the Linux Desktop Router Project did benchmark testing on 386 boxes and CPU latency was not an issue. The issue then/now was network I/O. An old Athlon tbird, duron, 586 is more than enough processor for the job. Most of the older core server apps were surprisingly efficient. In addition to firewall, etc... the older boxes also serve well as fax and web servers. You can literally create your firewall/router/dhcpd/bind server out of the spare parts you have laying around.

--
David C. Rankin, J.D.,P.E.
On 2014-01-04 22:51, David C. Rankin wrote:
Any old box is plenty fast to serve as a firewall/router/dhcpd/bind server.
I use an old laptop with new hard disk for some 24*7 tasks. Saves on energy costs. I have the bottom open, set on top of a tray with fan, one of those sold for cooling laptops, connected to a USB port. Only that I connect the fan to a power converter from the mains, not from a USB socket. The lappy has no battery at all, so it is connected to the same UPS as the router.

But I don't serve dnsmasq to my network because I don't have it absolutely always running.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
On 2014-01-04 15:51 (GMT-0600) David C. Rankin composed:
James Knott wrote:
Actually, it's a good job for any computer that's running all the time. My firewall/router is an old i586 computer running openSUSE 11.4. That's where I run Dnscache, along with some other services.
+1
Any old box is plenty fast to serve as a firewall/router/dhcpd/bind server.
By implication, those would be trivial additional load to any system that's already running 24/7, which wouldn't require additional oxidation of dead dinosaurs or radioactive waste to keep another older, probably less efficient, PS, CPU & RAM running, and eat another switch port and cable.
You can literally create your firewall/router/dhcpd/bind server out of the spare parts you have laying around.
I have lots of parts already assembled into well over a dozen complete working PCs at 850MHz or less, just waiting for some use to be put to besides out-of-support software, roach, dust and spider web housing.

--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On 1/2/2014 2:04 PM, Hans Witvliet wrote:
Sounds like a good job for a couple of raspberry pi's (primary & secondary dns). Each of them fed from its own rechargeable and PSU.
Who needs more than one when it's in-house? Redundancy behind your single point of failure (modem and isp connection) seems misguided. As long as it had two different forwarders, you would be good.

There are a number of small services for in-house use, that could be pushed to Raspberrys, such as time, dhcpd, dns, etc. Maybe even cups. A lot fewer services would need to be running on the big box.

I wish they would come out with a raspberry with dual cat5 ports. The current models seem sort of limited in usability.

--
_____________________________________
---This space for rent---
John Andersen said the following on 01/02/2014 05:20 PM:
I wish they would come out with a raspberry with dual cat5 ports. The current models seem sort of limited in usability.
I hope you realise that there are other very-small motherboards besides the 'berry. Google for "mini-itx", "nano-itx" and "pico-itx"

Mini-ITX 6.7 × 6.7 in or 170 × 170 mm
Nano-ITX 4.7 × 4.7 in or 120 × 120 mm
Pico-ITX 3.9 × 2.8 in or 100 × 72 mm
Neo-ITX 170 × 85 × 35 mm

http://en.wikipedia.org/wiki/Pico-ITX
http://en.wikipedia.org/wiki/Mini-ITX

many of these use plugin 'daughter cards' to expand IO capability. Check the vendors for one that offers multiple Ethernet.

And then there's Arduino ...
http://www.tomshardware.com/news/intel-arduino-quark-galileo,24531.html

If all you need is a minimalist low powered 'board' on the LAN to run basic services such as DNS, DHCP etc and not be a firewall/dual-port then there's a lot of choice. And if you want a small board that has slots for those extra ports then there's still a lot of choice.

http://global.aopen.com/products_detail.aspx?Auno=2158
On 2014-01-02 23:04 (GMT+0100) Hans Witvliet composed:
On Wed, 2014-01-01 at 09:37 -0500, Greg Freemyer wrote:
Do you run your own local dns server? Since you have numerous machines you should. Set it up to forward non-cached lookups to a good dns server. No need for that good dns server to be your isp's.
While I do have a lot of machines, only two run 24/7, and one runs eComStation 1.14 (most recent variant of OS/2; latest release 2.1; 2.2 now in beta), which has a 500kb hosts file initially created using more than a decade ago.
Dns is a pretty lightweight service, so the recommendation even 20 years ago was to dedicate a low performance PC to dns. The reason for that is uptime for your local dns server is very important. Having a local dns server means 99% of dns lookups will be handled at local lan speeds. It also means the cache of names/ips is shared by all your machines.
Sounds like a good job for a couple of raspberry pi's (primary & secondary dns). Each of them fed from its own rechargeable and PSU.
Is there good reason for 2 additional machines and switch port consumption to do what one already running 24/7 for both desktop, LAN server, and Apache can do?

I've read this whole thread that I started, though not all at once. A lot of good info, with multiple philosophical variances. It seems the preferred starting point for me will be using OpenDNS server IPs, as my own ISP's redirect to its own junk page instead of allowing my browser to show its standard 404 message, and the OpenDNS tests with traceroute -n -w 2 -q 2 were overall best of all I tried, e.g. 199.166.31.3 (199.166.31.3) 23.240 ms 22.991 ms.

As to a caching server I'm not sure what to think. If I saw an explanation how one like dnsmasq on a PC might be better than the server in my internet router, I either missed it, or have forgotten. It seems like most convenient would be to use the one in the router, set to use OpenDNS IPs, and also use it to block ad servers.

As to blocking ad servers, is blocking via the firewall materially different in effectiveness from redirecting to 0.0.0.0 or 127.0.0.1 via hosts entries? I use a lot of different browsers on different machines, so have never tried the adblock extension. I do have an adblock.css file preventing display of various standard ad image sizes in some browser profiles.

--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
Felix Miata wrote:
As to a caching server I'm not sure what to think. If I saw an explanation how one like dnsmasq on a PC might be better than the server in my internet router, I either missed it, or have forgotten. It seems like most convenient would be to use the one in the router, set to use OpenDNS IPs, and also use it to block ad servers.
On a small network, the caching function wouldn't provide much advantage. However, it can act as a local DNS for your network devices, instead of using hosts files on all computers.
On 2014-01-03 01:58, James Knott wrote:
On a small network, the caching function wouldn't provide much advantage. However, it can act as a local DNS for your network devices, instead of using host files on all computers.
It does, even on a single computer. The slower the internet pipe, the bigger the advantage. You can save seconds on every query, and a single page may trigger dozens.

-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
Carlos E. R. wrote:
It does, even on a single computer. The slower the internet pipe, the bigger the advantage. You can save seconds on every query, and a single page may trigger dozens.
A DNS cache works only if that address has been requested recently. With few users, that will be less likely.
James Knott said the following on 01/02/2014 09:56 PM:
Carlos E. R. wrote:
It does, even on a single computer. The slower the internet pipe, the bigger the advantage. You can save seconds on every query, and a single page may trigger dozens.
A DNS cache works only if that address has been requested recently. With few users, that will be less likely.
I disagree. Any one web page is also going to request .css and possibly .js files, and these days it's so close to a certainty as makes no difference that it is going to request some graphics. Those are likely to be from the same server or at the very least a server in the same domain.

If you google for something all that applies, and it's likely you will read the next page as well.

Depending on your reading habits you are likely when visiting a site to 'follow on' to subsequent pages. All of the above applies. Perhaps a really smart browser will not request the same .css and .js and perhaps not the header image; the next pages will have unique content.

More and more the web is becoming graphics intense.

So even with one user there is going to be a need for a DNS cache. As Carlos says, a single page may trigger dozens of requests.

Oh, and there's always google analytics. Unless you are unsociable and include that in your adblock list.

--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \
Anton Aylward wrote:
I disagree. Any one web page is also going to request .css and possibly .js files, and these days it's so close to a certainty as makes no difference that it is going to request some graphics. Those are likely to be from the same server or at the very least a server in the same domain.
If you google for something all that applies, and it's likely you will read the next page as well.
Depending on your reading habits you are likely when visiting a site to 'follow on' to subsequent pages. All of the above applies. Perhaps a really smart browser will not request the same .css and .js and perhaps not the header image; the next pages will have unique content.
More and more the web is becoming graphics intense.
So even with one user there is going to be a need for a DNS cache. As Carlos says, a single page may trigger dozens of requests.
As I pointed out in another message, the OS and browser also cache DNS, so providing yet another cache will not make much difference, if there are few computers using it. On the other hand, a DNS server caching for several computers would provide more benefit.
On Thu, Jan 2, 2014 at 7:58 PM, James Knott <james.knott@rogers.com> wrote:
On a small network, the caching function wouldn't provide much advantage.
I disagree, but I haven't really used wireshark to verify it in a couple years. To the best of my knowledge, if a website has 20 images on it referenced by hostname, then the browser will do a DNS lookup for each of those 20. If you're not running a caching DNS server either on that box itself or on your lan somewhere, then those 20 queries have to go out to the DNS server you're using. At normal ISP speeds, that can add up.

As to using the DNS server in the router, I've always assumed all it did was forward your requests to the ISP for you. Do low end home routers actually cache DNS queries?

Greg
--
Greg Freemyer
On 2014-01-03 02:08, Greg Freemyer wrote:
As to using the DNS server in the router, I've always assumed all it did was forward your requests to the ISP for you. Do low end home routers actually cache DNS queries?
Yes, they do. How many entries and for how long depends on how good they are, ie, how much memory they have.

Verifying this would require doing queries and timing them. Maybe someone has a test suite out there.

-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
On 1/2/2014 5:19 PM, Carlos E. R. wrote:
On 2014-01-03 02:08, Greg Freemyer wrote:
As to using the DNS server in the router, I've always assumed all it did was forward your requests to the ISP for you. Do low end home routers actually cache DNS queries?
Yes, they do. How many entries and for how long depends on how good they are, ie, how much memory they have.
Verifying this would require doing queries and timing them. Maybe someone has a test suite out there.
Naw, just put an old ethernet hub between the router and your provider, then ethereal scanning for dns hits. I did this a couple years ago when testing my in-house bind vs the dns cache in a router.

Even the lamest old router I had did some amount of caching, but it was dramatically better running bind than the best router. It would literally cache for days and days, whereas the hardware router would exceed its tables often within 10 minutes, sometimes on the same page, when pre-fetch is turned on in browsers, and you pull up a page like google news.

--
_____________________________________
---This space for rent---
On 01/02/2014 08:18 PM, John Andersen wrote:
Naw, just put an old ethernet hub between the router and your provider, then ethereal scanning for dns hits. I did this a couple years ago when testing my in-house bind vs the dns cache in a router.
Even the lamest old router I had did some amount of caching, but it was dramatically better running bind than the best router. It would literally cache for days and days, whereas the hardware router would exceed its tables often within 10 minutes, sometimes on the same page, when pre-fetch is turned on in browsers, and you pull up a page like google news.
JA has it right. The following setup is almost impossible to beat:

 WAN                 LAN
----[router]---------[hub]---[rest of local subnet]
        |               \
 All but desired        bind/dhcpd/server
 Ports Blocked          authoritative/caching

I run an old linksys wifi router and disable all dhcp, etc. I have one box that runs bind with dhcpd providing dynamic updates. The setup is relatively simple and once setup it will provide years of service.

As for which servers to use for DNS, I just conducted a small test while writing the article. In bind, external DNS server addresses are controlled with the forwarders statement. So I conducted a test between my ISP, openDNS, google, etc.. Here are the results (after named restart - no cache; using 'dig @my.server.com trinitydesktop.org'):

17:23 alchemy:~> dig @nirvana.3111skyline.com trinitydesktop.org
; <<>> DiG 9.7.6-P4 <<>> @nirvana.3111skyline.com trinitydesktop.org
; (1 server found)
<snip>

My ISP:
forwarders { 208.180.42.100; 208.180.42.68; 68.1.208.30; };
;; Query time: 88.9 msec

OpenDNS:
forwarders { 208.67.220.220; 208.67.222.222; 208.180.42.100; };
;; Query time: 60.0 msec
forwarders { 208.67.222.222; 208.67.220.220; 208.180.42.100; };
;; Query time: 74.4 msec

Google:
forwarders { 8.8.8.8; 8.8.4.4; 208.180.42.100; };
;; Query time: 92.9 msec

Now, once an address is in cache, then the *dramatic* advantage of using cache can be seen on the second call to named using dig. For all addresses queried and in cache, the Query time was:

;; Query time: 2 msec

The test is completely unscientific, no account for network traffic, number of hops, etc., but on balance the best *initial* response times were about 60ms while the worst were about 90ms. What is important though is to note how *dramatically* the Query times were reduced once the address was in cache. Now also note that even over a wireless link, the round trip ping times to the server to receive the result were on the order of (time=0.692 ms).

So running an additional caching service on each local machine, in addition to the nameserver, would be an effort in futility. I would be interested to see what others see with dnsmasq (or other caching services) versus bind and also what initial and cached Query times you see with other DNS servers.

-- David C. Rankin, J.D.,P.E.
On 1/4/2014 3:33 PM, David C. Rankin wrote:
OpenDNS:
forwarders { 208.67.220.220; 208.67.222.222; 208.180.42.100; }; ;; Query time: 60.0 msec
forwarders { 208.67.222.222; 208.67.220.220; 208.180.42.100; }; ;; Query time: 74.4 msec
Interesting, this shows that there is often an advantage of swapping the order of the DNS servers and using the secondary, simply because it's usually less busy. Surprised Google was that slow.

--
---This space for rent---
On 2014-01-05 00:33, David C. Rankin wrote:
;; Query time: 2 msec
Let's see on my network. Using the router:

Elessar:~ # time host trinitydesktop.org 192.168.1.1
Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:

trinitydesktop.org has address 108.166.152.50

real 0m1.469s
user 0m0.006s
sys 0m0.004s
Elessar:~ #

More attempts:

real 0m0.481s
real 0m0.721s

Now, letting dnsmasq work:

Elessar:~ # time host trinitydesktop.org

real 0m1.175s
real 0m0.075s
real 0m0.302s
real 0m0.072s
real 0m0.076s
real 0m0.176s

So it appears my router does a lousy job; it does not cache anything, it seems. It asks my ISP, then, and my ISP takes about a second to answer.

Google is not better:

Elessar:~ # time host trinitydesktop.org 8.8.8.8

real 0m1.163s
real 0m0.858s
real 0m0.475s

OpenDNS:

Elessar:~ # time host trinitydesktop.org 208.67.220.220

real 0m1.011s
real 0m0.337s

You see, for me a local cache on my machine is a big, big advantage, because any external DNS query takes about a second with my ISP.

-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
On 01/04/2014 06:41 PM, Carlos E. R. wrote:
You see, for me a local cache on my machine is a big, big advantage, because any external DNS query takes about a second with my ISP.
Carlos, All,

For grins, I decided to see if I could get any further advantage running dnsmasq on my laptop:

 WAN                 LAN
----[router]---------[hub]---[rest of local subnet]
        |             |   \
 All but desired      |   bind/dhcpd/server
 Ports Blocked        |   authoritative/caching
                    laptop
                    dnsmasq

The results were pretty much as I expected. Again requesting resolution of trinitydesktop.org:

Setup:
nameserver: 127.0.0.1 added as 1st nameserver in resolv.conf
No entries in /etc/dnsmasq.conf
# dnsmasq -d

Results:

1st attempt, nothing in laptop cache:
01:23 alchemy:~> dig @127.0.0.1 trinitydesktop.org
<snip>
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

2nd attempt:
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

Without dnsmasq, I saw an average 2 msec Query time when the answer was in my local server cache (1 msec at times) across my wireless link. With dnsmasq, the average Query time was 1 msec when information was cached on my laptop.

However, reading a follow-up from Felix, it was noted that dnsmasq does provide additional flexibility to tailor ad-blocking on a per-machine basis using http://pgl.yoyo.org/adservers/ blocking lists (though you can also use a hosts file formatted list from the same site to accomplish almost the same thing with no dnsmasq running) -- and -- it gives an alternative to deploying the block subnet wide with their bind formatted file in my case.

Excellent thread - enjoyable and informative. Thanks to all.

-- David C. Rankin, J.D.,P.E.
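Felix asked up-thread for a convenient way to evaluate response times, and the dig and `time host` runs above do it by hand. The following script is an added example, not code from anyone in this thread: it sends a raw DNS A query, times the round trip, and reads the TTL from the answer (which the normal resolver call never exposes), so two consecutive queries show whether a cache is answering and how close it is. The resolver addresses are the ones compared in the thread; the router address 192.168.1.1 and the constructed reply used for the offline test are assumptions.

```python
import random
import socket
import struct
import time

# Assumed defaults: the resolvers compared in the thread plus a local cache.
# Edit for your own network; 192.168.1.1 is only a guess at the router.
RESOLVERS = {
    "router (assumed 192.168.1.1)": "192.168.1.1",
    "local dnsmasq/nscd (127.0.0.1)": "127.0.0.1",
    "OpenDNS": "208.67.220.220",
    "Google": "8.8.8.8",
}


def build_query(name, qid):
    """Build a minimal DNS query for an A record with recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 pointers); return (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2               # parsing resumes after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg, expected_id):
    """Return [(name, ipv4, ttl)] for the A records in a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch (unsolicited reply ignored)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return answers


def timed_query(server, name, send=None, timeout=2.0):
    """Send one A query to `server`; return (answers, round-trip milliseconds).

    `send` lets a test inject a fake responder; by default a UDP socket is used.
    """
    qid = random.randrange(0, 0x10000)
    query = build_query(name, qid)
    if send is None:
        def send(packet):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(packet, (server, 53))
                return sock.recv(4096)
    start = time.perf_counter()
    reply = send(query)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return parse_answers(reply, qid), elapsed_ms


def cache_report(server, name, send=None):
    """Query twice. A TTL that counts down between calls means some cache on the
    path is answering; the gap between first_ms and second_ms shows how near it is."""
    first, ms1 = timed_query(server, name, send)
    second, ms2 = timed_query(server, name, send)
    ttl1 = min((ttl for _, _, ttl in first), default=None)
    ttl2 = min((ttl for _, _, ttl in second), default=None)
    counting_down = ttl1 is not None and ttl2 is not None and ttl2 < ttl1
    return {"first_ms": ms1, "second_ms": ms2, "ttl_first": ttl1,
            "ttl_second": ttl2, "ttl_counting_down": counting_down}


if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        try:
            print(label, cache_report(ip, "trinitydesktop.org"))
        except (OSError, ValueError) as exc:
            print(label, "failed:", exc)
```

Run it a few times against each resolver; a second answer that arrives in a millisecond or two with a TTL below the first is the local cache at work, while a second answer that is just as slow as the first is a forwarder that caches nothing.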
On 2014-01-05 08:43, David C. Rankin wrote:
On 01/04/2014 06:41 PM, Carlos E. R. wrote:
;; Query time: 3 msec
2nd attempt:
;; Query time: 1 msec
The difference in my case is that the first attempt takes 1 second. My internet is much slower than yours - why exactly I would like to know: 1Mbit/s is slow, but not that much when it is idle for a simple query.
Excellent thread - enjoyable and informative. Thanks to all.
Indeed it is. I'm considering replacing bind with dnsmasq in my main system, it seems far easier to maintain. No need to keep direct and reverse zone files, for different zones. Just an /etc/hosts file...

-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
On 01/05/2014 05:53 AM, Carlos E. R. wrote:
I'm considering replacing bind with dnsmasq in my main system, it seems far easier to maintain. No need to keep direct and reverse zone files, for different zones. Just an /etc/hosts file...
Carlos, I've looked around a bit, but always stick with isc-bind & isc-dhcpd. While setup takes a bit of reading and making friends with TSIG keys, zone signing, etc.. -- for the most part it is automated such that once configured - it will run for years without any additional intervention. Also, suse generates the needed TSIG keys for you on install and provides the genDDNSkey script to automate generating any additional keys needed.

I was completely impressed with dnsmasq and easily see it being able to replace my bind/dhcp (with dynamic dns update) setup. Even providing equivalent to the isc-dhcpd host statement allowing hostname rewriting and address allocation based on mac address.

Maybe I'll play with it when I get a chance and see what the memory requirements are for each. isc bind/dhcpd configuration has gotten so dead-bang easy on new server installs for my little network, it really is just a 'dance with the one that brought you' case.

-- David C. Rankin, J.D.,P.E.
On 2014-01-07 07:48, David C. Rankin wrote:
Maybe I'll play with it when I get a chance and see what the memory requirements are for each. isc bind/dhcpd configuration has gotten so dead-bang easy on new server installs for my little network, it really is just a 'dance with the one that brought you' case.
I have bind running on this 12.3 setup. I have had it for ages. But I know I have errors on it, which I'm too lazy to correct. Each time I add a machine I have to edit two files (direct and reverse). Be careful with the timestamps. And then I see little inconsistencies which I try to correct, and there is always some little new mistake.

I have a virtual machine where I installed bind afresh, using the YaST module. But something went wrong and it doesn't work at all. The instructions on the openSUSE book, plus the YaST module online help are not clear enough. They assume you really know about zones and DNS and what each particular type of entry is for. And I don't, not really.

So it is a pending task.

And here comes DNSmasq. It is so easy! Just write an /etc/hosts file and off you go. No more zones, no direct, no reverse, no mismatches. No MX registers. No pointers. Nothing to do to it.

So... is the effort to insist on using bind worth it?

-- Cheers / Saludos, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
Carlos E. R. wrote:
On 2014-01-07 07:48, David C. Rankin wrote:
Maybe I'll play with it when I get a chance and see what the memory requirements are for each. isc bind/dhcpd configuration has gotten so dead-bang easy on new server installs for my little network, it really is just a 'dance with the one that brought you' case.
I have bind running on this 12.3 setup. I have had it for ages. But I know I have errors on it, which I'm too lazy to correct. Each time I add a machine I have to edit two files (direct and reverse). Be careful with the timestamps. And then I see little inconsistencies which I try to correct, and there is always some little new mistake.
I have a virtual machine where I installed bind afresh, using the YaST module. But something went wrong and it doesn't work at all. The instructions on the openSUSE book, plus the YaST module online help are not clear enough. They assume you really know about zones and DNS and what each particular type of entry is for. And I don't, not really.
So it is a pending task.
And here comes DNSmasq. It is so easy! Just write an /etc/hosts file and off you go. No more zones, no direct, no reverse, no mismatches. No MX registers. No pointers. Nothing to do to it.
So... is the effort to insist on using bind worth it?
It's fairly easily answered - if using bind is more effort and less or equal functionality, clearly not.

-- Per Jessen, Zürich (10.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2014-01-07 15:34, Per Jessen wrote:
Carlos E. R. wrote:
So... is the effort to insist on using bind worth it?
It's fairly easily answered - if using bind is more effort and less or equal functionality, clearly not.
I know. But does bind have features that are important enough to keep using it? -- Cheers / Saludos, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
Carlos E. R. wrote:
On 2014-01-07 15:34, Per Jessen wrote:
Carlos E. R. wrote:
So... is the effort to insist on using bind worth it?
It's fairly easily answered - if using bind is more effort and less or equal functionality, clearly not.
I know. But does bind have features that are important enough to keep using it?
I think only you yourself can answer that. You need to know your requirements and whether they are best satisfied by dnsmasq or bind. Personally speaking, I have had a working bind setup for years, it is hardly any effort maintaining it, I have no plans to switch to something else. I don't know dnsmasq at all, but to start with, if it doesn't serve zones, it's no good to me.

/Per

-- Per Jessen, Zürich (7.8°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2014-01-07 18:53, Per Jessen wrote:
Carlos E. R. wrote:
something else. I don't know dnsmasq at all, but to start with, if it doesn't serve zones, it's no good to me.
By default, what it does is read /etc/hosts. I have not read the entire documentation, so I don't know if there are more possible config files. -- Cheers / Saludos, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
On 01/07/2014 06:28 AM, Carlos E. R. wrote:
I have bind running on this 12.3 setup. I have had it for ages. But I know I have errors on it, which I'm too lazy to correct. Each time I add a machine I have to edit two files (direct and reverse). Be careful with the timestamps. And then I see little inconsistencies which I try to correct, and there is always some little new mistake.
No problem. They have these neat little tools that ship, like named-checkzone, named-checkconf, etc.. The slickest part about the setup is using dynamic update from dhcpd to keep your zones updated automagically when new devices plug in or connect wirelessly. Take for example all the wireless stuff that wants an address everyday, even at home it is a blessing. Example from the forward zone:

<snip>
$TTL 3600 ; 1 hour
davids-iPhone    A   192.168.6.110
                 TXT "31de32cd4c301bc6e6e8526f436b2118f6"
dcrgx            A   192.168.6.111
                 TXT "315bafb7bcb07998abd2a40f11eb09219c"
Deborahs-iPhone  A   192.168.6.122
                 TXT "31a5bf958f65a6efa478be2842c3f9b936"
iPhone           A   192.168.6.137
                 TXT "31de32cd4c301bc6e6e8526f436b2118f6"
Jordan-Rankin-1  A   192.168.6.144
                 TXT "31d202900ab3d104fe54191d6673301af1"
ripper           A   192.168.6.149
                 TXT "313f41f262462bc25dedb4fa3bb99bc318"
Sydney-Rankin    A   192.168.6.131
                 TXT "3112768425732e649608601ac373cfca0e"
Sydneys-iPad     A   192.168.6.147
                 TXT "313c6b00df734206b614790a9a4806fec8"
Sydneys-IPod     A   192.168.6.136
                 TXT "311da689704c4fb2be7d4edcaabc67107f"

Each of those are wired/wireless examples that requested an IP via dhcp. My server said OK, your MAC is in my allow filter, so here is your address, updated both forward and reverse zones and then signed the zone. Never had to touch a thing.

And for those times when you add a host on a static IP, or assign it a non-changing IP via dhcpd, then simply issue "rndc freeze" to suspend dynamic updates (this conveniently forces the journal cache to be written to the zones), use vi to make needed changes in the zones (increment serial by 1 also), then simply "rndc thaw" and you are done. Literally makes adding new dhcp devices to your network plug-n-play, your zones are automatically and securely updated :-)
I have a virtual machine where I installed bind afresh, using the YaST module. But something went wrong and it doesn't work at all. The instructions on the openSUSE book, plus the YaST module online help are not clear enough. They assume you really know about zones and DNS and what each particular type of entry is for. And I don't, not really.
So it is a pending task.
Piece of cake, 99.9% of the diagnosis is

# named-checkzone zonename filename

real-world:

[03:23 nemesis:/home/david] # named-checkzone rlfpllc.com /var/lib/named/dyn/rlfpllc.com
zone rlfpllc.com/IN: loaded serial 2013113017
OK

If there is an issue with the zone file, it will flag it and you can fix it long before you issue rcnamed start or systemctl start named.service
And here comes DNSmasq. It is so easy! Just write an /etc/hosts file and off you go. No more zones, no direct, no reverse, no mismatches. No MX registers. No pointers. Nothing to do to it.
So... is the effort to insist on using bind worth it?
I see the allure... I would still need to do a bit more digging to see if dnsmasq can facilitate backup DNS handling like named does, but so far it looks pretty good.

-- David C. Rankin, J.D.,P.E.
Greg Freemyer wrote:
To the best of my knowledge, if a website has 20 images on it referenced by hostname, then the browser will do a DNS lookup for each of those 20. If you're not running a caching DNS server either on that box itself or on your lan somewhere, then those 20 queries have to go out to the DNS server you're using. At normal ISP speeds, that can add up.
Isn't a DNS cache included in the browser or operating system already?
James Knott wrote:
Isn't a DNS cache included in the browser or operating system already?
Check nscd. It's used in openSUSE for name server caching. man nscd for details. Firefox also has a DNS cache. So, using a caching DNS server won't provide much improvement for a single computer.
James Knott wrote:
James Knott wrote:
Isn't a DNS cache included in the browser or operating system already?
Check nscd. It's used in openSUSE for name server caching. man nscd for details. Firefox also has a DNS cache. So, using a caching DNS server won't provide much improvement for a single computer.
Yep, I agree. Perhaps it's worth mentioning that nscd did have some issues a couple/few years ago, but it's been running quite stable for a while now.

-- Per Jessen, Zürich (5.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Thu, Jan 2, 2014 at 10:20 PM, James Knott <james.knott@rogers.com> wrote:
James Knott wrote:
Isn't a DNS cache included in the browser or operating system already?
Check nscd. It's used in openSUSE for name server caching. man nscd for details. Firefox also has a DNS cache. So, using a caching DNS server won't provide much improvement for a single computer.
slightly OT:

I just used wireshark to watch chrome page refresh with Windows 7. I happened to have susestudio open on a page with no advertising and few graphics. The result was 4 outbound DNS queries for susestudio.com to my DNS server in 3 seconds. So chrome v31 does not cache DNS even during a single page refresh. And neither does Windows 7.

I repeated the test with firefox, and I got no DNS queries for susestudio.com, so it does seem to cache internally.

Thus anyone with Windows 7 / Chrome as part of their local LAN should realize they are pounding their DNS server heavily. If that DNS server is 10 or 20 milliseconds away, a heavily graphic'ed webpage could be slowed down a second or two just making the DNS queries.

I'm using my ISP's DNS server on that windows laptop and it is taking about 20 millisecs to respond to a DNS query.

Greg
Greg Freemyer wrote:
On Thu, Jan 2, 2014 at 10:20 PM, James Knott <james.knott@rogers.com> wrote:
James Knott wrote:
Isn't a DNS cache included in the browser or operating system already?
Check nscd. It's used in openSUSE for name server caching. man nscd for details. Firefox also has a DNS cache. So, using a caching DNS server won't provide much improvement for a single computer.
slightly OT:
I just used wireshark to watch chrome page refresh with Windows 7. I happened to have susestudio open on a page with no advertising and few graphics. The result was 4 outbound DNS queries for susestudio.com to my DNS server in 3 seconds. So chrome v31 does not cache DNS even during a single page refresh.
An application really should not be caching, it should leave that to nscd or a caching dns.

-- Per Jessen, Zürich (7.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Per Jessen said the following on 01/03/2014 11:43 AM:
An application really should not be caching, it should leave that to nscd or a caching dns.
Let me tout the "Context is Everything" point once again.

Yes you are right, in certain contexts. Such as folks like us doing general computing using a variety of applications that make demands on network services.

But in other contexts you are wrong, dead wrong. The most obvious of these is the netbook/chromebook where the browser is the system; there is no other application to share the DNS results.

And let's face it, a lot of users are not like us; they live in the browser even when they are using some variety of Windows. They live on Facebook, or one friend I have lives in eBay, using only the eBay internal mail. That's his 'context'. No point sending him e-mail as smtp or gmail, he doesn't have an account and wouldn't know how to read it.

Such people live in the browser. For them Windows and Linux are irrelevant. Swap out their PC for a Chromebook that boots 'instantly' from the SSD and they will see it as an improvement.

Even some people here live on gmail and I wonder if they use a non-web-browser mail user interface.

--
"Excellent!" I cried. "Elementary," said he.
-- Watson and Sherlock Holmes, in "The Adventure of the Crooked Man"
Anton Aylward wrote:
Per Jessen said the following on 01/03/2014 11:43 AM:
An application really should not be caching, it should leave that to nscd or a caching dns.
Let me tout the "Context is Everything" point once again.
Yes you are right, in certain contexts. Such as folks like us doing general computing using a variety of applications that make demands on network services.
Well, I did say "should not", not "must not" :-)
But in other contexts you are wrong, dead wrong. The most obvious of these is the netbook/chromebook where the browser is the system; there is no other application to share the DNS results.
I don't quite see how that makes my point "dead wrong". Honestly. Multiple threads might benefit from sharing a dns cache, but it's not so much about the sharing. It's simply that an application really ought to leave it to the system to cache DNS results. For instance, an application using the regular resolver (via getaddrinfo) will not have access to the TTL, whereas nscd does. What the overall system is being used for (browsing, playing solitaire or whatever) is less relevant.

-- Per Jessen, Zürich (7.0°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2014-01-03 17:43 (GMT+0100) Per Jessen composed:
An application really should not be caching, it should leave that to nscd or a caching dns.
Or? I have dnsmasq running. Should I turn off nscd?

-- Felix Miata *** http://fm.no-ip.com/
Felix Miata wrote:
Or? I have dnsmasq running. Should I turn off nscd?
I don't know that having multiple caches will hurt, unless one is caching longer than the TTL to the point it has stale data.
On 1/3/2014 10:25 AM, James Knott wrote:
Felix Miata wrote:
Or? I have dnsmasq running. Should I turn off nscd?
I don't know that having multiple caches will hurt, unless one is caching longer than the TTL to the point it has stale data.
Even a "stale" cache is probably good enough in the case of monster big sites using round-robin dns schemes and very short TTLs. Those sites are still likely to have all those servers running.

In a sense such sites pervert the whole concept of DNS by using it to load balance by round-robin. I'm NOT convinced it should be the remote client's job to query dns for every page part simply because the site wants to balance load. Any caching by your own browser or your in-house nscd, or your ISP's DNS server is going to undo the web site's round robin via DNS anyway.

--
---This space for rent---
John, et al --

...and then John Andersen said...
% ...
% I'm NOT convinced it should be the remote client's job to
% query dns for every page part simply because the site wants
% to balance load. Any caching by your own browser or your
[snip]

I am QUITE convinced that it should not be the client's job; that's why there are load balancers that present multiple instances behind one IP. I *might* be open to the concept of regional addressing, but only if the case is made very eloquently. I've very much enjoyed this thread :-) Happy New Year :-D

-- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
David T-G said the following on 01/03/2014 03:32 PM:
I am QUITE convinced that it should not be the client's job; that's why there are load balancers that present multiple instances behind one IP.
That would require one and only one pipe into the service. For many high volume services that is unacceptable. In addition, many services separate out different types of content.
I *might* be open to the concept of regional addressing, but only if the case is made very eloquently.
Regional addressing as in "if the requester is in Europe have them served from a server that is electrically situated near them rather than making every transaction go all the way across the Atlantic to the USA." Actually if I query google for google.com I end up getting served by google.ca :-) And I'm not even French! It's no 'eloquence' we've been discussing so much as speed of response.
John Andersen wrote:
Any caching by your own browser or your in-house nscd, or your ISP's DNS server is going to undo the web site's round robin via DNS anyway.
Perhaps for your own access, but what about the next guy who winds up on a different server, as intended?
James Knott 01/03/14 3:50 PM >>>
John Andersen wrote:
Any caching by your own browser or your in-house nscd, or your ISP's DNS server is going to undo the web site's round robin via DNS anyway.
Perhaps for your own access, but what about the next guy who winds up on a different server, as intended?
Or, if one of the address is inaccessible, the client *should* pick one of the other addresses automatically. Before we were able to purchase a Barracuda on campus, we just used DNS round-robin to let the client randomly pick one of the three nodes in our Tomcat cluster; if the node it chose was down for some reason, the client would automatically hop over to one of the other addresses.
On 1/3/2014 1:53 PM, Christopher Myers wrote:
Or, if one of the address is inaccessible, the client *should* pick one of the other addresses automatically.
Before we were able to purchase a Barracuda on campus, we just used DNS round-robin to let the client randomly pick one of the three nodes in our Tomcat cluster; if the node it chose was down for some reason, the client would automatically hop over to one of the other addresses.
But DNS serves up exactly one IP address (to the best of my knowledge). Customized applications might allow you to remember additional addresses; in my day job, we develop a load balanced application server for a custom application, and we provide the option of fail-over to any of the farm servers should the principal server be down. But AFAIK, DNS just serves one. This presents a problem for busy web sites if the machine sitting at the address served up by DHCP crashes. There are off-site services that take care of this for you such as (picked at random) http://www.dnsmadeeasy.com/services/dns-failover-system-monitoring/ and usually these solutions have the ability to load balance for you not by using DNS. Amazon offers both fail-over and load-balance for their "route 53" product line: http://aws.typepad.com/aws/2013/05/amazon-route-53-elb-integration-dns-failo... -- _____________________________________ ---This space for rent---
John Andersen 01/03/14 4:38 PM >>>
On 1/3/2014 1:53 PM, Christopher Myers wrote:
But DNS serves up exactly one IP address (to the best of my knowledge).
Hmm, when we set up the round-robin entries

    wacluster IN A 216.125.123.66
    wacluster IN A 216.125.123.67

it would return multiple values:

    mucolo:/ # nslookup wacluster.millikin.edu
    Server:         208.34.148.12
    Address:        208.34.148.12#53

    Non-authoritative answer:
    Name:   wacluster.millikin.edu
    Address: 216.125.123.67
    Name:   wacluster.millikin.edu
    Address: 216.125.123.66

(We just have two nodes in the cluster visible currently, the third one isn't included in the round-robin.)
Christopher Myers wrote:
Hmm, when we set up the round-robin entries
    wacluster IN A 216.125.123.66
    wacluster IN A 216.125.123.67
it would return multiple values:
But wouldn't that just be different addresses handed out to separate requests? So, one person would get .66 and the next .67.
James Knott 01/03/14 5:01 PM >>>
Christopher Myers wrote:
Hmm, when we set up the round-robin entries
    wacluster IN A 216.125.123.66
    wacluster IN A 216.125.123.67
it would return multiple values:
But wouldn't that just be different addresses handed out to separate requests? So, one person would get .66 and the next .67.
Actually, everyone gets both; the device picks which one to use, which is what allows it to randomly balance or fail over to the other address if the one it picks isn't responding. (Mind you, it's not perfect, since a 404 or 500 error is still "responding," which is why a real load balancer is better.) If you want to give it a shot, do an nslookup for that host address (wacluster.millikin.edu) and it should give you both addresses.
Christopher Myers wrote:
If you want to give it a shot, do an nslookup for that host address (wacluster.millikin.edu) and it should give you both addresses.
I just watched with Wireshark as I pinged www.google.com. The reply contained 6 "answers", each a different address, with a TTL of 2m 11s.
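What Wireshark showed in the reply above, taken apart programmatically. This is an added example, not code from the thread: a small bounds-checked parser for the answer section of a DNS response in wire format that pulls out every IN A record together with its TTL, which is exactly the information an application-level cache would need and the libc resolver does not hand back. The sample reply is constructed for this example (it reuses the wacluster.millikin.edu addresses and the 131-second TTL mentioned in the thread, but is not a captured packet); parse_a_answers, min_ttl and struct a_record are this example's own names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One A record pulled out of the answer section. */
struct a_record { uint8_t ip[4]; uint32_t ttl; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Step over a domain name at offset off (labels or a compression pointer).
 * Returns the offset just past the name, or -1 if the name runs off the message. */
static long skip_name(const uint8_t *msg, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0)
            return (long)(off + 1);
        if ((l & 0xC0) == 0xC0)                       /* pointer: two bytes, ends the name */
            return (off + 1 < len) ? (long)(off + 2) : -1;
        if (l & 0xC0)
            return -1;                                /* reserved label type */
        off += 1 + l;
    }
    return -1;
}

/* Walk the answer section of a DNS response and collect IN A records with their
 * TTLs. Every read is checked against len, so a truncated or hostile message
 * yields -1 instead of an out-of-bounds read. Answers of other types (AAAA, MX,
 * CNAME) are skipped. Returns the number of records stored. */
int parse_a_answers(const uint8_t *msg, size_t len, struct a_record *out, size_t max)
{
    if (len < 12 || !(msg[2] & 0x80))                 /* full header, and QR=1 (a response) */
        return -1;
    uint16_t qdcount = rd16(msg + 4), ancount = rd16(msg + 6);
    size_t off = 12, n = 0;
    for (uint16_t i = 0; i < qdcount; i++) {           /* question: name + QTYPE + QCLASS */
        long p = skip_name(msg, len, off);
        if (p < 0 || (size_t)p + 4 > len)
            return -1;
        off = (size_t)p + 4;
    }
    for (uint16_t i = 0; i < ancount; i++) {           /* RR: name + 10 fixed bytes + RDATA */
        long p = skip_name(msg, len, off);
        if (p < 0 || (size_t)p + 10 > len)
            return -1;
        off = (size_t)p;
        uint16_t type = rd16(msg + off), cls = rd16(msg + off + 2), rdlen = rd16(msg + off + 8);
        uint32_t ttl = rd32(msg + off + 4);
        off += 10;
        if (rdlen > len - off)
            return -1;                                 /* RDATA truncated */
        if (type == 1 && cls == 1 && rdlen == 4 && n < max) {
            memcpy(out[n].ip, msg + off, 4);
            out[n].ttl = ttl;
            n++;
        }
        off += rdlen;
    }
    return (int)n;
}

/* A cache may keep the whole answer set only as long as its shortest TTL. */
uint32_t min_ttl(const struct a_record *recs, int n)
{
    uint32_t t = UINT32_MAX;
    for (int i = 0; i < n; i++)
        if (recs[i].ttl < t)
            t = recs[i].ttl;
    return n > 0 ? t : 0;
}

/* Constructed sample (not a capture): a response for wacluster.millikin.edu carrying
 * the two A records from the thread, TTL 0x83 = 131 s, i.e. the 2m11s seen in Wireshark.
 * Header: id 0x1234, flags 0x8180 (QR, RD, RA), QDCOUNT 1, ANCOUNT 2. */
const uint8_t sample_reply[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    9, 'w','a','c','l','u','s','t','e','r', 8, 'm','i','l','l','i','k','i','n', 3, 'e','d','u', 0,
    0x00, 0x01, 0x00, 0x01,                           /* QTYPE A, QCLASS IN */
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x83, 0x00, 0x04, 216, 125, 123, 66,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x83, 0x00, 0x04, 216, 125, 123, 67,
};
const size_t sample_reply_len = sizeof sample_reply;

int main(void)
{
    struct a_record recs[16];
    int n = parse_a_answers(sample_reply, sample_reply_len, recs, 16);
    for (int i = 0; i < n; i++)
        printf("A %u.%u.%u.%u ttl=%u\n", recs[i].ip[0], recs[i].ip[1], recs[i].ip[2], recs[i].ip[3], recs[i].ttl);
    printf("%d answers, cacheable for %u s\n", n, min_ttl(recs, n));
    return n < 0;
}
```

The same routine can be pointed at the payload of any UDP port 53 reply captured with tcpdump; the compression pointer in each answer name (0xC00C) points back at the question name, which is why the parser only has to step over it rather than expand it.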
On 1/3/2014 3:05 PM, Christopher Myers wrote:
Actually, everyone gets both; the device picks which one to use, which is what allows it to randomly balance or fail over to the other address if the one it picks isn't responding. (Mind you, it's not perfect, since a 404 or 500 error is still "responding," which is why a real load balancer is better.)
Are you sure? For instance, a PING wacluster.millikin.edu alternated between 67 and 66 upon each startup. (They all fail). So it appears your system is handing out one address only, and switches between the two. I haven't figured out the nslookup arguments that make exact same request as a simple DNS request. -- _____________________________________ ---This space for rent---
John Andersen said the following on 01/03/2014 06:17 PM:
On 1/3/2014 3:05 PM, Christopher Myers wrote:
Actually, everyone gets both; the device picks which one to use, which is what allows it to randomly balance or fail over to the other address if the one it picks isn't responding. (Mind you, it's not perfect, since a 404 or 500 error is still "responding," which is why a real load balancer is better.)
Are you sure?
Well *I* am sure. As I said, look at GETHOSTBYNAME(3)
For instance, a PING wacluster.millikin.edu alternated between 67 and 66 upon each startup. (They all fail). So it appears your system is handing out one address only, and switches between the two.
No. It gets both when it calls GETHOSTBYNAME but has to choose one to use. Or rather one to use _first_.
I havent figured out the nslookup arguments that make exact same request as a simple DNS request.
What do you mean by that? An application makes a 'simple' request using GETHOSTBYNAME(3). Check the man page and you'll see that returns a *list* of addresses. The application, even 'ping', has to pick one. If it fails - time-out or error - then try the next on the list. Or whatever algorithm the application chooses. 'nslookup' returns the same list. What's the problem here?
John Andersen said the following on 01/03/2014 05:38 PM:
But DNS serves up exactly one IP address (to the best of my knowledge).
No it doesn't. Look at the example James Knott and I have given. The output of HOST:

    $ host google.com
    google.com has address 74.125.226.132
    google.com has address 74.125.226.135
    google.com has address 74.125.226.142
    google.com has address 74.125.226.131
    google.com has address 74.125.226.129
    google.com has address 74.125.226.128
    google.com has address 74.125.226.133
    google.com has address 74.125.226.130
    google.com has address 74.125.226.137
    google.com has address 74.125.226.134
    google.com has address 74.125.226.136
    google.com has IPv6 address 2607:f8b0:400b:80b::100e
    google.com mail is handled by 40 alt3.aspmx.l.google.com.
    google.com mail is handled by 30 alt2.aspmx.l.google.com.
    google.com mail is handled by 10 aspmx.l.google.com.
    google.com mail is handled by 20 alt1.aspmx.l.google.com.
    google.com mail is handled by 50 alt4.aspmx.l.google.com.

or the output of DIG

    $ dig google.com

    ; <<>> DiG 9.9.3-P2 <<>> google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27199
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 5

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;google.com.                    IN      A

    ;; ANSWER SECTION:
    google.com.             218     IN      A       74.125.226.131
    google.com.             218     IN      A       74.125.226.133
    google.com.             218     IN      A       74.125.226.142
    google.com.             218     IN      A       74.125.226.128
    google.com.             218     IN      A       74.125.226.134
    google.com.             218     IN      A       74.125.226.135
    google.com.             218     IN      A       74.125.226.137
    google.com.             218     IN      A       74.125.226.132
    google.com.             218     IN      A       74.125.226.129
    google.com.             218     IN      A       74.125.226.130
    google.com.             218     IN      A       74.125.226.136

    ;; AUTHORITY SECTION:
    google.com.             49972   IN      NS      ns1.google.com.
    google.com.             49972   IN      NS      ns3.google.com.
    google.com.             49972   IN      NS      ns4.google.com.
    google.com.             49972   IN      NS      ns2.google.com.

    ;; ADDITIONAL SECTION:
    ns1.google.com.         222772  IN      A       216.239.32.10
    ns2.google.com.         222772  IN      A       216.239.34.10
    ns3.google.com.         222772  IN      A       216.239.36.10
    ns4.google.com.         222772  IN      A       216.239.38.10

illustrates this.

If you look at the man page for GETHOSTBYNAME(3) you'll see that it returns a LIST of addresses. The structure is:

    struct hostent {
        char  *h_name;            /* official name of host */
        char **h_aliases;         /* alias list */
        int    h_addrtype;        /* host address type */
        int    h_length;          /* length of address */
        char **h_addr_list;       /* list of addresses */
    }

and the man page says

    h_addr_list
        An array of pointers to network addresses for the host (in network byte order), terminated by a NULL pointer.

Given that list, the application can pick and choose. At any point in time the server's DNS can return a subset of the possible addresses - as shown by the differences between my earlier post and James' earlier post. How the application picks and chooses is entirely up to the application.

What happens BEHIND these interfaces that google, yahoo and others present is another matter, and they have published a number of papers on this and how they have tried out different approaches. But essentially there is another 'crossbar switch' and another layer of load balancing. How it works ... probably changes as new technology comes along and new ideas are formulated.

I'll grant you that some sites, like my own little site, do have just one address.

    $ host www.antonaylward.com
    www.antonaylward.com has address 66.33.210.248

Yes, that's it. But it's not as if I get a lot of traffic :-)

-- "You may have to fight a battle more than once to win it." -- Margaret Thatcher
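Anton's point about h_addr_list, as an added example in code (not the thread's own): the caller walks the list the resolver returns and falls back to the next address when one fails, which is all the "failover" that a round-robin record gives a client. It uses getaddrinfo(3), the current replacement for gethostbyname(3) that Per mentioned earlier, so it goes through the same libc resolver that nscd sits behind. connect_any, try_connect, try_simulated, build_list, free_list and addr_text are this example's own names; try_simulated and build_list exist only so the selection logic can be exercised offline (AI_NUMERICHOST means no DNS query is sent), and the localhost:22 default in main is an assumption for the stand-alone run.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* An attempt callback returns 0 when the address worked, -1 otherwise. */
typedef int (*attempt_fn)(const struct addrinfo *ai, void *ctx);

/* Walk the resolver's list in order and stop at the first usable address.
 * Returns that address's index in the list, or -1 when every address failed.
 * *tried (optional) receives the number of addresses attempted. */
int connect_any(const struct addrinfo *list, attempt_fn attempt, void *ctx, int *tried)
{
    int idx = 0;
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next, idx++) {
        if (tried != NULL)
            *tried = idx + 1;
        if (attempt(ai, ctx) == 0)
            return idx;
    }
    return -1;
}

/* Real attempt: a blocking TCP connect (a dead host can take the kernel's connect
 * timeout to fail). On success the connected fd is stored in *(int *)ctx. */
int try_connect(const struct addrinfo *ai, void *ctx)
{
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
        *(int *)ctx = fd;
        return 0;
    }
    if (fd >= 0)
        close(fd);
    return -1;
}

/* Offline stand-in for try_connect: the first fail_count addresses are "down". */
struct sim_ctx { int fail_count; int calls; };

int try_simulated(const struct addrinfo *ai, void *ctx)
{
    (void)ai;
    struct sim_ctx *s = ctx;
    return (s->calls++ < s->fail_count) ? -1 : 0;
}

/* Build an addrinfo chain from literal IPs, shaped like what the resolver hands
 * back for a round-robin name. AI_NUMERICHOST guarantees no DNS query is sent. */
struct addrinfo *build_list(const char *const *addrs, size_t n, const char *port)
{
    struct addrinfo hints, *head = NULL, *tail = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    for (size_t i = 0; i < n; i++) {
        struct addrinfo *res = NULL;
        if (getaddrinfo(addrs[i], port, &hints, &res) != 0)
            continue;                       /* skip anything that is not a literal */
        if (head == NULL) head = res; else tail->ai_next = res;
        for (tail = res; tail->ai_next != NULL; tail = tail->ai_next) ;
    }
    return head;
}

/* Free a chain node by node (safe for lists spliced together by build_list). */
void free_list(struct addrinfo *list)
{
    while (list != NULL) {
        struct addrinfo *next = list->ai_next;
        list->ai_next = NULL;
        freeaddrinfo(list);
        list = next;
    }
}

/* Numeric text form of a node's address, e.g. "216.125.123.66". */
const char *addr_text(const struct addrinfo *ai, char *buf, size_t buflen)
{
    int rc = getnameinfo(ai->ai_addr, ai->ai_addrlen, buf, (socklen_t)buflen,
                         NULL, 0, NI_NUMERICHOST);
    return rc == 0 ? buf : "?";
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost", *port = argc > 2 ? argv[2] : "22";
    struct addrinfo hints, *list = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(host, port, &hints, &list);   /* libc resolver: nscd-aware */
    if (rc != 0) { fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc)); return 1; }
    int fd = -1, tried = 0, idx = connect_any(list, try_connect, &fd, &tried);
    char buf[INET6_ADDRSTRLEN];
    const struct addrinfo *ai = list;
    for (int i = 0; i < idx; i++) ai = ai->ai_next;
    if (idx < 0) printf("%s: all %d address(es) failed\n", host, tried);
    else { printf("%s: connected to %s after %d attempt(s)\n", host, addr_text(ai, buf, sizeof buf), tried); close(fd); }
    freeaddrinfo(list);
    return idx < 0;
}
```

Run it as ./a.out some.host 80 to watch which of the returned addresses a fresh process ends up on; the order in the list is whatever the resolver (and any cache in front of it) handed back, so two runs a minute apart can start at different addresses, which is the round-robin effect discussed in this thread.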
On 1/3/2014 1:50 PM, James Knott wrote:
John Andersen wrote:
Any caching by your own browser or your in-house nscd, or your ISP's DNS server is going to undo the web site's round robin via DNS anyway.
Perhaps for your own access, but what about the next guy who winds up on a different server, as intended?
As others have mentioned, that should be taken care of internally by the website. It's not exactly a new concept, that's been around quite a while. -- _____________________________________ ---This space for rent---
John Andersen said the following on 01/03/2014 03:21 PM:
Even a "stale" cache is probably good enough in the case of monster big sites using round-robin dns schemes and very short TTLs. Those sites are still likely to have all those servers running.
Indeed. Look back and you'll see that the set of sites I found using DIG and the set of sites James Knott found were slightly different, just a few minutes apart and even though he's just a few miles down the road from me. That's round robin for you :-( But I could equally well ignore the TTL on the sites I found and use those same records half an hour, half a day later. The site will still be there. From my POV it doesn't matter. From the POV of Yahoo, Google or Amazon it DOES matter. They need to balance the load across not only their servers but also across the incoming pipes.
In a sense such sites pervert the whole concept of DNS by using it to load balance by round-robin.
In just the same way RFC1918 addresses pervert the whole concept of peer-to-peer addressing that is the basis of the Internet. But sometimes accommodations are needed to get acceptable performance.
Felix Miata wrote:
On 2014-01-03 17:43 (GMT+0100) Per Jessen composed:
An application really should not be caching, it should leave that to nscd or a caching dns.
Or? I have dnsmasq running. Should I turn off nscd?
I guess dnsmasq qualifies as a caching dns? I am not familiar with it. -- Per Jessen, Zürich (7.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 01/03/2014 12:12 PM, Felix Miata wrote:
On 2014-01-03 17:43 (GMT+0100) Per Jessen composed:
An application really should not be caching, it should leave that to nscd or a caching dns.
Or? I have dnsmasq running. Should I turn off nscd?
It is really de minimis. Even over slow wireless your ping time to a caching server is on the order of 2/3 millisecond. The cache query time itself is 2-3 milliseconds. Whether you run a nscd or a browser cache, you are only saving at most a millisecond. If you have a caching nameserver, there is no need for another cache; if you don't have a local caching nameserver, then of course cache on your local machine.

Now there is a HUGE question about how much latency develops in a "browser cache" as the number of files or cache size grows. That could cause a "browser cache" to be interjecting additional delay just to read its own cache. I have not tested, but I doubt the sqlite3 type cache structure of FF compares to the speed of bind. I suspect a nscd type cache is more efficient than a FF cache, so you may be better off disabling your browser cache if you have another local caching service, so long as you can tell your browser to use the external cache (that in itself may/may not be possible).

As pointed out, a browser cache does absolutely nothing for all of the remaining apps that need address resolution. That is where a standard caching setup such as bind, etc. can eliminate a lot of "gee, I wonder" questions regarding this topic. As long as you never see a "looking up host" message from any of your applications, how you do it is largely irrelevant. If I'm going to invest the time to set up a caching solution, I want to ensure it is spent on a long term reliable solution.

-- David C. Rankin, J.D.,P.E.
On 2014-01-03 04:20, James Knott wrote:
James Knott wrote:
Isn't a DNS cache included in the browser or operating system already?
Check nscd. It's used in openSUSE for name server caching. man nscd for details.
No, it doesn't. It caches the hosts file.

    Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.

-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
Carlos E. R. wrote:
No, it doesn't. It caches the hosts file.
Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.
Read http://prefetch.net/blog/index.php/2011/03/27/configuring-nscd-to-cache-dns-... and then take a look at /etc/nscd.conf. On my system, the positive-time-to-live is 3600.
Carlos E. R. wrote:
On 2014-01-03 04:20, James Knott wrote:
James Knott wrote:
Isn't a DNS cache included in the browser or operating system already?
Check nscd. It's used in openSUSE for name server caching. man nscd for details.
No, it doesn't. It caches the hosts file.
Yes it does. See your own quote:
Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.
^^^^^^^^^^^^^^^ -- Per Jessen, Zürich (5.8°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2014-01-04 12:27, Per Jessen wrote:
Carlos E. R. wrote:
Check nscd. It's used in openSUSE for name server caching. man nscd for details.
No, it doesn't. It caches the hosts file.
Yes it does. See your own quote:
Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.
^^^^^^^^^^^^^^^
I understand it means that it uses that function, yes, but only the hosts database is cached. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
On Sat, Jan 4, 2014 at 9:35 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2014-01-04 12:27, Per Jessen wrote:
Carlos E. R. wrote:
Check nscd. It's used in openSUSE for name server caching. man nscd for details.
No, it doesn't. It caches the hosts file.
Yes it does. See your own quote:
Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.
^^^^^^^^^^^^^^^
I understand it means that it uses that function, yes, but only the hosts database is cached.
Carlos, I agree that man page is horrible, but per other searches it does cache dns queries. I just installed nscd for the first time (seems like it should be part of the default install since it is useful in web browsing). Browsing with firefox I see the "hosts cache" growing, but there are no cache hits. I guess that confirms that firefox is caching internally. Greg
Greg Freemyer wrote:
Browsing with firefox I see the "hosts cache" growing, but there are no cache hits. I guess that confirms that firefox is caching internally.
I wonder if firefox does asynchronous DNS lookups, it would make a lot of sense. If so, firefox almost certainly doesn't use the libc calls. -- Per Jessen, Zürich (5.7°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Greg Freemyer wrote:
I just installed nscd for the first time (seems like it should be part of the default install since it is useful in web browsing).
I think it _is_ part of the default install. I don't remember having to explicitly select nscd. -- Per Jessen, Zürich (5.5°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Sat, Jan 4, 2014 at 10:43 AM, Per Jessen <per@computer.org> wrote:
Greg Freemyer wrote:
I just installed nscd for the first time (seems like it should be part of the default install since it is useful in web browsing).
I think it _is_ part of the default install. I don't remember having to explicitly select nscd.
My install is not "default" so I am probably wrong. In my case I had to zypper in / rcnscd start; Greg
On 2014-01-04 16:18, Greg Freemyer wrote:
On Sat, Jan 4, 2014 at 9:35 AM, Carlos E. R. <> wrote:
I understand it means that it uses that function, yes, but only the hosts database is cached.
Carlos,
I agree that man page is horrible, but per other searches it does cache dns queries.
:-? Dunno.
I just installed nscd for the first time (seems like it should be part of the default install since it is useful in web browsing).
It is installed here, and running. I did not do it myself. It is a fresh 13.1 install.
Browsing with firefox I see the "hosts cache" growing, but there are no cache hits. I guess that confirms that firefox is caching internally.
Well, that's interesting. I have noticed that when I do a simple google search with my smartphone, and loading some pages, it is very slow, absurdly so. The transferred data is not that big. Part of the issue could be DNS, perhaps seconds per query. The default internet browser (not firefox) in that Samsung must be pretty small. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
Greg Freemyer wrote:
I just installed nscd for the first time (seems like it should be part of the default install since it is useful in web browsing).
It's installed on all my systems here (2 x 13.1 & 1 x 11.4). I have never had to install it.
Carlos E. R. wrote:
On 2014-01-04 12:27, Per Jessen wrote:
Carlos E. R. wrote:
Check nscd. It's used in openSUSE for name server caching. man nscd for details.
No, it doesn't. It caches the hosts file.
Yes it does. See your own quote:
Nscd provides caching for accesses of the passwd(5), group(5), and hosts(5) databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.
^^^^^^^^^^^^^^^
I understand it means that it uses that function, yes, but only the hosts database is cached.
You are mistaken, I assure you. You can convince yourself with this simple test:

In a console, run a tcpdump on your outgoing interface and port 53:

    tcpdump -n -i eth0 port 53

Open a second window and ping -c1 www.dns24.ch (or any other host). Check tcpdump and you'll see the outgoing query.

Do another ping:

    ping -c1 www.dns24.ch

Now notice no outgoing DNS traffic.

If you want to be certain 'nscd' is doing the caching, stop it, then repeat the exercise and notice outgoing DNS traffic on every ping command.

-- Per Jessen, Zürich (5.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2014-01-04 16:24, Per Jessen wrote:
Carlos E. R. wrote:
Now notice no outgoing DNS traffic.
If you want to be certain 'nscd' is doing the caching, stop it, then repeat the exercise and notice outgoing DNS traffic on every ping command.
It would not work in any of my systems, I have always set a DNS cache server. Previously I used bind, now I use dnsmasq. I would have to disable that and reconfigure my network. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
Carlos E. R. wrote:
On 2014-01-04 16:24, Per Jessen wrote:
Carlos E. R. wrote:
Now notice no outgoing DNS traffic.
If you want to be certain 'nscd' is doing the caching, stop it, then repeat the exercise and notice outgoing DNS traffic on every ping command.
It would not work in any of my systems, I have always set a DNS cache server. Previously I used bind, now I use dnsmasq.
I would have to disable that and reconfigure my network.
Hmm, without knowing your config, you still ought to be able to see/tcpdump the DNS traffic somewhere. If dnsmasq is accessed via 127.0.0.1, just run tcpdump on 'lo'. If dnsmasq doesn't run locally, run tcpdump on whichever interface is used to access it. -- Per Jessen, Zürich (6.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 1/4/2014 9:22 AM, Per Jessen wrote:
Carlos E. R. wrote:
On 2014-01-04 16:24, Per Jessen wrote:
Carlos E. R. wrote:
Now notice no outgoing DNS traffic.
If you want to be certain 'nscd' is doing the caching, stop it, then repeat the exercise and notice outgoing DNS traffic on every ping command.
It would not work in any of my systems, I have always set a DNS cache server. Previously I used bind, now I use dnsmasq.
I would have to disable that and reconfigure my network.
Hmm, without knowing your config, you still ought to be able to see/tcpdump the DNS traffic somewhere. If dnsmasq is accessed via 127.0.0.1, just run tcpdump on 'lo'.
If dnsmasq doesn't run locally, run tcpdump on whichever interface is used to access it.
Carlos's point is that nscd might not be doing the caching on his network because he is explicitly running some other services to handle this, and therefore his results would prove nothing about nscd. I don't think he meant that the actual commands wouldn't work. Your tests work for me, but I too have no idea who is doing this caching, as nscd -g shows no difference comparing before or after, and cache hit rate remains 0. I run bind as well, on my gateway box, so it might be in there. -- _____________________________________ ---This space for rent---
John Andersen wrote:
On 1/4/2014 9:22 AM, Per Jessen wrote:
Carlos E. R. wrote:
On 2014-01-04 16:24, Per Jessen wrote:
Carlos E. R. wrote:
Now notice no outgoing DNS traffic.
If you want to be certain 'nscd' is doing the caching, stop it, then repeat the exercise and notice outgoing DNS traffic on every ping command.
It would not work in any of my systems, I have always set a DNS cache server. Previously I used bind, now I use dnsmasq.
I would have to disable that and reconfigure my network.
Hmm, without knowing your config, you still ought to be able to see/tcpdump the DNS traffic somewhere. If dnsmasq is accessed via 127.0.0.1, just run tcpdump on 'lo'.
If dnsmasq doesn't run locally, run tcpdump on whichever interface is used to access it.
Carlos's point is that nscd might not be doing the caching on his network because he is explicitly running some other services to handle this, and therefore his results would prove nothing about nscd.
Well, libc calls will still attempt to look for nscd, regardless of what Carlos does. If nscd is running, e.g. getaddrinfo() _will_ use it. After that, a cache-miss will be dealt with as per Carlos' setup. Applications not using the libc resolver may or may not be using nscd.
Your tests work for me, but I too have no idea who is doing this caching, as nscd -g shows no difference comparing before or after, and cache hit rate remains 0. I run bind as well, on my gateway box, so it might be in there.
"nscd -g" doesn't show me much either. Not sure why not. -- Per Jessen, Zürich (5.3°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-01-04 20:11, John Andersen wrote:
Carlos's point is that nscd might not be doing the caching on his network because he is explicitly running some other services to handle this, and therefore his results would prove nothing about nscd. I don't think he meant that the actual commands wouldn't work.
Right. I would have to stop dnsmasq, and edit /etc/resolv.conf to point to my router, which is not that difficult, anyway.
Your tests work for me, but I too have no idea who is doing this caching, as nscd -g shows no difference comparing before or after, and cache hit rate remains 0. I run bind as well, on my gateway box, so it might be in there.
I'm running this on a terminal:

    watch "nscd -g | head -80 | tail -23"

and what I see is:

    hosts cache:

                yes  cache is enabled
                 no  cache is persistent
                yes  cache is shared
                211  suggested size
             216064  total data pool size
                112  used data pool size
                600  seconds time to live for positive entries
                  0  seconds time to live for negative entries
                  0  cache hits on positive entries
                  0  cache hits on negative entries
                  1  cache misses on positive entries
                  0  cache misses on negative entries
                  0% cache hit rate
                  1  current number of cached values
                  1  maximum number of cached values
                  0  maximum chain length searched
                  0  number of delays on rdlock
                  0  number of delays on wrlock
                  0  memory allocations failed
                yes  check /etc/hosts for changes

and this does not change when I run "host google.es" or "host suse.de". Or local addresses.

-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Elessar))
On 1/4/2014 11:58 AM, Carlos E. R. wrote:
and this does not change when I run "host google.es" or "host suse.de". Or local addresses.
Yes, I see the same thing, but if you are running

    tcpdump -n -i eth0 port 53

in another shell you will see that the host command totally ignores the nscd and does a hit each time. Which makes sense, since you might want to use that command to diagnose cache problems. Ping, or lynx or ssh, or most other applications do hit the nscd. Have you tried turning off nscd? -- _____________________________________ ---This space for rent---
On 2014-01-04 21:09, John Andersen wrote:
On 1/4/2014 11:58 AM, Carlos E. R. wrote:
and this does not change when I run "host google.es" or "host suse.de". Or local addresses.
Yes, I see the same thing, but if you are running tcpdump -n -i eth0 port 53 in another shell you will see that the host command totally ignores the nscd and does a hit each time.
Which makes sense, since you might want to use that command to diagnose cache problems. Ping, or lynx or ssh, or most other applications do hit the nscd.
Ok, right, using ping things change:

hosts cache:

            yes  cache is enabled
             no  cache is persistent
            yes  cache is shared
            211  suggested size
         216064  total data pool size
            720  used data pool size
            600  seconds time to live for positive entries
              0  seconds time to live for negative entries
              1  cache hits on positive entries
              0  cache hits on negative entries
              6  cache misses on positive entries
              0  cache misses on negative entries
             14% cache hit rate
              6  current number of cached values
              6  maximum number of cached values
              1  maximum chain length searched
              0  number of delays on rdlock
              0  number of delays on wrlock
              0  memory allocations failed
            yes  check /etc/hosts for changes

But most are misses, not hits, even repeating the ping several times.

If I try the tcpdump, and ping "suse.de" (which fails, by the way, this is new, it worked for many years) I see no new lines in the dump. With google I see some, but not always.
Have you tried turning off nscd ?
Let's try.

[...]

No difference, suse.de is cached. Or local names.

If I put the tcpdump on "lo" and repeat, with nscd running I see only one hit. If I stop nscd I see one hit each time (but none on eth0). So it appears that both nscd and dnsmasq are caching DNS queries...

Interesting!

So, the point now is to decide which is best to use. I want dnsmasq, because I also use it for local machine names. So perhaps I should disable nscd (for hosts). :-?

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
On 1/4/2014 12:31 PM, Carlos E. R. wrote:
If I put the tcpdump on "lo" and repeat, with nscd running I see only one hit. If I stop nscd I see one hit each time (but none on eth0). So it appears that both nscd and dnsmasq are caching DNS queries...
Interesting!
So, the point now is to decide which is best to use. I want dnsmasq, because I also use it for local machine names. So perhaps I should disable nscd (for hosts). :-?
That is kind of what I was suspecting, you have dual caches. Since nscd caches things beyond DNS, it probably doesn't hurt you, other than taking up a bit more memory. Local machine names can be cached if they are in /etc/hosts I suppose.

--
_____________________________________
---This space for rent---
On 2014-01-04 22:05, John Andersen wrote:
On 1/4/2014 12:31 PM, Carlos E. R. wrote:
If I put the tcpdump on "lo" and repeat, with nscd running I see only one hit. If I stop nscd I see one hit each time (but none on eth0). So it appears that both nscd and dnsmasq are caching DNS queries...
Interesting!
So, the point now is to decide which is best to use. I want dnsmasq, because I also use it for local machine names. So perhaps I should disable nscd (for hosts). :-?
That is kind of what I was suspecting, you have dual caches. Since nscd caches things beyond DNS, it probably doesn't hurt you, other than taking up a bit more memory. Local machine names can be cached if they are in /etc/hosts I suppose.
/etc/nscd.conf

enable-cache hosts no

and restart it. I try to ping suse.de, with tcpdump on eth0 active, and I see no entries, so dnsmasq is still caching it.

And dnsmasq also caches /etc/hosts :-)

Very interesting thread! Thanks.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
On 1/4/2014 1:29 PM, Carlos E. R. wrote:
On 2014-01-04 22:05, John Andersen wrote:
On 1/4/2014 12:31 PM, Carlos E. R. wrote:
If I put the tcpdump on "lo" and repeat, with nscd running I see only one hit. If I stop nscd I see one hit each time (but none on eth0). So it appears that both nscd and dnsmasq are caching DNS queries...
Interesting!
So, the point now is to decide which is best to use. I want dnsmasq, because I also use it for local machine names. So perhaps I should disable nscd (for hosts). :-?
That is kind of what I was suspecting, you have dual caches. Since nscd caches things beyond DNS, it probably doesn't hurt you, other than taking up a bit more memory. Local machine names can be cached if they are in /etc/hosts I suppose.
/etc/nscd.conf
enable-cache hosts no
and restart it. I try to ping suse.de, with tcpdump on eth0 active, and I see no entries, so dnsmasq is still caching it.
And dnsmasq also caches /etc/hosts :-)
Very interesting thread! Thanks.
Here's more on this found on this site:

http://alpacapowered.wordpress.com/2013/03/08/nscd-dns-caching-and-postfix/

Turns out if cache is shared (mine is) you get incomplete stats out of nscd -g because applications are raiding its cookie jar behind its back.

This is the intended way for it to operate, apparently.

--
_____________________________________
---This space for rent---
On 2014-01-04 22:43, John Andersen wrote:
On 1/4/2014 1:29 PM, Carlos E. R. wrote:
Here's more on this found on this site: http://alpacapowered.wordpress.com/2013/03/08/nscd-dns-caching-and-postfix/ Turns out if cache is shared (mine is) you get incomplete stats out of nscd -g because applications are raiding its cookie jar behind its back.
This is the intended way for it to operate, apparently.
And it also seems that postfix doesn't use nscd, although a simple config change solves that; other apps also do not use nscd and they can't be made to use it, apparently.

Thus disabling nscd and using dnsmasq as I do means that all queries would go to dnsmasq and the global hit ratio should increase.

Interesting.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
On 1/4/2014 3:31 PM, Carlos E. R. wrote:
And it also seems that postfix doesn't use nscd, although a simple config change solves that; other apps also do not use nscd and they can't be made to use it, apparently. Thus disabling nscd and using dnsmasq as I do means that all queries would go to dnsmasq and the global hit ratio should increase.
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know).

There comes a point, especially in things like spamassassin that use DNS hits to evaluate spam hashes, where adding stuff to the cache is counter productive. After all, inbound email (especially spam) does not need to be instantaneous, and the few seconds longer that it takes amavis/spamassassin to send hashes to cloudmark and other RBLs won't hurt you. But web site address caching helps all users.

--
_____________________________________
---This space for rent---
On 2014-01-05 00:50, John Andersen wrote:
On 1/4/2014 3:31 PM, Carlos E. R. wrote:
And it also seems that postfix doesn't use nscd, although a simple config change solves that; other apps also do not use nscd and they can't be made to use it, apparently. Thus disabling nscd and using dnsmasq as I do means that all queries would go to dnsmasq and the global hit ratio should increase.
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know).
Well, dnsmasq is a dns server. All DNS servers cache entries as long as they can. So dnsmasq should work just fine with any program that does DNS query.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
John Andersen wrote:
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know).
Dnsmasq is the specified DNS server. How does any app get around that, other than going to the root servers etc.
On 1/4/2014 6:13 PM, James Knott wrote:
John Andersen wrote:
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know).
Dnsmasq is the specified DNS server. How does any app get around that, other than going to the root servers etc.
I don't know that anything does get around that, but if anything wanted to I imagine it would be the same way Dig or postfix gets around nscd.

--
_____________________________________
---This space for rent---
On 2014-01-05 03:46, John Andersen wrote:
On 1/4/2014 6:13 PM, James Knott wrote:
John Andersen wrote:
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know).
Dnsmasq is the specified DNS server. How does any app get around that, other than going to the root servers etc.
I don't know that anything does get around that, but if anything wanted to I imagine it would be the same way Dig or postfix gets around nscd.
No way.

They get around nscd because nscd is not a DNS, it just replaces some (not all) system calls with new functionality. When they do a DNS call, whatever DNS is defined for the system, local, external or at the other end of the world, responds. No way around that.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
Carlos E. R. wrote:
On 2014-01-05 03:46, John Andersen wrote:
On 1/4/2014 6:13 PM, James Knott wrote:
John Andersen wrote:
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know).
Dnsmasq is the specified DNS server. How does any app get around that, other than going to the root servers etc.
I don't know that anything does get around that, but if anything wanted to I imagine it would be the same way Dig or postfix gets around nscd.
They simply use their own resolver instead of libc. getaddrinfo() et al are synchronous; if you need to do a lot of lookups and remain responsive, you do asynchronous lookups in parallel. For examples of alternative resolvers, have a look at "adns" and "udns". I prefer the latter.
No way.
They get around nscd because nscd is not a DNS, it just replaces some (not all) system calls with new functionality. When they do a DNS call, whatever DNS is defined for the system, local, external or at the other end of the world, responds. No way around that.
Being slightly petty, well, yes there is, but doesn't make a lot of sense. Any application can talk to any nameserver it wants to, it doesn't _have_ to look at /etc/resolv.conf.

--
Per Jessen, Zürich (5.1°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2014-01-05 10:20, Per Jessen wrote:
Carlos E. R. wrote:
They get around nscd because nscd is not a DNS, it just replaces some (not all) system calls with new functionality. When they do a DNS call, whatever DNS is defined for the system, local, external or at the other end of the world, responds. No way around that.
Being slightly petty, well, yes there is, but doesn't make a lot of sense. Any application can talk to any nameserver it wants to, it doesn't _have_ to look at /etc/resolv.conf.
Oh, well, absolutely, but normal applications are not going to do that :-)

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
John Andersen wrote:
On 1/4/2014 6:13 PM, James Knott wrote:
John Andersen wrote:
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know). Dnsmasq is the specified DNS server. How does any app get around that, other than going to the root servers etc.
I don't know that anything does get around that, but if anything wanted to I imagine it would be the same way Dig or postfix gets around nscd.
Nscd is only a cache, not a DNS server. Dnsmasq is a DNS server that any app shouldn't know how to get around. As far as an app is concerned, there's no difference between using Dnsmasq, Google DNS, the ISP's DNS etc. They're all DNS servers. The next thing beyond that would be to do an iterative DNS query, starting from the root DNS server in the manner the ISP's DNS would.
John Andersen wrote:
On 1/4/2014 3:31 PM, Carlos E. R. wrote:
And it also seems that postfix doesn't use nscd, although a simple config change solves that; other apps also do not use nscd and they can't be made to use it, apparently. Thus disabling nscd and using dnsmasq as I do means that all queries would go to dnsmasq and the global hit ratio should increase.
That assumes that dnsmasq does not also have some built in way to go around it. (I really don't know).
There comes a point, especially in things like spamassassin that use DNS hits to evaluate spam hashes, where adding stuff to the cache is counter productive.
Somewhat OT, but spamassassin does not use the libc resolver, it does its own asynchronous dns lookups.

--
Per Jessen, Zürich (5.0°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2014-01-05 10:13, Per Jessen wrote:
Somewhat OT, but spamassassin does not use the libc resolver, it does its own asynchronous dns lookups.
Using the system configured DNS server for that, I understand.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
Carlos E. R. wrote:
On 2014-01-05 10:13, Per Jessen wrote:
Somewhat OT, but spamassassin does not use the libc resolver, it does its own asynchronous dns lookups.
Using the system configured DNS server for that, I understand.
Presumably, yes.

--
Per Jessen, Zürich (5.8°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Carlos E. R. wrote:
On 2014-01-04 22:43, John Andersen wrote:
On 1/4/2014 1:29 PM, Carlos E. R. wrote:
Here's more on this found on this site:
http://alpacapowered.wordpress.com/2013/03/08/nscd-dns-caching-and-postfix/
Turns out if cache is shared (mine is) you get incomplete stats out of nscd -g because applications are raiding its cookie jar behind its back.
This is the intended way for it to operate, apparently.
And it also seems that postfix doesn't use nscd, although a simple config change solves that; other apps also do not use nscd and they can't be made to use it, apparently.
It's not really the application that uses nscd, the application is unaware. nscd is used by the libc resolver. When an application does its own resolving, it typically will not use nscd.

--
Per Jessen, Zürich (4.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 1/4/2014 7:24 AM, Per Jessen wrote:
If you want to be certain 'nscd' is doing the caching, stop it, then repeat the exercise and notice outgoing DNS traffic on every ping command.
Yes, this test pretty well proves it.

Interestingly enough, these dns hits do not show up in anything output by nscd -g and I suspect that command only shows those things that are relative to files (passwd, groups, hosts). Nothing specific to dns requests via gethostbyaddr seems to be output.

One very telling indication is the Chrome Browser running on any machine that accesses the network via the box running nscd. The option in Chrome named "Use a prediction service to help complete searches and URLs typed in the address bar" can flood the network with dns requests if nscd is off. If you turn off nscd, then call up any web site, and simply erase (backspace) nodes of the address, you will see a storm of dns requests.

Example: open your suggested site: www.dns24.ch and you actually arrive at http://www.dns24.ch/home/welcome

Back space over the trailing "e" causes another dns request. Backspace over the m and another dns hit is made. (Someone run over and bitchslap Google for me, m'kay?).

Turn on nscd on the gateway box and those all disappear.

--
_____________________________________
---This space for rent---
On 2014-01-03 01:38, Felix Miata wrote:
As to blocking ad servers, is blocking via the firewall materially different in effectiveness from redirecting to 0.0.0.0 or 127.0.0.1 via hosts entries?
Yes. The idea is that blocking on the firewall acts after you make the request to download the ad. The advert is effectively downloaded, just blocked on the doorstep. Similarly with browser extensions to block ads.

With a dns redirect, when the page wants to download an advert, as it asks the wrong machine for it, the request is never sent to internet, and it is never downloaded, so that it does not use your internet pipe.

However, I do not block adverts, as a general rule. Only obnoxious adverts.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Elessar))
Felix Miata said the following on 01/01/2014 03:27 AM:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
http://www.edwin.io/optimized-resolv-conf seems to make sense, but it includes no discussion of a local nameserver, such as the one typically enabled by default in an internet router, only using Google IPs. Anyone have anything to add or dispute what it says?
Yes, lots! Visit http://pgl.yoyo.org/adservers/ and read up on a few other items.

First, filtering out ads, either by this method or using an adblock plugin for Firefox, means fewer looks & delays and less screen real estate taken up by adverts. That also means faster rendering.

Second, by routing a whole pile of advert sites at the DNS level rather than just within the adblock level you are blocking them for all machines on your LAN and for all types of access. You may find this a better 'parental control' but it also means a whole pile of malicious "Call home" services are blocked. And I don't mean just botnets. Read the 'cyber-News' of the last few months.

Yes this too takes maintenance.
Are those using routers better off using the one it includes? Better off avoiding?
No. In my config 8.8.8.8 is the LAST entry. The first is for my local caching DNS server. Read that again: *C*A*C*H*I*N*G* That means it has instantaneous response from the cache rather than looking up yet again at Google. The benefit of google, presumably, is that they are running a ****-ing huge caching server on a machine or cluster that is very fast and has a very fat pipe. Which is why I list them at all. But not first! Many people consider it unsociable to block adverts since they are what, ultimately, pays for the services. I've heard this same thing said about TV adverts. You may consider it even more unsociable to block google-analytics since that lookup takes time as well. That might amount to the height of 'Net unsociability!
Is there any convenient way to evaluate average response times from various servers?
Well you could start by pinging them. How fast they will resolve as DNS servers depends on the load being placed on them by other users. In general that's not something you have control over. Since, however, my #1 DNS server is the server under my desk that also handles email, I do know about its load. There's only me using it.
Are there logical reasons for avoiding Google's or other high visibility servers?
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?
Quite the converse. Assuming you have a good ISP who knows what they are doing, then their caching DNS server is just a scaled down version of Google's. But the point is that it's closer!

Ping it and look at the response times. Ping your ISP then ping google.

I get:

--- server ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.236/0.261/0.294/0.030 ms

--- Router ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.733/2.003/2.551/0.341 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 33.696/34.659/35.935/0.794 ms

I think that makes a strong case for why *I* use a local DNS server. YMMV.
Can anyone explain why the default timeout is 5s and not more or less? Is it a holdover from times past when the internet was less busy, and often less speedy via dialup or ISDN instead of broadband?
It only makes sense, as far as I can tell, if you are using round robin and a few other details that arise out of performance testing of those particular servers from that particular location. It would make no sense for me.

If my local DNS server can't find the relevant record in its config or cache then it will hit my ISP. That's the first timeout that matters. My ISP has a big pipe and they probably end up checking with google eventually, so there's little point in timing out with them and going to google. My going to google would be really slow.

If I were to use the resolv.conf in the article then my system would become very very slow and unresponsive.

--
How long did the whining go on when KDE2 went on KDE3? The only universal constant is change. If a species can not adapt it goes extinct. That's the law of the universe, adapt or die.
-- Billie Walsh, May 18 2013
Anton Aylward wrote:
Yes, lots! Visit http://pgl.yoyo.org/adservers/ and read up on a few other items.
I've just added that ad server list to the hosts file on my firewall, where I'm running Dnsmasq caching DNS server. This means every device on my home network will benefit.
On 2014-01-01 10:01 (GMT-0500) Anton Aylward composed:
Felix Miata composed:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
http://www.edwin.io/optimized-resolv-conf seems to make sense, but it includes no discussion of a local nameserver, such as the one typically enabled by default in an internet router, only using Google IPs. Anyone have anything to add or dispute what it says?
Yes, lots! Visit http://pgl.yoyo.org/adservers/ and read up on a few other items.
Some I knew about, some was new.
First, filtering out ads, either by this method or using an adblock plugin for Firefox, means fewer looks & delays and less screen real estate taken up by adverts. That also means faster rendering.
Second, by routing a whole pile of advert sites at the DNS level rather than just within the adblock level you are blocking them for all machines on your LAN and for all types of access. You may find this a better 'parental control' but it also means a whole pile of malicious "Call home" services are blocked. And I don't mean just botnets. Read the 'cyber-News' of the last few months.
89kb, 2526 lines, from there now appended to dnsmasq.conf.
Yes this too takes maintenance.
How often is your habit?
Are those using routers better off using the one it includes? Better off avoiding?
No. In my config 8.8.8.8 is the LAST entry. The first is for my local caching DNS server.
Read that again: *C*A*C*H*I*N*G* That means it has instantaneous response from the cache rather than looking up yet again at Google.
The benefit of google, presumably, is that they are running a ****-ing huge caching server on a machine or cluster that is very fast and has a very fat pipe. Which is why I list them at all.
But not first!
Many people consider it unsociable to block adverts since they are what, ultimately, pays for the services. I've heard this same thing said about TV adverts. You may consider it even more unsociable to block google-analytics since that lookup takes time as well. That might amount to the height of 'Net unsociability!
Is there any convenient way to evaluate average response times from various servers?
Well you could start by pinging them. How fast they will resolve as DNS servers depends on the load being placed on them by other users. In general that's not something you have control over. Since, however, my #1 DNS server is the server under my desk that also handles email, I do know about its load. There's only me using it.
Are there logical reasons for avoiding Google's or other high visibility servers?
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?
Quite the converse. Assuming you have a good ISP who knows what they are doing, then their caching DNS server is just a scaled down version of Google's. But the point is that it's closer!
Ping it and look at the response times. Ping your ISP then ping google.
Bad 404 behavior makes my ISP's lousy choice regardless of competence otherwise.
I get:
--- server ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.236/0.261/0.294/0.030 ms

--- Router ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.733/2.003/2.551/0.341 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 33.696/34.659/35.935/0.794 ms
I think that makes a strong case for why *I* use a local DNS server.
Clearly.

--- 207.69.188.186 ping statistics ---   # earthlink.net DNS1
9 packets transmitted, 0 received, 100% packet loss, time 7999ms

--- 8.8.8.8 ping statistics ---   # google
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 67.896/68.765/70.057/0.895 ms

--- 199.166.31.3 ping statistics ---   # OpenDNS
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 22.184/41.325/59.765/16.284 ms

--- 207.69.188.187 ping statistics ---   # earthlink.net DNS2
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

--- 192.168.1.1 ping statistics ---   # router
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.282/0.302/0.320/0.014 ms

--- 127.0.0.1 ping statistics ---   # localhost
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.026/0.030/0.036/0.007 ms
Can anyone explain why the default timeout is 5s and not more or less? Is it a holdover from times past when the internet was less busy, and often less speedy via dialup or ISDN instead of broadband?
It only makes sense, as far as I can tell, if you are using round robin and a few other details that arise out of performance testing of those particular servers from that particular location. It would make no sense for me.
If my local DNS server can't find the relevant record in its config or cache then it will hit my ISP. That's the first timeout that matters. My ISP has a big pipe and they probably end up checking with google eventually, so there's little point in timing out with them and going to google. My going to google would be really slow.
If I were to use the resolv.conf in the article then my system would become very very slow and unresponsive.
I see. Thanks! Any chance all this plays a part in IRC timeouts that can be tailored to reducing them?

--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)

Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata *** http://fm.no-ip.com/
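For the ad-server list that James added to the hosts file on his firewall and Felix appended to dnsmasq.conf, here is an added example (not from any poster, and not from the yoyo.org project) that converts hosts-format entries into dnsmasq address= lines, validating each name and dropping duplicates, the list's own localhost lines, and names already covered by a blocked parent domain. The 0.0.0.0 sink address and the sample list are assumptions; the real list is far longer.

```python
"""Convert a hosts-format ad-server list into dnsmasq 'address=' lines.

Added example for this thread. Each entry is validated so a malformed
line in a downloaded list cannot end up in the resolver's config, the
list's own localhost entries and duplicates are dropped, and names are
pointed at a sink address (assumption: 0.0.0.0, so the browser's request
fails immediately instead of reaching any web server).
"""
import re

# RFC 1123 label: 1-63 chars of [A-Za-z0-9-], no leading/trailing hyphen.
# Deliberately strict: names with underscores are reported and skipped.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
SINK = "0.0.0.0"  # assumption; 127.0.0.1 works with dnsmasq just as well
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}


def valid_hostname(name: str) -> bool:
    """Dotted labels, 253 chars max; single-label names are rejected
    because blocklists carry fully qualified names."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_hosts(text: str):
    """Yield lower-cased hostnames from hosts-file text, skipping comments,
    blank lines, address-only lines and the loopback names."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name blocks nothing
        for name in fields[1:]:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            if not valid_hostname(lname):
                # report and skip rather than write junk into dnsmasq.conf
                print("line %d: skipping malformed name %r" % (lineno, name))
                continue
            yield lname


def to_dnsmasq(text: str, sink: str = SINK) -> list:
    """Return sorted, de-duplicated 'address=/name/sink' lines.

    dnsmasq's address= matches the domain and everything below it, so a
    name whose parent domain is already blocked is redundant and dropped.
    """
    names = set(parse_hosts(text))
    kept = []
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        parts = name.split(".")
        parents = {".".join(parts[i:]) for i in range(1, len(parts))}
        if parents & names:
            continue
        kept.append(name)
    return ["address=/%s/%s" % (n, sink) for n in sorted(kept)]


# Constructed sample in the yoyo.org hosts layout (not the real list).
SAMPLE_HOSTS = """\
# Generated hosts-format blocklist (constructed sample)
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org
127.0.0.1 cdn.tracker.example.org   # covered by the line above
127.0.0.1 ADS.example.net           # duplicate, different case
127.0.0.1 bad_name.example.com      # underscore: rejected by LABEL_RE
127.0.0.1
"""

if __name__ == "__main__":
    for entry in to_dnsmasq(SAMPLE_HOSTS):
        print(entry)
```

Write the output to a file under /etc/dnsmasq.d/ (or append it to dnsmasq.conf as Felix did) and restart dnsmasq; re-running the conversion is how the list gets refreshed.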
Felix Miata said the following on 01/02/2014 11:57 PM:
Yes this too takes maintenance. How often is your habit?
It's not clock driven, it's event driven. This discussion is an example event. New adverts getting through are another example.
Felix Miata wrote:
My web browsers often seem to spend a lot of time reporting "looking up host <blah>". I'd like to see less of that in 2014, and spend less time watching nothing happen in the browser's viewport.
http://www.edwin.io/optimized-resolv-conf seems to make sense, but it includes no discussion of a local nameserver, such as the one typically enabled by default in an internet router, only using Google IPs. Anyone have anything to add or dispute what it says?
A local nameserver should presumably be read to mean one on your local network, where you would (also presumably) want to always direct your queries. Then you could 'optimize' your resolv.conf to just "nameserver <your-local-nameserver>".
Is there any convenient way to evaluate average response times from various servers?
'dig' will tell you, but you'd have to work out the average times yourself.
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?
Not AFAICS.

--
Per Jessen, Zürich (5.3°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
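Per's point that dig reports each query's time but leaves the averaging to you can be carried a step further. The added script below (example code for this thread, not from any poster) builds its own A queries, sends them over UDP to each resolver in turn and prints a min/avg/max/mdev summary in the same shape as the ping statistics quoted earlier, so the gap between a first-probe cache miss and the later hits on a local dnsmasq shows up directly; because it does its own resolving it bypasses nscd entirely, exactly as Per describes for dig. The resolver list, query name, probe count and timeout are assumptions to edit for your own network.

```python
"""Time raw DNS A queries against several resolvers (added example).

Assumptions: the RESOLVERS below (a machine-local cache, a router and a
public server) and QNAME are placeholders for your own network.
"""
import socket
import statistics
import struct
import time

RESOLVERS = ["127.0.0.1", "192.168.1.1", "8.8.8.8"]
QNAME = "www.opensuse.org"   # assumption: any name you look up often
PROBES = 5                   # the first probe is the likely cache miss
TIMEOUT_S = 2.0


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Standard RFC 1035 query: RD=1, one question, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % qname)
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", 1, 1)
    return header + question


def parse_response(data: bytes, expected_id: int) -> dict:
    """Return id/rcode/answer count; reject short, foreign or non-reply
    packets so a stray datagram is not timed as an answer."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response id %#x does not match query" % qid)
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return {"id": qid, "rcode": flags & 0x000F, "answers": an,
            "truncated": bool(flags & 0x0200)}


def summarize(samples_ms: list) -> dict:
    """min/avg/max/mdev like ping's summary (mdev = population stdev)."""
    if not samples_ms:
        return {"min": None, "avg": None, "max": None, "mdev": None}
    return {"min": min(samples_ms),
            "avg": round(statistics.mean(samples_ms), 3),
            "max": max(samples_ms),
            "mdev": round(statistics.pstdev(samples_ms), 3)}


def time_server(server: str, qname: str = QNAME, probes: int = PROBES) -> dict:
    """Send `probes` queries to one server; timeouts and bad replies
    count as lost rather than being averaged in."""
    samples, lost = [], 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT_S)
        for i in range(probes):
            qid = 0x1000 + i
            pkt = build_query(qname, qid)
            start = time.perf_counter()
            try:
                sock.sendto(pkt, (server, 53))
                data, _ = sock.recvfrom(512)
                parse_response(data, qid)
            except (socket.timeout, OSError, ValueError):
                lost += 1
                continue
            samples.append(round((time.perf_counter() - start) * 1000, 3))
    result = summarize(samples)
    result.update({"server": server, "sent": probes, "lost": lost})
    return result


if __name__ == "__main__":
    for srv in RESOLVERS:
        r = time_server(srv)
        print("--- %s ---" % r["server"])
        print("%d sent, %d lost" % (r["sent"], r["lost"]))
        if r["avg"] is not None:
            print("rtt min/avg/max/mdev = %s/%s/%s/%s ms"
                  % (r["min"], r["avg"], r["max"], r["mdev"]))
```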
Per Jessen said the following on 01/01/2014 01:28 PM:
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred? Not AFAICS.
Given "preferred over what?" being answered as "Something that takes longer to respond such as 8.8.8.8" then yes. But compared to a LAN-local or machine-local caching DNS server, the very emphatically NO!

--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \
Merry Christmas and a happy new year,

On Wednesday 01 of January 2014 03:27:44 Felix Miata wrote:
Is there any convenient way to evaluate average response times from various servers?
Yes, try namebench by Google. It is available in the OBS.
Are there logical reasons for avoiding Google's or other high visibility servers?
Well, Google and OpenDNS almost certainly use statistics from the DNS traffic for profit. This is not necessarily bad, but it may become so if they start altering the answers based on their commercial interests.
Are there reasons why the servers provided by the ISP subscribed to shouldn't be preferred?
ISP's servers should be the fastest with regard to network latency and quite fast with regard to the number of queries cached. I checked the effect these two factors have on performance with namebench some days ago, and Google's and openDNS's name servers outperformed my ISP's servers by 70%, so the number of users apparently has much higher effect on DNS performance than network latency.

Regarding the DNS server on DSL routers/modems, in general it has bad performance and in my case it doesn't work at all!

Regards,
Peter
auxsvr@gmail.com said the following on 01/03/2014 02:16 AM:
ISP's servers should be the fastest with regard to network latency and quite fast with regard to the number of queries cached. I checked the effect these two factors have on performance with namebench some days ago, and Google's and OpenDNS's name servers outperformed my ISP's servers by 70%, so the number of users apparently has a much higher effect on DNS performance than network latency.
While I agree in broad brush terms, there are a couple of other factors that matter:

* Cache size
* Cache time-out/LRU flush algorithm

You can bet some of the more popular domains, such as Google searches and the major news providers, are going to be retained from sheer popularity. Perhaps they get hard-wired in :-)

But the point is that we as individuals are not going to be viewing our own use patterns as 'statistics' but as certainties. From my POV, having an old or tiny box dedicated to DNS with a couple of gigs of memory[1] with a -ing cache and a -ing long timeout will 'outperform' all of the above after a couple of days, provided I don't turn it off at night. And if it's a 'berry or one of the micro-ITX boards, then it's taking less power than the compact fluorescent bulb over my desk.

The point here is that with the local DNS server I have control over the cache, and the cache is exactly matched to my use patterns, not that of some world-wide statistical group.

[1] I can pull an old desktop from the Closet of Anxieties and load it up with a couple of sticks of old DDR2, and it's close to zero cost for me.

--
The more laws and restrictions there are, The poorer people become.
The sharper men's weapons, The more trouble in the land.
The more ingenious and clever men are, The more strange things happen.
The more rules and regulations, The more thieves and robbers.
-- The Tao Te Ching
On Friday 03 of January 2014 08:34:38 Anton Aylward wrote:
The point here is that with the local DNS server I have control over the cache, and the cache is exactly matched to my use patterns, not that of some world-wide statistical group.
namebench performs the queries based on the user's history in the browser. All that said, I'm using my own DNS server that forwards requests to the ISP's server, but the main reasons I do so are that (1) the DSL router's DNS server does not work and (2) I have set up a local DNS zone.

Regards,
Peter
Anton Aylward wrote:
From my POV, having an old or tiny box dedicated to DNS with a couple of gigs of memory[1] with a -ing cache and a -ing long timeout will 'outperform' all of the above after a couple of days, provided I don't turn it off at night.
Actually, the time to live value in the returned DNS reply will limit any caching. I just did one test for Yahoo and it showed 34 seconds. Another one showed 3 min 2 sec, so upstream caches will return a varying TTL depending on when they obtained the record. Those times are nowhere near "overnight".
On Fri, Jan 3, 2014 at 10:13 AM, James Knott <james.knott@rogers.com> wrote:
Anton Aylward wrote:
From my POV, having an old or tiny box dedicated to DNS with a couple of gigs of memory[1] with a -ing cache and a -ing long timeout will 'outperform' all of the above after a couple of days, provided I don't turn it off at night.
Actually, the time to live value in the returned DNS reply will limit any caching. I just did one test for Yahoo and it showed 34 seconds. Another one showed 3 min 2 sec, so upstream caches will return a varying TTL depending on when they obtained the record. Those times are nowhere near "overnight".
I had no idea TTLs were so short these days. When I was admin'ing DNS 15+ years ago, a week was a very common TTL (time-to-live). If the majority are down in the minutes area now, it is even more important to have a busy DNS server in your query forwarding logic somewhere. My ISP is huge, so I just use theirs.

Greg
Greg Freemyer wrote:
I had no idea TTLs were so short these days. When I was admin'ing DNS 15+ years ago, a week was a very common TTL (time-to-live). If the majority are down in the minutes area now, it is even more important to have a busy DNS server in your query forwarding logic somewhere. My ISP is huge, so I just use theirs.
The TTL is determined by the source DNS and can be set as desired. So, if you have an address that's not likely to change, then you can go with a long TTL. However, if you use DNS records for load balancing, as may be the case with Yahoo, then you probably want a short TTL.
The problem we run into sometimes at work is that larger ISPs (like Comcast) ignore our TTL and use their own, which causes issues with our failover site sometimes :/
Greg Freemyer said the following on 01/03/2014 10:20 AM:
On Fri, Jan 3, 2014 at 10:13 AM, James Knott <james.knott@rogers.com> wrote:
Anton Aylward wrote:
From my POV, having an old or tiny box dedicated to DNS with a couple of gigs of memory[1] with a -ing cache and a -ing long timeout will 'outperform' all of the above after a couple of days, provided I don't turn it off at night.
Actually, the time to live value in the returned DNS reply will limit any caching. I just did one test for Yahoo and it showed 34 seconds. Another one showed 3 min 2 sec, so upstream caches will return a varying TTL depending on when they obtained the record. Those times are nowhere near "overnight".
I had no idea TTLs were so short these days. When I was admin'ing DNS 15+ years ago, a week was a very common TTL (time-to-live).
+1. My Albitz & Liu talks of a default of 85400 seconds, which is 24 hours, which *IS* overnight!

Why should a site have such a short TTL? The only justification I can think of is that they are implementing Round Robin DNS that way.

Think about it: how often are major sites such as Yahoo, Google and the big news agencies, government departments and so forth going to change their network addresses for something radically different? But organizations such as Yahoo will have huge server farms and DO want to do load balancing. Balancing by hardware internally still requires the single external address, and that's not what they want.

A test for yahoo using DIG returns

;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 1800 IN A 206.190.36.45
yahoo.com. 1800 IN A 98.139.183.24
yahoo.com. 1800 IN A 98.138.253.109

;; AUTHORITY SECTION:
yahoo.com. 75033 IN NS ns6.yahoo.com.
yahoo.com. 75033 IN NS ns5.yahoo.com.
yahoo.com. 75033 IN NS ns2.yahoo.com.
yahoo.com. 75033 IN NS ns4.yahoo.com.
yahoo.com. 75033 IN NS ns1.yahoo.com.
yahoo.com. 75033 IN NS ns3.yahoo.com.
yahoo.com. 75033 IN NS ns8.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com. 74847 IN A 68.180.131.16
ns2.yahoo.com. 74847 IN A 68.142.255.16
ns3.yahoo.com. 74847 IN A 203.84.221.53
ns4.yahoo.com. 74847 IN A 98.138.11.157
ns5.yahoo.com. 74847 IN A 119.160.247.124
ns6.yahoo.com. 75036 IN A 202.43.223.170
ns8.yahoo.com. 75037 IN A 202.165.104.22

1800 sec = 30 min
75033 sec = 20.8425 hours
74847 sec = 20.790833 hours

So the name servers at least will stay in my cache overnight :-)

Google.com is even more interesting and dramatic

;; ANSWER SECTION:
google.com. 300 IN A 74.125.226.128
google.com. 300 IN A 74.125.226.132
google.com. 300 IN A 74.125.226.129
google.com. 300 IN A 74.125.226.134
google.com. 300 IN A 74.125.226.131
google.com. 300 IN A 74.125.226.136
google.com. 300 IN A 74.125.226.142
google.com. 300 IN A 74.125.226.130
google.com. 300 IN A 74.125.226.133
google.com. 300 IN A 74.125.226.135
google.com. 300 IN A 74.125.226.137

;; AUTHORITY SECTION:
google.com. 74246 IN NS ns1.google.com.
google.com. 74246 IN NS ns4.google.com.
google.com. 74246 IN NS ns2.google.com.
google.com. 74246 IN NS ns3.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 247046 IN A 216.239.32.10
ns2.google.com. 247046 IN A 216.239.34.10
ns3.google.com. 247046 IN A 216.239.36.10
ns4.google.com. 247046 IN A 216.239.38.10

300 sec = 5 min
74246 sec = 20.623889 hours
247046 sec = 68.623889 hours

At this point I suggest a re-read of how the resolver works when presented with a number of "answers" such as the above. I have no doubt that google.com is returning a value that matches "geographically". My resolver sees all of "74.125.226.x" as being 'electrically' equidistant, so it's going to do a RR on them. The likelihood that I'd hit google.com a second time in 5 minutes is about 50/50. The first time I hit a Google page there are well over 100 additional references back to Google for ... stuff. If there wasn't caching, be it DNS or be it in my browser, it would take ages for the page to load.
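Both Peter's point about measuring resolver response times and Anton's dig walk-through of TTLs and round-robin answer sets can be checked with a small script. The following is an added example, not code from the thread: it builds an RFC 1035 A-record query, sends it over UDP to a resolver of your choice, and reports the round-trip time and the TTL of every A record returned; the sample response used in testing is constructed, not captured.

```python
# Added example (not from the thread): minimal DNS A query over UDP that
# reports a resolver's round-trip time and the TTL of each answer record.
import socket, struct, time

def build_query(name, qid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg, off):
    # Decode a possibly compressed name; return (name, offset after the name).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end or off + 2   # the name field itself ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + length].decode())
        off += length

def parse_answers(msg):
    # Return [(name, ttl, ipv4)] for the A records in the answer section.
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:
            answers.append((name, ttl, socket.inet_ntoa(msg[off:off + rdlen])))
        off += rdlen
    return answers

def time_query(server, name, timeout=5.0):
    # Send one query to server:53 and return (rtt_ms, answers).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # same 5 s default the thread asks about
        start = time.monotonic()
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
        return (time.monotonic() - start) * 1000, parse_answers(data)
```

Calling time_query() once for the router, the ISP's resolver and 8.8.8.8 on the same name shows both the latency difference and how each one's remaining TTL varies with when it last fetched the record, the effect James describes.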
Anton Aylward wrote:
Think about it: how often are major sites such as Yahoo, Google and the big news agencies, government departments and so forth going to change their network addresses for something radically different? But organizations such as Yahoo will have huge server farms and DO want to do load balancing. Balancing by hardware internally still requires the single external address, and that's not what they want.
According to host, Google has 11 IPv4 addresses and 1 IPv6.

google.com has address 74.125.239.129
google.com has address 74.125.239.142
google.com has address 74.125.239.132
google.com has address 74.125.239.134
google.com has address 74.125.239.130
google.com has address 74.125.239.128
google.com has address 74.125.239.133
google.com has address 74.125.239.135
google.com has address 74.125.239.136
google.com has address 74.125.239.137
google.com has address 74.125.239.131
google.com has IPv6 address 2607:f8b0:4004:800::1002
Anton Aylward wrote:
Greg Freemyer said the following on 01/03/2014 10:20 AM:
On Fri, Jan 3, 2014 at 10:13 AM, James Knott <james.knott@rogers.com> wrote:
Anton Aylward wrote:
From my POV, having an old or tiny box dedicated to DNS with a couple of gigs of memory[1] with a -ing cache and a -ing long timeout will 'outperform' all of the above after a couple of days, provided I don't turn it off at night.
Actually, the time to live value in the returned DNS reply will limit any caching. I just did one test for Yahoo and it showed 34 seconds. Another one showed 3 min 2 sec, so upstream caches will return a varying TTL depending on when they obtained the record. Those times are nowhere near "overnight".
I had no idea TTLs were so short these days. When I was admin'ing DNS 15+ years ago, a week was a very common TTL (time-to-live).
+1. My Albitz & Liu talks of a default of 85400 seconds, which is 24 hours, which *IS* overnight!
Why should a site have such a short TTL? The only justification I can think of is that they are implementing Round Robin DNS that way.
And that's a poor justification. Maybe have a look at 'rrset' in the bind manual.
--
Per Jessen, Zürich (7.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Greg Freemyer wrote:
On Fri, Jan 3, 2014 at 10:13 AM, James Knott <james.knott@rogers.com> wrote:
Anton Aylward wrote:
From my POV, having an old or tiny box dedicated to DNS with a couple of gigs of memory[1] with a -ing cache and a -ing long timeout will 'outperform' all of the above after a couple of days, provided I don't turn it off at night.
Actually, the time to live value in the returned DNS reply will limit any caching. I just did one test for Yahoo and it showed 34 seconds. Another one showed 3 min 2 sec, so upstream caches will return a varying TTL depending on when they obtained the record. Those times are nowhere near "overnight".
I had no idea TTLs were so short these days.
Some are, but the vast majority is in the 12-24 hours range (and longer).
When I was admin'ing DNS 15+ years ago, a week was a very common TTL (time-to-live).
I have not seen that for quite some time; a propagation delay of up to a week is impractical.
--
Per Jessen, Zürich (7.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
participants (14)
- Anton Aylward
- auxsvr@gmail.com
- Carlos E. R.
- Christopher Myers
- David C. Rankin
- David T-G
- Felix Miata
- Greg Freemyer
- Hans Witvliet
- James Knott
- jdd
- John Andersen
- Ken Schneider - openSUSE
- Per Jessen