From: Oliver Fromme
To: dougb@FreeBSD.org (Doug Barton)
Cc: freebsd-current@FreeBSD.org, freebsd-stable@FreeBSD.org
Date: Sun, 5 Aug 2007 11:02:35 +0200 (CEST)
Subject: Re: named.conf restored to hint zone for the root by default
Message-Id: <200708050902.l7592ZuQ080809@lurza.secnetix.de>
In-Reply-To: <46B50AA1.2080502@FreeBSD.org>

Doug Barton wrote:
> Oliver Fromme wrote:
> >
> > By the way, I have changed from hints to slaves on the DNS
> > servers for a large server farm (just testing right now; I
> > might go back to hints if I don't feel it's worth it).
>
> Depending on how many name servers you have you might get a bigger win
> by slaving the root to one server, then slaving it to the others from
> your "local master." If you're only talking about a few name servers
> it's probably not worth it though.

It's three name servers, and they're intended to be completely
independent of each other. That's why I've configured each of them
to retrieve the root zone on its own.

> > It _seems_ a few applications run with lower latency, but
> > I'll need to run some benchmarks in order to get some hard
> > numbers.
>
> If your stuff is relatively well behaved, and generally only queries a
> few TLDs you might not get much of a benefit in terms of reduced
> latency. In this scenario the main advantage is better resilience to a
> root DDoS.
>
> Where this technique really works well is a scenario where you are
> answering a lot of "random" queries that could potentially include
> invalid TLDs and other "junk." Not sending those queries to the roots
> helps reduce traffic for them and for you, and gives you much better
> latency on the inevitable NXDOMAIN response.

The farm contains several mail servers with spam and virus scanners,
HTTP proxies with (roughly) several thousand users, a few dozen web
servers and other things. I think especially the mail scanners and the
proxies generate some amount of DNS "junk" queries.

Thanks for your suggestions!

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry court Munich, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry court
Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"I made up the term 'object-oriented', and I can tell you I didn't
have C++ in mind." -- Alan Kay, OOPSLA '97
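The three root-zone arrangements discussed in the thread (the default hint zone, Oliver's "each server slaves the root itself", and Doug's "one local master, the others slave from it"), written out as BIND 9 `named.conf` stanzas. This is an added example, not configuration from the thread or from FreeBSD's shipped `named.conf`; the file names, the `192.0.2.0/24` resolver addresses and the `203.0.113.1` transfer source are constructed placeholders from the RFC 5737 documentation ranges, not real root or farm servers.

```conf
// Added example (not from the thread).  A server carries exactly ONE
// zone "." stanza; the three below are alternatives, pick one per host.
// All IP addresses are constructed placeholders (RFC 5737 ranges).

// (1) Default: root hints only.  Every query for a name that is not
//     cached, including junk TLDs, goes out to the root servers, and
//     the resolver depends on reaching them for the NXDOMAIN.
zone "." {
    type hint;
    file "named.root";
};

// (2) Oliver's setup, used on each of his three resolvers: transfer
//     the root zone directly from a root-zone source that permits AXFR.
//     Junk-TLD queries are answered locally with an authoritative
//     NXDOMAIN, and the resolver keeps answering through a root DDoS
//     for as long as its copy is within the zone's SOA expire time.
//     allow-transfer is only needed if this host is also the "local
//     master" of variant (3).
zone "." {
    type slave;
    file "slave/root.slave";
    masters {
        203.0.113.1;            // placeholder: root-zone AXFR source
    };
    notify no;
    allow-transfer { 192.0.2.0/24; };   // placeholder: the other resolvers
};

// (3) Doug's "local master" variant, used on the remaining resolvers:
//     only ns1 (placeholder 192.0.2.10) transfers from the outside as
//     in (2); the others pull the zone from ns1.  Fewer external
//     transfers, but ns1 becomes a dependency for the others, which is
//     the coupling Oliver avoids by choosing (2) on all three hosts.
zone "." {
    type slave;
    file "slave/root.slave";
    masters {
        192.0.2.10;             // placeholder: ns1, the local master
    };
    notify no;
};
```

`named-checkconf` validates the syntax before a reload. The caveat worth monitoring with (2) and (3): if transfers fail for longer than the root zone's SOA expire interval, the slaved zone expires and `named` stops answering for everything below the root, a harder failure than the hint-only configuration it replaces, so the age of the transferred copy should be alerted on. A quick functional check is a query for a name under a non-existent TLD: a resolver carrying the slaved root answers NXDOMAIN with the AA flag set without contacting the root servers.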