[vox-tech] Fwd: Very slow off net

Rick Moen rick at linuxmafia.com
Thu Oct 29 01:45:59 PDT 2009


Quoting Bill Broadley (bill at broadley.org):

> I'd suggest adding caching in there somewhere, probably assumed.

I've yet to find a nameserver package of any sort, recursive,
authoritative, or even merely forwarding, that doesn't do caching.  


> Agreed.  Large ISPs (like pacbell) often have overloaded DNS, not to mention
> the DNS is often on the wrong end of a busy network.

That's only the beginning of their problems.  To the predominant
dog-slow performance I would add pervasive cache poisoning, e.g., the
quality of being a security menace, as the next obvious problem to
mention.  But better to just skip them.

> I suggest unbound.

I like Unbound, despite its relative youth.  PowerDNS Recursor is also
good, and perhaps a bit better tested.  I would also consider MaraDNS.

I'm extremely happy with the authoritative-only server published for
quite a while by the same .nl TLD people who've more recently followed
up with Unbound, FWIW.

> >  It'll also improve performance over using OpenDNS, 
> 
> Sort of.  For cache hits, yes.  For cache misses, not too much.

Obviously, I was talking about cache hits -- which predominate if you
run a recursive nameserver for a long while.

> Sure, so only your ISP instead of opendns and your ISP knowing everywhere you
> visit.

The problem of your upstream link(s) being able to do traffic analysis on
where your packets are sent to, and inspection in cases where you don't
bother to encrypt them, is a separate problem.  But you knew that.
Also, unlike OpenDNS, they have fiduciary obligations to you under
contract.  But you knew that, too.

Use OpenDNS, and a party who owes you no loyalty whatsoever has a
central record of all DNS queries your IP has attempted.

> NXDOMAIN does bug me, I believe that's optional if you log in/create an account.

That deliberate RFC violation _should_ bug you.  It's essentially saying
"Nothing but the Web counts.  Correct DNS information for SMTP mail
doesn't matter, because it's not the Web."

I'm not clear on why a login would remove that misfeature.  They use the 
ads on their "Site not found" Web pages to generate the revenue stream
that underwrites the service.

> Oh, almost forgot.  I'd recommend unbound as a local caching recursive
> server.  It's DNSSEC and DLV aware....

I'm no DJB fan, but I think he's right about the reasons why DNSSEC is
never going to be used on any significant enough scale to matter.  The DLV
lookaside kludge (that partially works around lack of a signed root
zone) to an overengineered and impractical based spec strikes me as just
another deck-chair on the sinking ship.

I don't know why I should trust DLV repositories (Trust Anchor
repositories), and the largest one that makes something like a
meaningful effort to validate that they belong to whom they claim to
(ISC's) had a whopping total of 25 DLV records in it a year ago, when I
last looked into this.  (SecSpider collects DLVs, but doesn't validate
them.)

So, good luck making that stuff practical and useful.  Do send a
postcard.  ;->


Anyway, FWIW:
http://linuxmafia.com/faq/Network_Other/dns-servers.html
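The NXDOMAIN-rewriting complaint above is something an operator can check mechanically rather than take on faith: query a resolver for a name that cannot exist and see whether it answers RCODE 3 (NXDOMAIN) or a NOERROR response carrying an A record for a "site not found" page. The script below is an added example written for this page, not code from the thread or from any of the resolver projects mentioned. It hand-constructs two minimal DNS wire-format responses for a probe name (the packets and the 192.0.2.10 TEST-NET-1 address are constructed, not captured from any real resolver), parses them with a small header/answer-section decoder, and classifies each one.

```python
"""Classify a resolver's reply to a probe for a nonexistent name.

An honest resolver returns RCODE 3 (NXDOMAIN).  A resolver that rewrites
NXDOMAIN to point at an ad or search page returns NOERROR plus an A record.
All packets here are constructed for the example; none are real captures.
"""
import struct

PROBE_NAME = "nonexistent-probe.example."   # constructed probe name


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, rcode: int, answers: list[str]) -> bytes:
    """Build a minimal DNS response to an A query (constructed sample data).

    Header: ID 0x1234, flags QR|RD|RA with the RCODE in the low nibble,
    one question, len(answers) answer RRs, no authority/additional RRs.
    """
    flags = 0x8180 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rrs = b""
    for ip in answers:
        # 0xC00C is a compression pointer to the question name at offset 12.
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return the RCODE and any A-record addresses in the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0xF, "addresses": addresses}


def classify_probe_response(msg: bytes) -> str:
    """Classify a reply to a query for a name known not to exist.

    'nxdomain'    -> RCODE 3, the RFC-correct answer
    'synthesized' -> NOERROR with A records: the resolver rewrote NXDOMAIN
    'other'       -> anything else (SERVFAIL, empty NOERROR, ...)
    """
    parsed = parse_response(msg)
    if parsed["rcode"] == 3:
        return "nxdomain"
    if parsed["rcode"] == 0 and parsed["addresses"]:
        return "synthesized"
    return "other"


# Constructed samples: an honest NXDOMAIN and a rewritten NOERROR+A reply.
HONEST_REPLY = build_response(PROBE_NAME, 3, [])
REWRITTEN_REPLY = build_response(PROBE_NAME, 0, ["192.0.2.10"])  # TEST-NET-1

if __name__ == "__main__":
    for label, pkt in (("honest", HONEST_REPLY), ("rewritten", REWRITTEN_REPLY)):
        print(f"{label}: {classify_probe_response(pkt)} {parse_response(pkt)}")
```

To test a live resolver, send an A query for a random label under a zone you control (so a cache cannot mask the result) and feed the raw reply to `classify_probe_response`; a "synthesized" result on a resolver you did not configure for rewriting is exactly the misfeature Rick describes, and it is what breaks SMTP, which relies on NXDOMAIN to reject mail for nonexistent domains.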
