North American Network Operators Group
Re: DNS - connection limit (without any extra hardware)
On Monday 11 December 2006 16:15, you wrote:
> > I used to slave "." which can save time on recursive DNS servers when they have
> > a lot of dross to answer (assuming it is totally random dross).
>
> I'm not sure I understand your solution.
> You configure your name-server as a slave-root-server?

Yes. Most of the root server traffic is answering queries with "NXDOMAIN" for non-existent top level domains; if you slave root on your recursive servers, your recursive servers can answer those queries directly (from the 120KB root zone file), rather than relying on negative caching, and a round trip to the root servers, for every new non-existent domain.

The drawback is you provide the answer with the authority bit set, which isn't what the world's DNS clients should expect, but DNS clients don't care about that one bit (sorry). If the root zone file changed quickly it might also cause other problems!

Paul V was very cautious about it as a method of running a DNS server, but if the recursive servers are being barraged with queries for (different) non-existent top level domains I think it is probably preferable to the servers being flattened (and/or passing that load onto the root name servers). If the queries are for existing, or the same, domains each time, it won't provide significant improvement.

I suppose any server issuing more than 2000 or so queries a day to the root servers would potentially save bandwidth, and provide a more responsive experience for the end user. But one also has to handle the case of the root zone potentially expiring, not something I ever allowed to happen, but then I'm not the average DNS administrator.

I've used this technique extensively myself in the past with no issues, but I'm not using it operationally at the moment. Since the load average on our DNS server is 0.00 to two decimal places I doubt it would make a lot of difference, and we host websites, and email, not randomly misconfigured, home, or business user PCs.
So mostly we do lookups in in-addr.arpa, a depressingly large proportion of which fail, or look-ups for a small set of servers we forward email to (most of which exist, or I delete the forward).
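A BIND 9 named.conf fragment for the approach described above, added here as an illustration rather than taken from the thread; the transfer source is a placeholder, and the file name and the `notify`/`allow-transfer` settings are assumptions of this example, not something the post specifies.

```conf
// Added example (not from the post): slave the root zone on a recursive
// BIND 9 server so NXDOMAIN for bogus TLDs is answered locally.
// ROOT_XFR_SERVER is a placeholder: substitute the address of a root
// server (or root zone distribution host) that permits AXFR of ".".
zone "." {
    type slave;
    file "root.zone";             // local copy; ~120KB in 2006, far larger now
    masters { ROOT_XFR_SERVER; };
    notify no;                    // a recursor has no secondaries to notify
    allow-transfer { none; };     // don't re-serve the zone to third parties
    // Caveats from the post, in config terms:
    //  - answers for names under "." come back with AA set, unlike a
    //    normal recursor; clients ignore it, but it is not the expected shape
    //  - if transfers keep failing past the SOA expire time the zone expires,
    //    and since "." covers every name an expired copy leaves this server
    //    unable to answer anything; monitor transfer success, not just load
};
```

Newer BIND (9.14 and later) provides `type mirror;` for exactly this use: the transferred copy is DNSSEC-validated, answers are not flagged authoritative, and an expired or unvalidated copy makes named fall back to ordinary recursion instead of failing.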