Linux Users' Group of Davis (LUGOD)

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Fwd: Very slow off net

Quoting Bill Broadley (bill@broadley.org):

> I'd suggest adding caching in there somewhere, probably assumed.

I've yet to find a nameserver package of any sort, recursive,
authoritative, or even merely forwarding, that doesn't do caching.  


> Agreed.  Large ISPs (like pacbell) often have overloaded DNS, not to mention
> the DNS is often on the wrong end of a busy network.

That's only the beginning of their problems.  To the predominant
dog-slow performance I would add pervasive cache poisoning, i.e., the
quality of being a security menace, as the next obvious problem to
mention.  But better to just skip them.

> I suggest unbound.

I like Unbound, despite its relative youth.  PowerDNS Recursor is also
good, and perhaps a bit better tested.  I would also consider MaraDNS.

I'm extremely happy with the authoritative-only server published for
quite a while by the same .nl TLD people who've more recently followed
up with Unbound, FWIW.

> >  It'll also improve performance over using OpenDNS, 
> 
> Sort of.  For cache hits, yes.  For cache misses, not so much.

Obviously, I was talking about cache hits -- which predominate if you
run a recursive nameserver for a long while.

> Sure, so only your ISP instead of opendns and your ISP knowing everywhere you
> visit.

The problem of your upstream link(s) being able to do traffic analysis on
where your packets are sent to, and inspection in cases where you don't
bother to encrypt them, is a separate problem.  But you knew that.
Also, unlike OpenDNS, they have fiduciary obligations to you under
contract.  But you knew that, too.

Use OpenDNS, and a party who owes you no loyalty whatsoever has a
central record of all DNS queries your IP has attempted.

> NXDOMAIN does bug me, I believe that's optional if you log in/create an account.

That deliberate RFC violation _should_ bug you.  It's essentially saying
"Nothing but the Web counts.  Correct DNS information for SMTP mail
doesn't matter, because it's not the Web."

I'm not clear on why a login would remove that misfeature.  They use the 
ads on their "Site not found" Web pages to generate the revenue stream
that underwrites the service.

> Oh, almost forgot.  I'd recommend unbound as a local caching recursive
> server.  It's DNSSEC and DLV aware....

I'm no DJB fan, but I think he's right about the reasons why DNSSEC is
never going to be used on any significant enough scale to matter.  The DLV
lookaside kludge (that partially works around lack of a signed root
zone) to an overengineered and impractical spec strikes me as just
another deck-chair on the sinking ship.

I don't know why I should trust DLV repositories (Trust Anchor
repositories), and the largest one that makes something like a
meaningful effort to validate that they belong to whom they claim to
(ISC's) had a whopping total of 25 DLV records in it a year ago, when I
last looked into this.  (SecSpider collects DLVs, but doesn't validate
them.)

So, good luck making that stuff practical and useful.  Do send a
postcard.  ;->


Anyway, FWIW:
http://linuxmafia.com/faq/Network_Other/dns-servers.html
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
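
The thread above objects to resolvers that answer a query for a nonexistent name with an A record (pointing at an ad-bearing "site not found" page) instead of the RCODE 3 / NXDOMAIN the RFCs require. The following is an added example, not code from the original post or from any of the resolvers discussed: a stdlib-only Python check that builds a query for a name that cannot exist (a random label under the reserved .invalid TLD), parses the raw DNS reply, and reports whether the resolver answered honestly or rewrote the NXDOMAIN. To keep it runnable offline, the two replies it inspects are constructed inline with the same question and transaction ID; the rewritten one points at 192.0.2.1 (TEST-NET-1, a documentation address, not a real redirect target). Against a real resolver you would send `build_query()` over UDP/53 and feed the reply to `classify_response()`.

```python
"""Detect NXDOMAIN rewriting in raw DNS replies (added example, stdlib only).

The replies below are constructed test data, not captured traffic.
"""
import os
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Standard recursive query (RD=1) with a single question."""
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data):
    """Return (txid, rcode, [(name, rtype, rdata), ...]) from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, data[offset:offset + rdlength]))
        offset += rdlength
    return txid, flags & 0x000F, answers


def classify_response(query, response):
    """'nxdomain' is the RFC-conformant reply for a name that does not exist;
    'rewritten' means the resolver handed back an A record for it anyway."""
    txid, rcode, answers = parse_response(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        return "mismatched-txid"  # not an answer to our question; discard
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == RCODE_NOERROR and any(t == QTYPE_A for _, t, _ in answers):
        return "rewritten"
    return "other-rcode-%d" % rcode


def make_response(query, rcode, a_records=()):
    """Constructed reply (test data only) echoing the query's txid and question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = b""
    for ip in a_records:
        body += b"\xc0\x0c"  # name = pointer to the question name at offset 12
        body += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        body += bytes(int(o) for o in ip.split("."))
    return header + query[12:] + body


# Random label under .invalid: guaranteed not to exist, so only NXDOMAIN is honest.
PROBE = "probe-%s.invalid" % os.urandom(4).hex()
QUERY = build_query(PROBE, txid=0x1234)
HONEST_REPLY = make_response(QUERY, RCODE_NXDOMAIN)
REWRITTEN_REPLY = make_response(QUERY, RCODE_NOERROR, ["192.0.2.1"])  # TEST-NET-1

if __name__ == "__main__":
    print("honest resolver:   ", classify_response(QUERY, HONEST_REPLY))
    print("rewriting resolver:", classify_response(QUERY, REWRITTEN_REPLY))
```

The transaction-ID comparison is there for the same reason the post mentions cache poisoning: a reply whose ID does not match the outstanding query is not evidence of anything about the name and must be discarded rather than classified. A probe under a TLD that is reserved never to resolve (.invalid) is what makes "any A record at all" a reliable signal of rewriting, whereas a random label under a real zone could legitimately hit a wildcard record.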