> Humans notice, because the traffic runs through a perimeter firewall
> that checks port 53 traffic against its Intrusion Protection
> profiles (amongst other things). Lately, during periods of heavy
> activity it's been ramping up the CPU and memory of the perimeter
> firewall. I've noticed moments of sluggishness as a result.

If you have 250,000 messages, each one does 10 lookups -- 2.5 million remote lookups on its own is not overwhelming (of course, depending on your raw upstream/downstream bandwidth, but I presume you have that limit covered). But 250,000 daily queries to an individual BL will likely exceed their limits if they have one: overages may be timed out or throttled down, adversely (and purposely) affecting the number of attempted and simultaneous outbound connections.

What is the firewall model? What's the rated max UDP connections? The rated max for wire-speed IPS inspection? Do these effects, in other words, simply jibe with your use of a lowish-end firewall to do egress filtering on some rather chatty servers? If the results are not what you would expect from your hardware, do you have some setting that is leaving connections open for too long? A too-deep inspection profile being applied to these servers? If push comes to shove, what about giving these machines their own dedicated IPS and not filtering on the main unit?

> My two declude servers probably handle about 250k messages per day, but
> around 90% of that is eliminated as waste. This waste still consumes
> bandwidth and DNS connections.

Well, of course... if it didn't take DNS connections, you wouldn't know it's waste (with the exception of those BL lookups which are redundant with other tests or which rarely find listings -- and those are lookups you should eliminate).

> Yes, I run local DNS on the Declude Machines, but I've noticed that
> the caching isn't all that effective. To the perimeter firewall, a
> lookup is a lookup, no matter what resource asked for it.

When a result is in the local DNS cache, there is no remote lookup, so nothing goes through the firewall. Can you check the size of the cache throughout the day and verify that you haven't turned something off so that lookups are being passed through and not cached?
It is of course possible that you have a few IPs that reconnect before their TTLs expire, but that should be verified. And my other recommendation stands -- look into which BLs will let you replicate their zone/s locally.

--Sandy

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [email protected], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
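As an added example (not part of Sandy's message, and not Declude's or any BL's code), the cache argument above can be made concrete with a small simulation: a stream of sender IPs is checked against several DNSBL zones through a TTL-respecting local cache, and only cache misses count as queries that leave the box and cross the firewall. The zone names, TTLs, per-zone quotas, listings and the sender stream are all constructed; the "stop on first listing" option is one assumed way a filter might drop redundant lookups, not a description of how Declude orders its tests.

```python
"""Added example: count which DNSBL lookups actually leave the box
when a TTL-respecting local resolver cache sits in front of them.
All zones, TTLs, quotas and sender IPs below are constructed."""
from collections import Counter
import ipaddress

# Constructed zones with assumed TTLs in seconds (hypothetical names).
ZONES = {"bl-a.example": 300, "bl-b.example": 3600}
# Constructed listings, using TEST-NET addresses.
LISTED = {"bl-a.example": {"192.0.2.10"}, "bl-b.example": set()}
# Hypothetical per-zone daily query quotas.
QUOTAS = {"bl-a.example": 4, "bl-b.example": 100}


def dnsbl_query_name(ip, zone):
    """DNSBL convention: the IPv4 octets reversed under the zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name):
    """Stand-in for a remote query; returns (answer, ttl).
    Assumption: a negative answer is cached for the zone TTL here.
    A real resolver uses the SOA minimum for negative caching."""
    parts = name.split(".")
    ip = ".".join(reversed(parts[:4]))
    zone = ".".join(parts[4:])
    answer = "127.0.0.2" if ip in LISTED[zone] else None
    return answer, ZONES[zone]


class TtlCache:
    """Minimal resolver cache: an entry answers locally until it expires."""

    def __init__(self):
        self._entries = {}  # name -> (expires_at, answer)
        self.hits = 0
        self.misses = 0

    def lookup(self, name, now, resolve):
        entry = self._entries.get(name)
        if entry is not None and entry[0] > now:
            self.hits += 1          # answered locally, nothing crosses the firewall
            return entry[1]
        self.misses += 1            # remote query goes out
        answer, ttl = resolve(name)
        self._entries[name] = (now + ttl, answer)
        return answer

    def live_entries(self, now):
        """How big the cache is at a given moment (what to watch during the day)."""
        return sum(1 for expires_at, _ in self._entries.values() if expires_at > now)


def simulate(events, zones=ZONES, quotas=QUOTAS, resolve=fake_resolve,
             stop_on_first_hit=False):
    """events: (timestamp_seconds, sender_ip) pairs. Returns per-zone remote
    query counts, cache hit/miss totals, which zones exceed their assumed
    quota, and the cache size at the last timestamp."""
    cache = TtlCache()
    remote = Counter()
    last_ts = 0
    for ts, ip in sorted(events):
        last_ts = ts
        for zone in zones:
            name = dnsbl_query_name(ip, zone)
            before = cache.misses
            answer = cache.lookup(name, ts, resolve)
            if cache.misses != before:
                remote[zone] += 1
            if stop_on_first_hit and answer is not None:
                break   # assumed optimisation: skip the remaining BLs once listed
    return {
        "hits": cache.hits,
        "misses": cache.misses,
        "remote_per_zone": dict(remote),
        "over_quota": sorted(z for z, n in remote.items()
                             if n > quotas.get(z, float("inf"))),
        "live_cache_entries": cache.live_entries(last_ts),
    }


# Constructed sender stream: one IP reconnecting around the TTL boundaries,
# two one-off senders.
EVENTS = [(0, "192.0.2.10"), (10, "198.51.100.7"), (20, "203.0.113.5"),
          (60, "192.0.2.10"), (400, "192.0.2.10"), (4000, "192.0.2.10")]

if __name__ == "__main__":
    for flag in (False, True):
        print("stop_on_first_hit=%s -> %s" % (flag, simulate(EVENTS, stop_on_first_hit=flag)))
```

With the constructed stream, the repeat sender is answered from cache only while the zone TTL covers the gap between its connections: the 300-second zone is re-queried at 400 and 4000 seconds, the 3600-second zone only at 4000. That is the effect Sandy describes, and it is why the cache size over the day (`live_entries`) and the per-zone remote count are the two numbers to compare against the BL's quota.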
