Moin!

On 20 Mar 2020, at 19:39, Rob Sayre wrote:
> Yes, at which point one can switch to user space networking if really
> necessary.

Which has been done for DNS, but usually with special cards that did offload other UDP functions also.

> I've never studied DNS server implementations closely (I was talking about
> protocol performance), but I have seen web servers that do this.

They have, but all of this is again effort to be done.

> What level of throughput would that be? Web server benchmarks have to be
> designed to avoid saturating a 10gE NIC. (e.g.
> https://www.techempower.com/benchmarks/#section=data-r18&hw=ph&test=json).

Web throughput is vastly different from DNS throughput. While the typical web page or picture usually is a couple of kilobytes or megabytes, the typical DNS question/answer is around 100 bytes on the wire. Even with DNSSEC enabled it usually is below 500 bytes. So the parameter you look at is packets per second and not saturation. You can easily saturate whatever link size you desire with large packets, even with DNS, which is what amplification attacks do.

When I now look at DoH packets on the wire, even discounting the initial TLS setup, they are for the same questions/answers between 40% and 100% bigger. Now of course that overall means they have 40 to 100 bytes more, which is not much in the overall traffic, but a protocol that has to put more bits on the wire has to do more work, which is the point I was trying to bring across.

So long
-Ralf

--
Ralf Weber

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
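The packets-per-second argument above can be made concrete by building a minimal DNS query and answer in wire format and working out how many such frames a 10 Gbit/s link carries, versus how many full-size frames it carries. The following is an added example, not code from the thread or from any DNS implementation; the query name `example.com`, the answer address and the `/dns-query` path template are constructed sample values, and the framing overheads used are the standard Ethernet II, IPv4 and UDP header sizes plus FCS, preamble and inter-frame gap. The DoH figure shown is only the base64url expansion of the same query that RFC 8484 specifies for the GET form; the TLS record and HTTP/2 framing that Ralf refers to sit on top of that and are not modelled here.

```python
import base64
import struct

# Per-frame overhead on an Ethernet link (standard sizes, not page-specific values)
ETH_IP_UDP_HDR = 14 + 20 + 8   # Ethernet II + IPv4 + UDP headers
ETH_FCS = 4                    # frame check sequence
ETH_MIN_FRAME = 64             # minimum frame size including FCS
ETH_PREAMBLE_IFG = 8 + 12      # preamble/SFD + inter-frame gap consumed on the wire


def encode_name(name: str) -> bytes:
    """Encode an owner name as length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """A plain DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Answer the query with one A record, using a compression pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, ANCOUNT=1
    question = query[12:]
    rdata = bytes(int(octet) for octet in addr.split("."))    # constructed sample address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def udp_wire_bytes(payload_len: int) -> int:
    """Bytes a UDP payload occupies on the wire, including minimum-frame padding and IFG."""
    frame = max(ETH_IP_UDP_HDR + payload_len + ETH_FCS, ETH_MIN_FRAME)
    return frame + ETH_PREAMBLE_IFG


def max_pps(link_bps: int, payload_len: int) -> int:
    """Line-rate packet count for frames carrying payloads of the given size."""
    return link_bps // (8 * udp_wire_bytes(payload_len))


def doh_get_path(query: bytes, template: str = "/dns-query") -> str:
    """RFC 8484 GET form: the DNS message base64url-encoded without padding (path assumed)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


if __name__ == "__main__":
    link = 10_000_000_000  # 10GbE
    q = build_query("example.com")
    r = build_response(q, "93.184.216.34")
    print(f"query payload {len(q)} B, on wire {udp_wire_bytes(len(q))} B")
    print(f"answer payload {len(r)} B, on wire {udp_wire_bytes(len(r))} B")
    print(f"10GbE carries {max_pps(link, len(q)):,} query-sized frames/s")
    print(f"10GbE carries {max_pps(link, 1472):,} full-size (1472 B payload) frames/s")
    print(f"DoH GET path for the same query: {len(doh_get_path(q))} chars before HTTP/TLS framing")
```

The query itself is under 30 bytes of payload and around 95 bytes on the wire once framing is counted, which is the region Ralf's "around 100 bytes" figure points at. At that size a 10GbE link offers over 13 million frames per second, against well under a million for full-size frames, so a resolver that is nowhere near saturating bandwidth can still be limited by per-packet work. The base64url step alone grows the encoded message by a third; request line, headers and TLS records add the rest of the 40 to 100 percent overhead mentioned in the message.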
