Tomoyuki Murakami:
> > - How long postscreen should wait for client hostname lookup to
> >   complete before or after whitelist/blacklist/before-220/after-220
> >   checks.
>
> I thought the deadline is the end of the "deep protocol" tests.

And how much time would that be? Keep in mind that postscreen does
not always wait for the 6-second pregreet delay. It only waits when
the PREGREET or DNSBL test is not whitelisted.

> > - The impact of client hostname lookup on the number of dnsblog
> >   processes, for the normal case and for the worst case.
>
> I assume that it adds 1 to DNSBL checking at worst, because in the
> postscreen process, reverse lookup opens one socket per session,
> and the number of dnsblog processes is the same in the normal and
> the worst case.

The number of simultaneous dnsblog processes is proportional to the
number of connections/second AND the DNS lookup latency. In the worst
case, DNS lookups will time out after 5+ seconds.

While on average the DNS takes a fraction of a second, you don't
control where the client connects from, and you don't control how
quickly the client's reverse DNS responds.

So, what is the worst-case impact on the number of dnsblog processes?
If a bad guy makes 100 connections then postscreen will fire off 100
dnsblog queries that will do nothing for 5+ seconds.

	Wietse
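As an added illustration of the worst-case argument above (example code written for this page, not code from the Postfix project or from either participant in the thread): a small event simulation that counts how many dnsblog processes are busy at once when every connection holds one process until its reverse lookup answers or the resolver gives up. The model follows what the message states (one lookup per connection, a lookup that never answers occupies its process for the full timeout); the 5-second timeout, the millisecond clock, and the connection bursts are constructed assumptions, not measured Postfix behaviour.

```python
"""Simulate how many dnsblog processes postscreen holds open at once.

Model (constructed for this example, not Postfix's own code): every
connection starts one dnsblog lookup at its connect time, and that
process stays busy until the reverse lookup answers or the resolver
timeout fires, whichever comes first.  All times are integer
milliseconds so that event ordering is exact.
"""

DNS_TIMEOUT_MS = 5000  # assumption: the "5+ seconds" worst case from the thread


def peak_concurrent_lookups(connections, timeout_ms=DNS_TIMEOUT_MS):
    """Return (peak, peak_time_ms) for a list of (connect_ms, latency_ms).

    A lookup whose latency exceeds timeout_ms occupies its process for
    exactly timeout_ms; a fast answer releases the process sooner.
    """
    events = []
    for connect_ms, latency_ms in connections:
        events.append((connect_ms, 1))                                 # process spawned
        events.append((connect_ms + min(latency_ms, timeout_ms), -1))  # process freed
    # Tuples sort by time, then delta, so a release (-1) at time t is
    # counted before a spawn (+1) at the same t and cannot inflate the peak.
    events.sort()
    busy = peak = 0
    peak_time = None
    for t, delta in events:
        busy += delta
        if busy > peak:
            peak, peak_time = busy, t
    return peak, peak_time


def timed_out_process_ms(connections, timeout_ms=DNS_TIMEOUT_MS):
    """Return (count, process_ms): how many lookups hit the timeout and
    the total process-time they spent waiting for an answer that never came."""
    count = sum(1 for _, latency_ms in connections if latency_ms >= timeout_ms)
    return count, count * timeout_ms


def burst(n, interval_ms, latency_ms, start_ms=0):
    """n connections spaced interval_ms apart, all with the same lookup latency."""
    return [(start_ms + i * interval_ms, latency_ms) for i in range(n)]


if __name__ == "__main__":
    # Normal case: 100 connections/second, reverse DNS answers in 100 ms.
    normal = burst(100, 10, 100)
    print("normal   :", peak_concurrent_lookups(normal))      # (10, 90)
    # Worst case: same rate, but no client's reverse DNS ever answers.
    worst = burst(100, 10, 30000)
    print("worst    :", peak_concurrent_lookups(worst))       # (100, 990)
    print("timed out:", timed_out_process_ms(worst))          # (100, 500000)
    # A bad guy's burst of dead-DNS clients arriving on top of ordinary
    # traffic: the ordinary traffic is not what sets the peak.
    mixed = burst(50, 20, 100) + burst(100, 10, 30000, start_ms=200)
    print("mixed    :", peak_concurrent_lookups(mixed))
```

The normal case reproduces the proportionality stated in the message: 100 connections/second times 0.1 s of latency leaves about 10 dnsblog processes busy at any moment. With the same arrival rate but unanswered lookups, the peak equals the whole burst, because nothing is released until the timeout, and the burst of 100 ties up 500 process-seconds doing nothing useful.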