Re: question about dns query distribution
In message , Barry Margolin writes:
> In article ,
> "Barry S. Finkel" wrote:
>
> > > HI Lawrence,
> > >
> > > We have recursive / caching name server for our Broadband internet
> > > services. And we have 60-40 traffic ratio. I mean 60 % queries comes
> > > on primary and 40% on secondary.
> > >
> > > Why primary does not getting 100% ?

There are lots of potential reasons. Here are some of them:

Because sometimes it takes longer than the client waits for a response from the authoritative servers on a cache miss. If you are validating you also have to take into account the additional queries required to validate.

Because sometimes the authoritative servers are broken so the first server returns SERVFAIL and falls back to the second server which in turn returns SERVFAIL.

Because queries/responses are sent over UDP and UDP doesn't guarantee delivery.

Because the first server may be overloaded.

Because the nameservers are listed in different orders for different clients.

Because some clients randomise which servers they use.

Because some clients lock onto a server until it fails then lock onto the next one that works until it fails.

Because some clients use the fastest server.

> > > Is there any way to do it ? or what is the reason behind it that both
> > > servers' having queries ?
> > >
> > > BR
> > > Ben
> >
> > In DNS there is no concept of a "primary" and "secondary" name server.
> > All of the name servers listed in the NS records for a zone are equal,
> > and any can be used to handle a DNS query (assuming, of course, that
> > each server has the zone properly configured). BIND will use the server
> > that has the shortest response time, but I do not know what other DNS
> > implementations do.
>
> His question is about a caching NS, not the authoritative servers listed
> in NS records. So the distribution is dependent on how client resolvers
> behave, not how other BIND servers operate.
>
> --
> Barry Margolin
> Arlington, MA

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
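Added example, not part of the original thread: a toy model of two of the client behaviours listed in the message above (strict list order with failover on timeout, and randomised server choice), showing how the mix shapes the split between two caching resolvers. The policy names, the 5% timeout rate and the 22/78 client mix are constructed assumptions, not measurements from the thread.

```python
import random

def simulate(n_queries, policy_weights, p_timeout, seed=1):
    """Toy model (constructed): queries received by [first, second] resolver.

    policy_weights: share of queries coming from each stub-resolver policy:
      "ordered" - always try the first listed server, fail over on timeout
      "random"  - pick the starting server at random for every query
    p_timeout: chance the client gives up waiting (slow cache miss, lost
               UDP packet, overloaded server) and retries the other server.
    """
    rng = random.Random(seed)          # fixed seed keeps the run repeatable
    policies = list(policy_weights)
    weights = [policy_weights[p] for p in policies]
    received = [0, 0]
    for _ in range(n_queries):
        policy = rng.choices(policies, weights)[0]
        first = 0 if policy == "ordered" else rng.randrange(2)
        received[first] += 1
        if rng.random() < p_timeout:   # no answer in time: retry elsewhere
            received[1 - first] += 1
    return received

def primary_share(received):
    """Fraction of all received queries that landed on the first server."""
    return received[0] / sum(received)

if __name__ == "__main__":
    # Strict-order clients only, then a constructed mix with random pickers.
    for mix in ({"ordered": 1.0}, {"ordered": 0.22, "random": 0.78}):
        counts = simulate(20000, mix, p_timeout=0.05)
        print(mix, counts, round(primary_share(counts), 3))
```

In this model, failover alone leaves the first server with roughly 95% of the traffic at a 5% timeout rate; a split near 60/40 only appears once most clients choose their starting server at random.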
Re: question about dns query distribution
In article , "Barry S. Finkel" wrote:

> > HI Lawrence,
> >
> > We have recursive / caching name server for our Broadband internet
> > services. And we have 60-40 traffic ratio. I mean 60 % queries comes
> > on primary and 40% on secondary.
> >
> > Why primary does not getting 100% ?
> >
> > Is there any way to do it ? or what is the reason behind it that both
> > servers' having queries ?
> >
> > BR
> > Ben
>
> In DNS there is no concept of a "primary" and "secondary" name server.
> All of the name servers listed in the NS records for a zone are equal,
> and any can be used to handle a DNS query (assuming, of course, that
> each server has the zone properly configured). BIND will use the server
> that has the shortest response time, but I do not know what other DNS
> implementations do.

His question is about a caching NS, not the authoritative servers listed in NS records. So the distribution is dependent on how client resolvers behave, not how other BIND servers operate.

--
Barry Margolin
Arlington, MA
Re: libbind 6.0
On 08/02/13 18:07, Jack Tavares wrote:
> I have been using libbind(6.0) to do dynamic updates via res_mkupdate()

Out of curiosity, is there any reason not to port the code to something running in a higher-level language (or wrapper/script "nsupdate"?)

FWIW we use dns-python for this.
libbind 6.0
I have been using libbind(6.0) to do dynamic updates via res_mkupdate()

libbind is not currently under development. Is there a replacement in bind9 that I should move to?

I see the LWRES but that does not appear to have any update support.

Thank you

--
Jack Tavares
Re: question about dns query distribution
> HI Lawrence,
>
> We have recursive / caching name server for our Broadband internet services. And we have 60-40 traffic ratio. I mean 60 % queries comes on primary and 40% on secondary.
>
> Why primary does not getting 100% ?
>
> Is there any way to do it ? or what is the reason behind it that both servers' having queries ?
>
> BR
> Ben

In DNS there is no concept of a "primary" and "secondary" name server. All of the name servers listed in the NS records for a zone are equal, and any can be used to handle a DNS query (assuming, of course, that each server has the zone properly configured). BIND will use the server that has the shortest response time, but I do not know what other DNS implementations do.

--Barry Finkel
Re: IPv6 Only NS
On 2/8/2013 10:44 AM, Matt wrote:
>>> Also, is there a way to specify a backup parent NS
>>> and ONLY use it if primary fails?
>>
>> Do you mean "NS" here? Or "forwarder"? I know of no way to manually "preference" the forwarders in a list, although you might find that the forwarder that responds fastest -- and thus gets automatically selected for the vast majority of the queries, according to its round-trip-time statistics -- is the one you would want to manually preference anyway...
>
> Looking at this further:
>
> forward only;
> forwarders { 192.168.10.10; };
>
> If I do not set 'forward only', it will try the forwarder first and if it fails it will do the lookup itself. If this is right it suits my purpose perfectly. If the forwarder is down it will fall back and do the lookup itself. Is that right?

The key difference to understand, though, is that "forward first" (the default mode if "forward only" isn't set) will fail over from *recursive* resolution to *non-recursive* (aka iterative) resolution. Iterative resolution assumes a couple of things:

- a properly-primed root zone (meaning, your hints information must be sufficiently up-to-date for the priming process to be successful)
- connectivity to all of the authoritative nameservers encountered during the course of resolving the name (which might be several delegation levels deep). NAT usually isn't a problem for DNS resolution, but trying to resolve Internet names iteratively from behind heavy firewall restrictions doesn't generally work.

If those things are in place already, I'm wondering why you're forwarding in the first place (?) To achieve some sort of performance enhancement? You might try ditching the forwarding, and see if your performance is as good as (or possibly better than) your requirements.

How "forward first" helps you with your IPv4-versus-IPv6 challenge, I'm not sure. I think Mark's suggestion to use the "dual-stack-servers" feature (which quite frankly I didn't know existed until Mark's suggestion) is probably your best bet.

- Kevin
Re: IPv6 Only NS
>> Also, is there a way to specify a backup parent NS
>> and ONLY use it if primary fails?
>
> Do you mean "NS" here? Or "forwarder"? I know of no way to manually
> "preference" the forwarders in a list, although you might find that the
> forwarder that responds fastest -- and thus gets automatically selected for
> the vast majority of the queries, according to its round-trip-time
> statistics -- is the one you would want to manually preference anyway...

Looking at this further:

forward only;
forwarders { 192.168.10.10; };

If I do not set 'forward only', it will try the forwarder first and if it fails it will do the lookup itself. If this is right it suits my purpose perfectly. If the forwarder is down it will fall back and do the lookup itself. Is that right?
Re: question about dns query distribution
On 08.02.13 20:01, benjamin fernandis wrote:
> We have recursive / caching name server for our Broadband internet services. And we have 60-40 traffic ratio. I mean 60 % queries comes on primary and 40% on secondary.
>
> Why primary does not getting 100% ?
>
> Is there any way to do it ? or what is the reason behind it that both servers' having queries ?

There are cases where DNS resolver sorts IP addresses and thus prefers one of them. There are also cases where DNS resolver measures response time and uses the faster DNS server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
Re: Performance impact of a large ACL list.
Augie,

On Monday, 2013-02-04 19:01:38 -0600, "Jeremy C. Reed" wrote:
> On Mon, 4 Feb 2013, Augie Schwer wrote:
>
> > Does anyone have any experience using a large ( 1k ) entry ACL list?
> > Was there any performance degradation?
> >
> > I haven't implemented my ACL yet, but it has quickly ballooned up,
> > and I am hoping to get some advice from others in a similar
> > situation.
>
> It has been a few years since I researched this. (I should re-add
> this to my existing performance and resource usage tests.)
>
> BIND 9.5 had various ACL improvements including support for O(1) ACL
> processing, based on radix tree code. As one example, with 20,000 to
> 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps,
> while the new version has around 21,000 qps.

This specific change should mean that adding IP-based ACL will not slow down ACL performance.

However, if you are using TSIG-based ACL then we can't store them in a radix tree, and these still scale linearly with the number of entries, IIRC.

I suppose we can change this to a tree-based structure at some point if there is a real need for large TSIG-based ACL. It still won't be as fast as IP-based ACL, but it should be much faster than the simple list-based implementation we have now.

Cheers,

--
Shane
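Added example, not part of the original thread and not BIND's code: the contrast drawn above between a list-based ACL and a radix-tree one, shown as a linear scan beside a binary prefix trie whose lookup cost is bounded by the address length. The 1,000-entry ACL and all names are constructed; the sketch tests membership only and ignores ACL ordering and negation.

```python
import ipaddress

class PrefixTrie:
    """Binary trie over IPv4 prefixes; a lookup walks at most 32 bits."""
    def __init__(self):
        self.root = [None, None, False]      # [child0, child1, prefix_ends_here]

    def add(self, cidr):
        net = ipaddress.ip_network(cidr)
        bits, node = int(net.network_address), self.root
        for i in range(net.prefixlen):
            b = (bits >> (31 - i)) & 1
            if node[b] is None:
                node[b] = [None, None, False]
            node = node[b]
        node[2] = True

    def lookup(self, addr):
        """Return (matched, bit_steps_taken)."""
        bits, node, steps = int(ipaddress.ip_address(addr)), self.root, 0
        for i in range(32):
            if node[2]:                      # a stored prefix covers addr
                return True, steps
            node = node[(bits >> (31 - i)) & 1]
            steps += 1
            if node is None:                 # no stored prefix on this path
                return False, steps
        return node[2], steps

def linear_lookup(acl, addr):
    """Return (matched, entries_examined) for a first-to-last list scan."""
    ip = ipaddress.ip_address(addr)
    for steps, net in enumerate(acl, start=1):
        if ip in net:
            return True, steps
    return False, len(acl)

# Constructed ACL: 1,000 /24 entries, 10.0.0.0/24 through 10.3.249.0/24.
ACL_CIDRS = [f"10.{i // 250}.{i % 250}.0/24" for i in range(1000)]
ACL_NETS = [ipaddress.ip_network(c) for c in ACL_CIDRS]
TRIE = PrefixTrie()
for cidr in ACL_CIDRS:
    TRIE.add(cidr)

def compare(addr):
    """Return ((matched, steps) for the list, (matched, steps) for the trie)."""
    return linear_lookup(ACL_NETS, addr), TRIE.lookup(addr)

if __name__ == "__main__":
    for addr in ("10.3.249.77", "10.4.0.1"):
        print(addr, compare(addr))
```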
RE: question about dns query distribution
Casey,

Lots of good questions :).

Many zones on the servers. Just comparing total query count for all domains for which they are auth servers.

They are almost identical in every way although I can see a slight possibility that ns2 has a bit slower network connection.

Yup, the names of the servers are as similar as suggested here. And both nameservers have glue records.

Thanks for the feedback!

Marty

Date: Wed, 6 Feb 2013 12:06:36 -0800
Subject: Re: question about dns query distribution
From: ca...@deccio.net
To: sun-g...@live.com
CC: bind-users@lists.isc.org

On Wed, Feb 6, 2013 at 11:32 AM, M. Meadows wrote:
> Recently noticed that for 2 nameservers ns1.tbd.com and ns2.tbd.com (names are changed to protect the innocent) the first nameserver consistently receives twice as many queries as the 2nd nameserver. Who can tell me why queries are distributed this way?

I assume you are comparing queries for names within the same zone on both servers? If so, do either (or both) of the name servers have glue? Are the names of the servers as similar as you suggest (e.g., within the same domain), or are they different? How different are the servers in terms of their network connectivity (i.e., to compare response time)?

Casey
RE: question about dns query distribution
They are authoritative nameservers. Thanks for the reply!

Date: Wed, 6 Feb 2013 16:12:51 -0500
From: lkc...@ksu.edu
To: bind-users@lists.isc.org
Subject: Re: question about dns query distribution

Are these authoritative nameservers or resolving DNS servers?

If the latter, it's probably because everybody has resolv.conf's listing ns1.tbd.com first and ns2.tbd.com second.

We used to have 3 recursive/caching servers x.x.x.2, x.x.x.3, x.x.x.4. x.x.x.2 would get heavily used, with the other two practically being idle.

Later the networking group changed DHCP to hand out x.x.x.3 as the first nameserver. So '2' mainly sees queries from most systems not using DHCP and '3' mainly sees queries from systems using DHCP. And, most of my systems use '4' :)

They had talked about having DHCP use 3 first or 4 first for different parts of campus, but... they probably don't want to touch it, since it hasn't been updated since it was turned on 6+ years ago (it's running ISC dhcpd v3.0.4.)

Though '4' is out in our powerplant where it only has 100BaseT. '2' & '3' are in our datacenter with gigabit. They all used to live out in the powerplant originally. But, as the old hardware started failing, I scrounged up some old servers in the datacenter to replace them, but didn't get very far on doing the physical replacement process. Perhaps I'll do better as this current hardware nears EOL.

> Recently noticed that for 2 nameservers ns1.tbd.com and ns2.tbd.com (names are changed to protect the innocent) the first nameserver consistently receives twice as many queries as the 2nd nameserver. Who can tell me why queries are distributed this way?
>
> Any ideas? I assume it's something relatively simple.
>
> Thank you.
>
> Marty

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library