Re: netstat performance

2011-07-06 Thread Andrei POPESCU
On Ma, 05 iul 11, 18:13:06, William Hopkins wrote:
 
 The primary reasons are 1) reliability separate from your ISP and 2) verified
 correct results without NXDOMAIN spam and other such things. 
 
[...]

 Please believe point 2 is based in verified and somewhat commonly-known fact,
 and not paranoia (:

Well, my ISP has proven generally quite reliable, so I'm not terribly 
worried here. Regarding point 2) so far I've heard only of bad 
configuration (was that too long caching time?) from one ISP in Romania. 

What I really don't like is my ISP's OpenDNS-like feature of returning 
some search page whenever I'm looking for the wrong domain or just 
mistype. My local setup is pending a reconfiguration (new machine + new 
wireless router) and I'll consider your suggestion again at the time ;)

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: netstat performance

2011-07-05 Thread Andrei POPESCU
On Sb, 02 iul 11, 12:23:39, William Hopkins wrote:
 On 07/02/11 at 02:06pm, Andrei POPESCU wrote:
  On Sb, 02 iul 11, 09:35:35, Erwan David wrote:
   
   That's what I do: I have unbound locally for recursive, and it caches
   for the local network + bind for authoritative.
  
  Not sure what recursive means [...]
 
[snip recursive explanation]

Thanks a lot for this explanation, DNS is still a bit like dark magic to 
me :)

My understanding is that a recursive DNS server (especially one with 
DNSSec support) would make sense in networks with more than just a 
couple of devices, especially since you need a separate DHCP server 
anyway. Of course, this doesn't account for the 'I want to tinker' 
factor ;)

Regards,
Andrei
-- 




Re: netstat performance

2011-07-05 Thread William Hopkins
On 07/05/11 at 10:09pm, Andrei POPESCU wrote:
 On Sb, 02 iul 11, 12:23:39, William Hopkins wrote:
  On 07/02/11 at 02:06pm, Andrei POPESCU wrote:
   On Sb, 02 iul 11, 09:35:35, Erwan David wrote:

   That's what I do: I have unbound locally for recursive, and it caches
   for the local network + bind for authoritative.
   
   Not sure what recursive means [...]
  
 [snip recursive explanation]
 
 Thanks a lot for this explanation, DNS is still a bit like dark magic to 
 me :)
 
 My understanding is that a recursive DNS server (especially one with 
 DNSSec support) would make sense in networks with more than just a 
 couple of devices, especially since you need a separate DHCP server 
 anyway. Of course, this doesn't account for the 'I want to tinker' 
 factor ;)

The primary reasons are 1) reliability separate from your ISP and 2) verified
correct results without NXDOMAIN spam and other such things. For 1, although
your ISP's routers may be up, their DNS may go down or become incorrectly
configured, and then you wouldn't be able to browse or use most internet
services. For 2, you cannot trust your ISP to give you accurate results.
NXDOMAIN spam is almost universal now and in many cases ISPs have been caught
blocking websites via DNS resolution which is in a very grey legal area in the
US, but I consider blatantly unethical. Both of these reasons apply whether you
have one box or one hundred. The DNSsec issue also plays into 'you can't trust
ISPs' and applies, but I won't go into it, this is a wall of text as it is.

Please believe point 2 is based in verified and somewhat commonly-known fact,
and not paranoia (:

-- 
Liam




Re: netstat performance

2011-07-05 Thread Brian
On Tue 05 Jul 2011 at 22:09:38 +0300, Andrei POPESCU wrote:

 [snip recursive explanation]

It was a really good explanation, wasn't it?
 
 Thanks a lot for this explanation, DNS is still a bit like dark magic to 
 me :)

I suspect you may be doing yourself an injustice. :)

 My understanding is that a recursive DNS server (especially one with 
 DNSSec support) would make sense in networks with more than just a 
 couple of devices, especially since you need a separate DHCP server 
 anyway. Of course, this doesn't account for the 'I want to tinker' 
 factor ;)

A single device is sufficient. The question to answer is: who do you
want to do resolving for you and why?

I do not see a connection between having a DHCP server and operating a
nameserver.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110705221839.GZ15615@desktop



Re: netstat performance

2011-07-05 Thread William Hopkins
On 07/05/11 at 11:18pm, Brian wrote:
 On Tue 05 Jul 2011 at 22:09:38 +0300, Andrei POPESCU wrote:
 
  [snip recursive explanation]
 
 It was a really good explanation, wasn't it?
  
  Thanks a lot for this explanation, DNS is still a bit like dark magic to 
  me :)
 
 I suspect you may be doing yourself an injustice. :)
 
  My understanding is that a recursive DNS server (especially one with 
  DNSSec support) would make sense in networks with more than just a 
  couple of devices, especially since you need a separate DHCP server 
  anyway. Of course, this doesn't account for the 'I want to tinker' 
  factor ;)
 
 A single device is sufficient. The question to answer is: who do you
 want to do resolving for you and why?

You put it better than I managed, haha.
 
 I do not see a connection between having a DHCP server and operating a
 nameserver.

Dnsmasq provides both services in an effort to be a single-utility solution for
small networks. Of course, in networks that small I usually forego both DHCP
*and* local DNS.

-- 
Liam




Re: netstat performance

2011-07-05 Thread Brian
On Tue 05 Jul 2011 at 18:13:06 -0400, William Hopkins wrote:

 The primary reasons are 1) reliability separate from your ISP and 2) verified
 correct results without NXDOMAIN spam and other such things. For 1, although
 your ISP's routers may be up, their DNS may go down or become incorrectly
 configured, and then you wouldn't be able to browse or use most internet
 services. For 2, you cannot trust your ISP to give you accurate results.
 NXDOMAIN spam is almost universal now and in many cases ISPs have been caught
 blocking websites via DNS resolution which is in a very grey legal area in the
 US, but I consider blatantly unethical. Both of these reasons apply whether you
 have one box or one hundred. The DNSsec issue also plays into 'you can't trust
 ISPs' and applies, but I won't go into it, this is a wall of text as it is.

I'm not overly bothered about my home ISP (yet). Response times to a
query are of the order of 26 ms and overall they are reliable and, from
their track record, trustworthy. But the market evolves so . . . 

Away from them the experiences you relate in 1) and 2) are not unknown to
me. Some ISPs even attempt directing all port 53 traffic through their
own servers. Tunnelling to a trusted home machine comes in useful there.

And setting up a basic nameserver is so easy. From memory - install BIND9
and put 'nameserver 127.0.0.1' in /etc/resolv.conf. Actually, resolv.conf
can even be empty! Ok, there may have to be some fiddling with dhclient.conf
but it is not hard.


-- 
Archive: http://lists.debian.org/20110705234503.GA15615@desktop



Re: netstat performance

2011-07-02 Thread Erwan David
On 01/07/11 23:21, William Hopkins wrote:
 On 07/02/11 at 12:01am, Andrei POPESCU wrote:
 On Mi, 29 iun 11, 20:08:16, Brian wrote:
 On Wed 29 Jun 2011 at 12:22:26 -0600, Glenn English wrote:
 
 For a good time, 'apt-get install bind' :-)
 
 For an even better time (and to escape the monoculture)
 
 apt-get install unbound
 
 If caching is all you need then
 
 apt-get install dnsmasq
 
 Good point. Caching-only: dnsmasq. Recursive+caching: unbound. 
 Recursive+caching+authoritative: BIND.
 
 There's something to be said for at least implementing local
 recursion, which avoids nasty ISP NXDOMAIN spam. Installing this on a
 local server/router probably obviates the need for dnsmasq on every
 client, I think.
 
 Then again, I have no issue running BIND.
 

That's what I do: I have unbound locally for recursive, and it caches
for the local network + bind for authoritative.


-- 
Archive: http://lists.debian.org/4e0eca47.2080...@rail.eu.org



Re: netstat performance

2011-07-02 Thread Andrei POPESCU
On Sb, 02 iul 11, 09:35:35, Erwan David wrote:
 
 That's what I do: I have unbound locally for recursive, and it caches
 for the local network + bind for authoritative.

Not sure what recursive means, but dnsmasq shines on your gateway, 
where it can provide DHCP too and make sure your local machines are 
reachable via their hostname (with several ways to configure where the 
hostname is taken from).

Kind regards,
Andrei
-- 




Re: netstat performance

2011-07-02 Thread William Hopkins
On 07/02/11 at 02:06pm, Andrei POPESCU wrote:
 On Sb, 02 iul 11, 09:35:35, Erwan David wrote:
  
  That's what I do: I have unbound locally for recursive, and it caches
  for the local network + bind for authoritative.
 
 Not sure what recursive means [...]

Recursive queries are what actual DNS servers perform to find the answer. Your
OS stub resolver performs forwarding, sometimes caching. It knows about a DNS
server (from /etc/resolv.conf) and passes your request to it. This continues
until it reaches a machine willing to recurse, or until it reaches a machine
unwilling to either recurse or forward and then you will receive an error
because your request was not completed.

Once your request reaches a recursing server, it queries the root servers to
find the nameserver for the TLD, then the TLD nameserver to find the nameserver
for the domain in question, then the nameserver for the domain in question for
your actual result. It then passes it back to the client or forwarder who
requested, and it ultimately returns to you. 

So you see, if you install a local recursive DNS server, and not just a
forwarder/DHCP-helper like dnsmasq, you do not need to rely on your ISP's DNS
servers. Your machine will return results directly from the internet even if
your ISPs nameservers go down, and it will return accurate results even if your
ISP poisons their DNS. They frequently do this by returning spam records
instead of NXDOMAIN results, which imo ought to be illegal (at least in the
U.S.)

-- 
Liam


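An added example (not code from any poster in this thread): a toy Python model of the resolution path described above (root, then TLD, then the zone's own nameserver), a local recursive resolver that caches by TTL, and an ISP-style forwarder that turns NXDOMAIN into a search-page answer, together with the check a defender can use to detect that rewriting. All zone data, hostnames and addresses are constructed placeholders.

```python
"""Toy model of recursive resolution, TTL caching and NXDOMAIN rewriting.
Constructed zone data only; RFC 5737 documentation addresses."""
import time

# Constructed referral chain: root -> .com servers -> example.com servers.
ROOT_REFERRALS = {"com.": "ns.tld-com.example."}
TLD_REFERRALS = {"com.": {"example.com.": "ns1.example.com."}}
AUTHORITATIVE = {"example.com.": {"www.example.com.": ("192.0.2.10", 300),
                                  "ns1.example.com.": ("192.0.2.53", 3600)}}

def iterative_lookup(name, trace):
    """What a recursing server does itself: follow referrals down the tree.
    Returns (rcode, address, ttl); trace records each server consulted."""
    fqdn = name.lower().rstrip(".") + "."
    labels = fqdn.rstrip(".").split(".")
    tld, zone = labels[-1] + ".", ".".join(labels[-2:]) + "."
    trace.append("root")
    if tld not in ROOT_REFERRALS:
        return "NXDOMAIN", None, 0
    trace.append(ROOT_REFERRALS[tld])            # ask the TLD server
    if zone not in TLD_REFERRALS[tld]:
        return "NXDOMAIN", None, 0
    trace.append(TLD_REFERRALS[tld][zone])       # ask the zone's server
    rr = AUTHORITATIVE[zone].get(fqdn)
    return ("NXDOMAIN", None, 0) if rr is None else ("NOERROR", rr[0], rr[1])

class LocalRecursiveResolver:
    """Local unbound/BIND-style resolver: recurses itself, caches by TTL,
    so answers do not depend on the ISP's servers being up or honest."""
    def __init__(self):
        self.cache = {}                          # name -> (rcode, addr, expiry)

    def resolve(self, name, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(name)
        if hit and hit[2] > now:
            return hit[0], hit[1], ["cache"]     # RAM hit, no network at all
        trace = []
        rcode, addr, ttl = iterative_lookup(name, trace)
        # Negative answers are cached too (fixed 60 s here for simplicity).
        self.cache[name] = (rcode, addr, now + (ttl or 60))
        return rcode, addr, trace

class SpammingForwarder:
    """Models an ISP resolver that answers NXDOMAIN with a search-page address."""
    SEARCH_PAGE = "198.51.100.1"                 # constructed placeholder

    def __init__(self, upstream):
        self.upstream = upstream

    def resolve(self, name):
        rcode, addr, trace = self.upstream.resolve(name)
        if rcode == "NXDOMAIN":
            return "NOERROR", self.SEARCH_PAGE, trace + ["forwarder:rewritten"]
        return rcode, addr, trace + ["forwarder"]

def nxdomain_is_rewritten(resolver, probe="this-name-does-not-exist.example.com"):
    """Detection check: a name that cannot exist must come back NXDOMAIN.
    Anything else means the resolver in use is substituting answers."""
    rcode, _addr, _trace = resolver.resolve(probe)
    return rcode != "NXDOMAIN"
```

Against a real resolver the same probe is the usual way to spot NXDOMAIN rewriting: query a clearly nonexistent name and expect an NXDOMAIN rcode rather than an A record.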


Re: netstat performance

2011-07-01 Thread Andrei POPESCU
On Mi, 29 iun 11, 20:08:16, Brian wrote:
 On Wed 29 Jun 2011 at 12:22:26 -0600, Glenn English wrote:
 
  For a good time, 'apt-get install bind' :-)
 
 For an even better time (and to escape the monoculture)
 
apt-get install unbound

If caching is all you need then

apt-get install dnsmasq

;)

Regards,
Andrei
-- 




Re: netstat performance

2011-07-01 Thread William Hopkins
On 07/02/11 at 12:01am, Andrei POPESCU wrote:
 On Mi, 29 iun 11, 20:08:16, Brian wrote:
  On Wed 29 Jun 2011 at 12:22:26 -0600, Glenn English wrote:
  
   For a good time, 'apt-get install bind' :-)
  
  For an even better time (and to escape the monoculture)
  
 apt-get install unbound
 
 If caching is all you need then
 
 apt-get install dnsmasq

Good point. 
  Caching-only: dnsmasq.
  Recursive+caching: unbound.
  Recursive+caching+authoritative: BIND.

There's something to be said for at least implementing local recursion, which
avoids nasty ISP NXDOMAIN spam. Installing this on a local server/router
probably obviates the need for dnsmasq on every client, I think.

Then again, I have no issue running BIND.

-- 
Liam




Re: netstat performance

2011-07-01 Thread Brian
On Sat 02 Jul 2011 at 00:01:29 +0300, Andrei POPESCU wrote:

 If caching is all you need then
 
 apt-get install dnsmasq

I quite like unbound's DNSSEC aspect.


-- 
Archive: http://lists.debian.org/20110701214244.GM15615@desktop



netstat performance

2011-06-29 Thread ChadDavis
I notice that the following two invocations of netstat have
drastically different execution times:

netstat

netstat -n


When you just use numerical addresses, it executes almost instantly,
but with the domain names and whatever you call those logical names
for the port numbers, such as 'www', it takes quite a while (5-10
seconds).

Not a big deal, but just made me think.  Surely the name resolution
isn't that costly is it?


-- 
Archive: 
http://lists.debian.org/BANLkTi==1biom+qm_ebr0jl+mmk4oaf...@mail.gmail.com



Re: netstat performance

2011-06-29 Thread Camaleón
On Wed, 29 Jun 2011 10:15:58 -0600, ChadDavis wrote:

 I notice that the following two invocations of netstat have drastically
 different execution times:
 
 netstat
 
 netstat -n
 
 
 When you just use numerical addresses, it executes almost instantly, but
 with the domain names and whatever you call those logical names for the
 port numbers, such as 'www', it takes quite a while (5-10 seconds).
 
 Not a big deal, but just made me think.  Surely the name resolution
 isn't that costly is it?

That's normal... yes, resolving names takes some time :-)

Another example:

sm01@stt008:~$ time /sbin/route
(...)

real    0m5.018s
user    0m0.000s
sys     0m0.000s

sm01@stt008:~$ time /sbin/route -n
(...)

real    0m0.001s
user    0m0.000s
sys     0m0.000s

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/pan.2011.06.29.17.16...@gmail.com



Re: netstat performance

2011-06-29 Thread William Hopkins
On 06/29/11 at 10:15am, ChadDavis wrote:
 I notice that the following two invocations of netstat have
 drastically different execution times:
 
 netstat
 
 netstat -n
 
 
 When you just use numerical addresses, it executes almost instantly,
 but with the domain names and whatever you call those logical names
 for the port numbers, such as 'www', it takes quite a while (5-10
 seconds).
 
 Not a big deal, but just made me think.  Surely the name resolution
 isn't that costly is it?

Depends on latency and distance to your DNS server, how long it takes the DNS
server to perform the recursive query or forward to a server which does,
whether you have the answer cached locally or at any of the servers along the
way, etc. So it can vary wildly. 5 seconds seems high to me; it takes about 1
for me and I have a lot of active connections.

-- 
Liam




Re: netstat performance

2011-06-29 Thread Glenn English

On Jun 29, 2011, at 11:51 AM, William Hopkins wrote:

 On 06/29/11 at 10:15am, ChadDavis wrote:
 Not a big deal, but just made me think.  Surely the name resolution
 isn't that costly is it?
 
 Depends on latency and distance to your DNS server, how long it takes the DNS
 server to perform the recursive query or forward to a server which does,
 whether you have the answer cached locally or at any of the servers along the
 way, etc. So it can vary wildly.

Exactly. If you keep a well populated /etc/hosts, it'll be snappy as hail -- 
it's a disk hit (if your resolver is configured to go to hosts first, and you 
keep hosts updated). If your computer has to go to your ISP for cached info, 
that's a 'Net hit, and can take some time, depending on your latency and 
bandwidth. If your ISP doesn't have the lookup cached, there are several 'Net 
hits involved.

If you have a caching DNS server locally, you can save significant time on DNS 
lookups -- cached stuff is (best case) a RAM hit, worst case, Ethernet. 

For a good time, 'apt-get install bind' :-)

-- 
Glenn English



--
Archive: 
http://lists.debian.org/1ce428af-0ff0-42c4-b216-9f606d431...@slsware.com



Re: netstat performance

2011-06-29 Thread Brian
On Wed 29 Jun 2011 at 12:22:26 -0600, Glenn English wrote:

 For a good time, 'apt-get install bind' :-)

For an even better time (and to escape the monoculture)

   apt-get install unbound

:-)


-- 
Archive: http://lists.debian.org/20110629190816.GA15615@desktop



Re: netstat performance

2011-06-29 Thread William Hopkins
On 06/29/11 at 08:08pm, Brian wrote:
 On Wed 29 Jun 2011 at 12:22:26 -0600, Glenn English wrote:
 
  For a good time, 'apt-get install bind' :-)
 
 For an even better time (and to escape the monoculture)
 
apt-get install unbound

Monoculture is one thing, but that is not a comparable product. Unbound is for
recursive-only, so you can't have your own zone.

Also, the Debian package name for ISC BIND is bind9.

-- 
Liam




Re: netstat performance

2011-06-29 Thread Brian
On Wed 29 Jun 2011 at 15:27:53 -0400, William Hopkins wrote:

 Monoculture is one thing, but that is not a comparable product. Unbound is for
 recursive-only, so you can't have your own zone.

Within the context of the thread I thought it a good fit and worth a
mention. 


-- 
Archive: http://lists.debian.org/20110629194402.GB15615@desktop



Re: netstat performance

2011-06-29 Thread Glenn English

On Jun 29, 2011, at 1:27 PM, William Hopkins wrote:

 Also, the Debian package name for ISC BIND is bind9.

Good point, well taken. Oops...

-- 
Glenn English



-- 
Archive: 
http://lists.debian.org/c22f3ce4-6acb-43a8-873b-ae99d865d...@slsware.com



Re: netstat performance

2011-06-29 Thread William Hopkins
On 06/29/11 at 08:44pm, Brian wrote:
 On Wed 29 Jun 2011 at 15:27:53 -0400, William Hopkins wrote:
 
  Monoculture is one thing, but that is not a comparable product. Unbound is for
  recursive-only, so you can't have your own zone.
 
 Within the context of the thread I thought it a good fit and worth a
 mention. 

Agreed, I was just replying to your monoculture comment; running a local
recursive server is still a great idea (and thread contribution). Sorry if I
implied otherwise!

-- 
Liam




Re: netstat performance

2011-06-29 Thread Brian
On Wed 29 Jun 2011 at 16:36:51 -0400, William Hopkins wrote:

 Agreed, I was just replying to your monoculture comment.. running a local
 recursive server is still a great idea (and thread contribution). Sorry if I
 implied otherwise!

I didn't take it that way. You made a fair technical point and I could
have made my recommendation without including a value judgement.


-- 
Archive: http://lists.debian.org/20110629215603.GC15615@desktop