[Dnsmasq-discuss] Cache improvements

2014-03-24 Thread Olivier Mauras
 

Hello,

I was wondering what would be the effort, and if there'd
actually be any interest for some dnsmasq cache improvements.
Two things I'd love to see:

 - Cache size in memory instead of lines
   I'd rather set 1GB than 1 lines, could 1 max be at least increased?
 - Granular purging of cache entries.
   I sometimes - if not often - need to purge a single entry or a single
   domain from the cache, would be nice to be able to do so without
   clearing the whole cache.

Thanks,
Olivier 

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] Stats improvement

2014-03-24 Thread Olivier Mauras
 

Hello,

I was wondering what would be the effort, and if there'd
actually be any interest for some dnsmasq statistics improvements. (Yes
I'm splitting discussions ^^)
For monitoring/graph purposes, actual dnsmasq stats are a bit difficult
to use and completely unusable if using log_queries as it takes too long
to retrieve them inside logs.

I'd love to see a stats interface that would output
total_queries, cache_hits, cache_misses, memory used by cache,
etc

Thanks,
Olivier



Re: [Dnsmasq-discuss] Stats improvement

2014-03-24 Thread Olaf Westrik

On 2014-03-24 12:25, Olivier Mauras wrote:

> I'd love to see a stats interface that would output total_queries,
> cache_hits, cache_misses, memory used by cache, etc

What's wrong with:  kill -SIGUSR1 `pidof dnsmasq`


Olaf



Re: [Dnsmasq-discuss] Stats improvement

2014-03-24 Thread Olivier Mauras
 

Mainly that it's barely usable with log_queries as grepping log
files of 4 to 6GB tends to not be that responsive...

On 2014-03-24 13:33, Olaf Westrik wrote:

> On 2014-03-24 12:25, Olivier Mauras wrote:
>
>> I'd love to see a stats interface that would output
>> total_queries, cache_hits, cache_misses, memory used by cache, etc
>
> What's wrong with: kill -SIGUSR1 `pidof dnsmasq`
>
> Olaf



[Dnsmasq-discuss] [PATCH] dnsmasq-2.68 vs. dnsmasq-2.69rc1 Coverity scan diff

2014-03-24 Thread Tomas Hozza
Hi.

I did a version diff scan between the 2.68 and 2.69rc1 versions.
From my point of view there is one thing worth fixing,
I'm attaching the patch.

I'm also attaching the coverity scan log.

Regards,

Tomas Hozza

csdiff_dnsmasq_2.68-2.69rc1.err
Description: Binary data
From d9eb8adbcaec4018f9d39d676d32a02c16f22371 Mon Sep 17 00:00:00 2001
From: Tomas Hozza tho...@redhat.com
Date: Mon, 24 Mar 2014 14:43:14 +0100
Subject: [PATCH] Add check for the return value of recvfrom.

recvfrom returns a signed value which is then passed to functions
that take an unsigned value as an argument.

Coverity log:
Error: NEGATIVE_RETURNS (CWE-394):
dnsmasq-2.69rc1/src/forward.c:683: negative_return_fn: Function
recvfrom(fd, dnsmasq_daemon-packet, dnsmasq_daemon-packet_buff_sz, 0,
__SOCKADDR_ARG({ .__sockaddr__ = serveraddr.sa}), addrlen) returns a
negative number.
dnsmasq-2.69rc1/src/forward.c:683: var_assign: Assigning: signed
variable n = recvfrom(int, void * restrict, size_t, int,
__SOCKADDR_ARG, socklen_t * restrict).
dnsmasq-2.69rc1/src/forward.c:713: negative_returns: n is passed to a
parameter that cannot be negative.
dnsmasq-2.69rc1/src/rfc1035.c:364:62: sizet: plen is a size_t
parameter.

Signed-off-by: Tomas Hozza tho...@redhat.com
---
 src/forward.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/forward.c b/src/forward.c
index 3f4ec62..e4690a0 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -688,6 +688,12 @@ void reply_query(int fd, int family, time_t now)
   unsigned int crc;
 #endif
 
+  if (n  0)
+{
+  my_syslog(LOG_WARNING, _(Failed to receive DNS reply from remote server - (%d) %s), errno, strerror(errno));
+  return;
+}
+
   /* packet buffer overwritten */
   daemon-srv_save = NULL;
   
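Review bot: in the block added at the top of reply_query(), every failed recvfrom is reported through my_syslog at LOG_WARNING before the return, with no distinction between errno values; because this socket receives traffic from remote servers, consider returning silently for transient errors such as EINTR or EAGAIN, or lowering or rate-limiting the message, so that the error path cannot fill the log. The return also sits ahead of `daemon-srv_save = NULL;` under the "packet buffer overwritten" comment, so the commit message should say whether leaving srv_save untouched after a failed receive is intended. As archived here the hunk has lost characters (the comparison in `if (n  0)` and the quotes around the format string), so the patch should be taken from the original attachment rather than from this page.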
-- 
1.8.5.3



Re: [Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

2014-03-24 Thread sven falempin
openbsd 5.4: pkg_add libnettle (ew)
[make]
$ ./src/dnsmasq --version
Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC

Would you please explain why the dependencies with nettle, can't we
use the crypto of openSSH ?

Here's the running setup :
- - - - - - - - - -
root 31974  0.0  0.1   992  1304 p5  I+ 6:40PM0:00.01
dnsmasq -d -C /etc/dnsmasq.conf --log-queries
# cat /etc/dnsmasq.conf
domain-needed
bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
conf-file=/etc/trust-anchors.conf
dnssec
filterwin2k

# cat /etc/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 30/01/2014

# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5



- - - - - - - - - -

and a  request output :

dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: reply google.fr is 173.194.34.191
dnsmasq: reply google.fr is 173.194.34.184
dnsmasq: query[] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
dnsmasq: query[MX] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is 216.239.32.21
dnsmasq: reply thekelleys.org is 216.239.34.21
dnsmasq: reply thekelleys.org is 216.239.36.21
dnsmasq: reply thekelleys.org is 216.239.38.21
dnsmasq: query[] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply thekelleys.org is NODATA-IPv6
dnsmasq: query[MX] thekelleys.org from 10.0.0.42
dnsmasq: forwarded thekelleys.org to 8.8.8.8
dnsmasq: validation result is INSECURE


Best regards,


On Sat, Mar 22, 2014 at 4:03 PM, Simon Kelley si...@thekelleys.org.uk wrote:
> It's time to start the release process for 2.69
>
> The big news for this release is DNSSEC validation. I've made a first
> release-candidate, available at
>
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.69rc1.tar.gz
>
> Please run it if you can, and report any problems. If you can configure
> DNSSEC and test that, all the better. CHANGELOG attached below.
>
>
> Cheers,
>
>
> Simon.
>
> -
>
> Implement dynamic interface discovery on *BSD. This allows
> the constructor: syntax to be used in dhcp-range for DHCPv6
> on the BSD platform. Thanks to Matthias Andree for
> valuable research on how to implement this.
>
> Fix infinite loop associated with some --bogus-nxdomain
> configs. Thanks fogobogo for the bug report.
>
> Fix missing RA RDNS option with configuration like
> --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
> for spotting the problem.
>
> Add [fd00::] and [fe80::] as special addresses in DHCPv6
> options, analogous to [::]. [fd00::] is replaced with the
> actual ULA of the interface on the machine running
> dnsmasq, [fe80::] with the link-local address.
> Thanks to Tsachi Kimeldorfer for championing this.
>
> DNSSEC validation and caching. Dnsmasq needs to be
> compiled with this enabled, with
>
> make dnsmasq COPTS=-DHAVE_DNSSEC
>
> this adds dependencies on the nettle crypto library and the
> gmp maths library. It's possible to have these linked
> statically with
>
> make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>
> which bloats the dnsmasq binary to over a megabyte, but
> saves the size of the shared libraries which are five
> times that size.
> To enable DNSSEC, you will need a set of
> trust-anchors. Now that the TLDs are signed, this can be
> the keys for the root zone, and for convenience they are
> included in trust-anchors.conf in the dnsmasq
> distribution. You should of course check that these are
> legitimate and up-to-date. So, adding
>
> conf-file=/path/to/trust-anchors.conf
> dnssec
>
> to your config is all that's needed to get things
> working. The upstream nameservers have to be DNSSEC-capable
> too, of course. Many ISP nameservers aren't, but the
> Google public nameservers (8.8.8.8 and 8.8.4.4) are.
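
Added example (not part of the original messages and not dnsmasq project code): the announcement quoted above asks readers to check that the trust anchors are legitimate and up to date, and this Python code compares each trust-anchor= line with the KeyDigest entries of IANA's root-anchors.xml, reporting anchors that are unknown or outside their validity window. The XML is a constructed sample in that file's layout (its id and validity dates are constructed), the five-field trust-anchor form is the one shown in the thread, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# trust-anchor line as quoted in the thread.
CONF = """\
# The root DNSSEC trust anchor
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
"""

# Constructed sample in the layout of root-anchors.xml; id and dates are constructed.
IANA_XML = """\
<TrustAnchor id="CONSTRUCTED-SAMPLE" source="https://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="K1" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
</TrustAnchor>
"""


def parse_trust_anchors(conf_text):
    """Return (zone, key_tag, algorithm, digest_type, digest) per trust-anchor= line."""
    anchors = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("trust-anchor="):
            continue
        fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
        if len(fields) != 5:                          # only the form shown in the thread
            raise ValueError(f"unexpected trust-anchor form: {raw!r}")
        zone, tag, alg, dtype, digest = fields
        anchors.append((zone, int(tag), int(alg), int(dtype), digest.upper()))
    return anchors


def parse_published(xml_text):
    """Map each published anchor tuple to its (valid_from, valid_until) window."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip()
    published = {}
    for kd in root.findall("KeyDigest"):
        key = (zone, int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
               int(kd.findtext("DigestType")), kd.findtext("Digest").strip().upper())
        until = kd.get("validUntil")                  # absent while a key is current
        published[key] = (datetime.fromisoformat(kd.get("validFrom")),
                          datetime.fromisoformat(until) if until else None)
    return published


def check_anchors(conf_text, xml_text, now):
    """Return [(key_tag, status)]; status is ok, unknown, not-yet-valid or expired."""
    published = parse_published(xml_text)
    report = []
    for anchor in parse_trust_anchors(conf_text):
        if anchor not in published:
            status = "unknown"                        # digest or parameters do not match
        else:
            valid_from, valid_until = published[anchor]
            if now < valid_from:
                status = "not-yet-valid"
            elif valid_until is not None and now >= valid_until:
                status = "expired"
            else:
                status = "ok"
        report.append((anchor[1], status))
    return report


if __name__ == "__main__":
    for tag, status in check_anchors(CONF, IANA_XML, datetime.now(timezone.utc)):
        print(f"key tag {tag}: {status}")
```

In use, the XML would be the file fetched from the URL named in trust-anchors.conf rather than the embedded sample.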
 

[Dnsmasq-discuss] Running a script after a resolution request

2014-03-24 Thread Ronaldo Zacarias Afonso
   Hi everybody,

   I'd like to know if it is possible to configure dnsmasq to execute a 
script after a name resolution request.

   The idea is having a script that updates a firewall each time 
someone asks for the resolution of www.somedomain.com.

   Any help would be appreciated.

   Thanks in advance ...

-- 
Ronaldo Afonso
Embedded Systems
Oi: 55 (11) 95252-0484
Landline: 55 (11) 3065-9949
www.oiwifi.com.br


Re: [Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

2014-03-24 Thread sven falempin
On Mon, Mar 24, 2014 at 2:07 PM, Dave Taht dave.t...@gmail.com wrote:
> On Mon, Mar 24, 2014 at 10:45 AM, sven falempin sven.falem...@gmail.com wrote:
>> openbsd 5.4: pkg_add libnettle (ew)
>> [make]
>> $ ./src/dnsmasq --version
>> Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
>> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
>> DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
>>
>> Would you please explain why the dependencies with nettle, can't we
>> use the crypto of openSSH ?
>
> Openssl has a lousy API. Libnettle is much better, and (if statically linked)
> doesn't add much size to the dnsmasq binary.


how far is the nettle code audited ? openSSH is high quality software.



Re: [Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

2014-03-24 Thread Simon Kelley
On 24/03/14 17:45, sven falempin wrote:
> openbsd 5.4: pkg_add libnettle (ew)
> [make]
> $ ./src/dnsmasq --version
> Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
> DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC
>
> Would you please explain why the dependencies with nettle, can't we
> use the crypto of openSSH ?

To be able to use openSSL, the license for dnsmasq would have to be changed:

http://en.wikipedia.org/wiki/OpenSSL#Licensing


> Here's the running setup :
> - - - - - - - - - -
> root 31974  0.0  0.1   992  1304 p5  I+ 6:40PM0:00.01
> dnsmasq -d -C /etc/dnsmasq.conf --log-queries
> # cat /etc/dnsmasq.conf
> domain-needed
> bogus-priv
> # Uncomment these to enable DNSSEC validation and caching:
> # (Requires dnsmasq to be built with DNSSEC option.)
> conf-file=/etc/trust-anchors.conf
> dnssec
> filterwin2k
>
> # cat /etc/trust-anchors.conf
> # The root DNSSEC trust anchor, valid as at 30/01/2014
>
> # Note that this is a DS record (ie a hash of the root Zone Signing Key)
> # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
>
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
> - - - - - - - - - -
>
> and a  request output :
>
> dnsmasq: query[A] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 173.194.34.183
> dnsmasq: reply google.fr is 173.194.34.191
> dnsmasq: reply google.fr is 173.194.34.184
> dnsmasq: query[] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply google.fr is 2a00:1450:4009:805::1017
> dnsmasq: query[MX] google.fr from 10.0.0.42
> dnsmasq: forwarded google.fr to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is 216.239.32.21
> dnsmasq: reply thekelleys.org is 216.239.34.21
> dnsmasq: reply thekelleys.org is 216.239.36.21
> dnsmasq: reply thekelleys.org is 216.239.38.21
> dnsmasq: query[] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
> dnsmasq: reply thekelleys.org is NODATA-IPv6
> dnsmasq: query[MX] thekelleys.org from 10.0.0.42
> dnsmasq: forwarded thekelleys.org to 8.8.8.8
> dnsmasq: validation result is INSECURE
 
 

That's what I would expect. The google domains are not, in general,
signed (neither are most others). My domain is in fact
thekelleys.org.uk, but that's not signed either.

Try ietf.org or paypal.com or isc.org


Note that you may want to add --dnssec-check-unsigned to the
configuration. That will cause dnsmasq to ensure that unsigned replies
are legit by ensuring that there exists secure denial of existence of a
DS record somewhere on the path from the DNS root to the domain. That
should be added to the example config file before the final release.


Cheers,


Simon.
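
Added example (not part of Simon's message and not dnsmasq project code): a per-name tally of DNSSEC validation results from --log-queries output, to see which names come back INSECURE as discussed above and whether any come back worse. The log is a constructed sample in the format quoted in the thread; the SECURE and BOGUS result strings, the pairing of each validation line with the most recent "forwarded" line, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, in the shape of the --log-queries lines quoted in the thread.
# SECURE and BOGUS are assumed result strings; only INSECURE appears in the thread.
SAMPLE_LOG = """\
dnsmasq: query[A] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: reply google.fr is 173.194.34.183
dnsmasq: query[MX] google.fr from 10.0.0.42
dnsmasq: forwarded google.fr to 8.8.8.8
dnsmasq: validation result is INSECURE
dnsmasq: query[A] ietf.org from 10.0.0.42
dnsmasq: forwarded ietf.org to 8.8.8.8
dnsmasq: validation result is SECURE
dnsmasq: reply ietf.org is 192.0.2.10
dnsmasq: query[A] signed-but-broken.example from 10.0.0.42
dnsmasq: forwarded signed-but-broken.example to 8.8.8.8
dnsmasq: validation result is BOGUS
"""

FORWARDED = re.compile(r"\bforwarded (\S+) to (\S+)\s*$")
VALIDATION = re.compile(r"\bvalidation result is ([A-Z]+)")

# Higher is worse; a result string not listed here ranks above all of them.
SEVERITY = {"SECURE": 0, "INSECURE": 1, "BOGUS": 2}


def tally_validation(log_text):
    """Return {name: {result: count}} for every validation line in the log."""
    tally = defaultdict(lambda: defaultdict(int))
    last_forwarded = None
    for line in log_text.splitlines():
        fwd = FORWARDED.search(line)
        if fwd:
            last_forwarded = fwd.group(1).lower()
            continue
        val = VALIDATION.search(line)
        if val:
            # Assumption: the result belongs to the most recently forwarded name.
            name = last_forwarded or "<unpaired>"
            tally[name][val.group(1)] += 1
            last_forwarded = None          # consume it so a stray line is not mis-paired
    return {name: dict(counts) for name, counts in tally.items()}


def worst_result(tally):
    """Return {name: most severe result seen for that name}."""
    return {name: max(counts, key=lambda r: SEVERITY.get(r, 3))
            for name, counts in tally.items()}


def needs_attention(tally):
    """Names that never validated cleanly, sorted for stable reporting."""
    return sorted(n for n, r in worst_result(tally).items() if r != "SECURE")


if __name__ == "__main__":
    summary = tally_validation(SAMPLE_LOG)
    for name, result in sorted(worst_result(summary).items()):
        print(f"{name:30} {result:10} {summary[name]}")
```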







Re: [Dnsmasq-discuss] Announce: dnsmasq-2.69rc1

2014-03-24 Thread Toke Høiland-Jørgensen
Simon Kelley si...@thekelleys.org.uk writes:

> Note that you may want to add --dnssec-check-unsigned to the
> configuration. That will cause dnsmasq to ensure that unsigned replies
> are legit by ensuring that there exists secure denial of existence of
> a DS record somewhere on the path from the DNS root to the domain.
> That should be added to the example config file before the final
> release.

It's also missing from the man page in the rc... :)

-Toke




Re: [Dnsmasq-discuss] IPv6 configuration question

2014-03-24 Thread Simon Kelley
On 24/03/14 17:44, John Newlin wrote:
> Is it required to set a global ipv6 address on the interface that dnsmasq
> is serving in order for ipv6 information requests to work?

It is.

> Currently this system works by requesting a DP and IA from the upstream
> dhcpv6 server, setting the WAN port address to the IA and setting a route
> to get packets from the LAN to WAN.
>
> We've been using radvd to send RA's to the LAN but want to switch
> everything over to dnsmasq.  My fumbling around so far has found that it
> seems necessary to assign a global IPv6 address to the LAN port to make
> dnsmasq happy.
>
> FWIW my config files looks like:
> # cat *.conf
> # Set flag cwmp, when vendor-class contains dslform.org
> dhcp-vendorclass=cwmp,dlsforum.org
> # Sends option 1 with option space cwmp if the flag cwmp is set
> dhcp-option=cwmp,vendor:cwmp,1,https://acs.foobar.com/cwmp
> dhcp-range=192.168.42.5,192.168.42.250,86400
> dhcp-range=2605:a601:0:5201::,ra-stateless
> enable-ra
>
> Is there a way to get this working without setting a global address on the
> LAN port?

I don't think so, but possibly there should be. The current state of
affairs has been inherited from the IPv4 world, and it may be sensible to
change it.



Cheers,

Simon.

> thanks,
>
> -john
 
 
 


Re: [Dnsmasq-discuss] Cache improvements

2014-03-24 Thread Simon Kelley

On 24/03/14 11:07, Olivier Mauras wrote:
> Hello,
>
> I was wondering what would be the effort, and if there'd actually be
> any interest for some dnsmasq cache improvements. Two things I'd
> love to see:
>
> - Cache size in memory instead of lines I'd rather set 1GB than
> 1 lines, could 1 max be at least increased?

Note that there's a direct linear relationship between no of cache
entries and memory use. The exact factor depends on 32/64 bit platform
and if IPv6 support is compiled in.

The 1 limit is there because performance may degrade with very
large caches, it's not clear that there would be any performance
advantage from making it very large.


> - Granular purging of cache entries. I sometimes - if not often -
> need to purge a single entry or a single domain from the cache,
> would be nice to be able to do so without clearing the whole
> cache.

The cost of refilling the cache is small, and the interface to allow
selective deletion could be cumbersome. I'm not convinced it's worth
the code-size and complexity cost.


Cheers,

Simon.

 
> Thanks, Olivier
 
 
 
 


Re: [Dnsmasq-discuss] Stats improvement

2014-03-24 Thread Dave Taht
I would certainly like to have a standard way of getting these
statistics, through the dns, perhaps one unified with whatever bind
and unbound use (or don't use.)

Not a lot of people seem to be aware of why dns caching forwarders are
so great, although benchmarks like namebench against your chrome or
firefox cache are quite revealing, parsing huge network captures as
I am presently to try to get a grip on timings for dns/response
pairing is a pita and not router centric.

However:

Do check out namebench, it's pretty cool. It does bug me that in tests
against the alexa top 2000 that it invariably selects some other dns
server besides your local one as being the best, because it has
the best average - as if you regularly go to websites in timbuktu and
care about the response time more than, say, google.

Example against alexa top 2000 with a fresh cache:

http://snapon.lab.bufferbloat.net/~d/namebench/namebench_2014-03-20_1255.html

It is much better to test against your more common query set, which I
don't have a snapshot of on that site presently - usually 40% or more
of queries are resolved in a ms, 30% or so via your ISP in under 20ms.

I'd love to see people posting namebench results from against their
firefox/chrome caches... it's in apt on ubuntu at least

the version I have is buggy, you have to hit control-C at least once
for the gui to come up.


On Mon, Mar 24, 2014 at 2:55 PM, Simon Kelley si...@thekelleys.org.uk wrote:
> On 24/03/14 11:25, Olivier Mauras wrote:
>> Hello,
>>
>> I was wondering what would be the effort, and if there'd
>> actually be any interest for some dnsmasq statistics improvements. (Yes
>> I'm splitting discussions ^^)
>> For monitoring/graph purposes, actual dnsmasq stats are a bit difficult
>> to use and completely unusable if using log_queries as it takes too long
>> to retrieve them inside logs.
>>
>> I'd love to see a stats interface that would output
>> total_queries, cache_hits, cache_misses, memory used by cache,
>> etc
>>
>> Thanks,
>> Olivier
>
> There's an idea to make this available as a DNS query, in the same way that
>
> dig chaos txt version.bind
>
> returns the version number.
>
> Comments?
>
> Cheers,
>
> Simon.






-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html



Re: [Dnsmasq-discuss] Stats improvement

2014-03-24 Thread Olivier Mauras


On Mon, 2014-03-24 at 21:55 +, Simon Kelley wrote:
> On 24/03/14 11:25, Olivier Mauras wrote:
>> Hello,
>>
>> I was wondering what would be the effort, and if there'd
>> actually be any interest for some dnsmasq statistics improvements. (Yes
>> I'm splitting discussions ^^)
>> For monitoring/graph purposes, actual dnsmasq stats are a bit difficult
>> to use and completely unusable if using log_queries as it takes too long
>> to retrieve them inside logs.
>>
>> I'd love to see a stats interface that would output
>> total_queries, cache_hits, cache_misses, memory used by cache,
>> etc
>>
>> Thanks,
>> Olivier
>
> There's an idea to make this available as a DNS query, in the same way that
>
> dig chaos txt version.bind
>
> returns the version number.
>
> Comments?
>
> Cheers,
>
> Simon.
 
 

That would be a really good way of doing it!




Re: [Dnsmasq-discuss] Stats improvement

2014-03-24 Thread Simon Kelley
It would be very interesting to see the differences between dnsmasq
without DNSSEC, with DNSSEC and with DNSSEC and --dnssec-check-unsigned

Cheers,


Simon.

On 24/03/14 22:50, Dave Taht wrote:
> On Mon, Mar 24, 2014 at 3:21 PM, Dave Taht dave.t...@gmail.com wrote:
>> I would certainly like to have a standard way of getting these
>> statistics, through the dns, perhaps one unified with whatever bind
>> and unbound use (or don't use.)
>>
>> Not a lot of people seem to be aware of why dns caching forwarders are
>> so great, although benchmarks like namebench against your chrome or
>> firefox cache are quite revealing, parsing huge network captures as
>> I am presently to try to get a grip on timings for dns/response
>> pairing is a pita and not router centric.
>>
>> However:
>>
>> Do check out namebench, it's pretty cool. It does bug me that in tests
>> against the alexa top 2000 that it invariably selects some other dns
>> server besides your local one as being the best, because it has
>> the best average - as if you regularly go to websites in timbuktu and
>> care about the response time more than, say, google.
>>
>> Example against alexa top 2000 with a fresh cache:
>>
>> http://snapon.lab.bufferbloat.net/~d/namebench/namebench_2014-03-20_1255.html
>>
>> It is much better to test against your more common query set, which I
>> don't have a snapshot of on that site presently - usually 40% or more
>> of queries are resolved in a ms, 30% or so via your ISP in under 20ms.
>>
>> I'd love to see people posting namebench results from against their
>> firefox/chrome caches... it's in apt on ubuntu at least
>>
>> the version I have is buggy, you have to hit control-C at least once
>> for the gui to come up.
>
> I just did a namebench test against my local firefox cache (without clearing
> dnsmasq's caches)
>
> http://snapon.lab.bufferbloat.net/~d/namebench/namebench_2014-03-24_1541.html
>
> note that I have three dns servers in place - one on my local machine,
> a dnsmasq locally that is sending stuff over ipv6 to another dnsmasq
> which is then connected over ipv4 and ipv6 to comcasts forwarders.
 

