Hello again BIND-users,
Sorry for asking for help twice in one day.
We are setting up a new resolver performance test bed, one that we hope will be
a better simulation of real-world deployment. Once we have this working, we
should be able to profile BIND performance using DoH and DoT as well as Do53.
We are using the DNS Shotgun tool for this purpose.
(https://dns-shotgun.readthedocs.io/en/stable/)
Anyway, we need to feed this test bed with some PCAPs. We have only a few
samples right now, and if we could get a few more, our test bed would be more
representative of the actual Internet.
We don’t want to publish how to upload files to us, because that will
immediately be filled with spam, so if you are willing to submit some of your
resolver packet captures, please email me and I will give you instructions on
where to put your file so that we can retrieve it. I have included some
instructions on capturing the packets below so you can see what is involved.
Thank you for considering this.
Vicky
---------
If you are able to share some pcaps, here are some generic instructions.
dnscap \
-z 192.0.2.1 \
-z 2001:db8::1 \
-i any \
-p \
-s i \
-w /output/pcap \
-C 1073741824 \
-k 'xz -9' \
-B '2021-01-08 11:40:00' \
-E '2021-01-08 21:40:00' \
-S \
-6 \
-P /usr/lib/dnscap/anonaes128.so \
-4 \
-K /dev/urandom \
-I /dev/urandom
Explanation:
dnscap - https://www.dns-oarc.net/tools/dnscap
-z # IP address the DNS resolver uses to receive client queries; duplicate
   -z if it has more IP addresses - this is crucial to filter out queries from
   BIND itself to the Internet
-i any # network interface name receiving client queries ("any" should be fine
so they do not need to bother with explicit names)
-p # ask for the interface not to be put into promiscuous mode; it's not needed
   as we capture only the traffic directed to this server
-s i # capture only queries but not answers (thus
making the output file smaller) - has to be combined with -z above
-w # output file name base
-C # maximum individual file size in bytes, 1 GB recommended
-k 'xz -9' # compression command, feel free to change
-B -E # starts/stops capture times, please do not forget to modify
-S # print statistics, optional
-6 # enable IPv6 support, omit for dnscap version 2.0.0 and newer
-P -4 ... # anonymizing IPv6 and also IPv4 addresses using random AES key, i.e.
key is forgotten when process exits
A good sample size is 10 hours, but shorter samples can also be useful; we can
eventually combine samples from multiple submitters.
Bonus points if we can get the command running in parallel on multiple servers,
e.g. on 10 servers for 1 hour, or 5 servers for 2 hours, etc.
If running on multiple servers, please replace
-K /dev/urandom -I /dev/urandom
with
-k putrandomkeyhere -i putrandomkeyhere
and use the same 16-character string on all servers.
-k -i specify explicit anonymization keys so the same clients are anonymized in
the same way across all servers. They should not tell us what values they were
using during capture otherwise we could partially deanonymize the data.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
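As an added example (not part of Vicky's message, and not code from dnscap or ISC): a bash wrapper around the dnscap invocation quoted above. It builds the command line from a list of resolver addresses, enforces the 16-character key and IV that the anonaes128 plugin expects when they are passed as -k/-i strings, and reads those values from ANON_KEY/ANON_IV so the same pair can be set on every server of a multi-server capture. The plugin path, output directory, resolver addresses and capture window are placeholders copied from the post and must be edited; the RUN_DNSCAP/ANON_KEY/ANON_IV variable names are this wrapper's own.

```bash
#!/usr/bin/env bash
# Added wrapper for the dnscap capture described in the post; not part of
# the original message or of dnscap. Plugin path, output directory, resolver
# addresses and capture window are placeholders from the post: edit them.
set -eu

# anonaes128 takes the key and IV as 16-character strings with -k/-i.
is_16_chars() {
    [ "${#1}" -eq 16 ]
}

# Random 16-character string for a single-server capture. /dev/urandom is
# filtered to letters and digits so the value is safe on a command line.
# No pipefail here: head closing the pipe makes tr exit non-zero.
random_16() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# Print the dnscap argv, one argument per line, for the given anonymization
# key, IV, capture window and output directory, followed by one or more
# resolver listening addresses (each becomes its own -z, as the post asks).
dnscap_argv() {
    local key=$1 iv=$2 start=$3 end=$4 outdir=$5
    shift 5
    is_16_chars "$key" || { echo "key must be exactly 16 characters" >&2; return 1; }
    is_16_chars "$iv"  || { echo "IV must be exactly 16 characters" >&2; return 1; }
    [ $# -ge 1 ]       || { echo "at least one resolver address required" >&2; return 1; }

    local -a argv=(dnscap)
    local addr
    for addr in "$@"; do
        argv+=(-z "$addr")
    done
    # dnscap's own options in the order the post uses them (-6 may be omitted
    # on dnscap 2.0.0+), then the plugin and its options. The second -k/-i
    # pair after -P belongs to anonaes128, not to dnscap itself.
    argv+=(-i any -p -s i -w "$outdir/pcap" -C 1073741824 -k 'xz -9'
           -B "$start" -E "$end" -S -6
           -P /usr/lib/dnscap/anonaes128.so -4 -k "$key" -i "$iv")
    printf '%s\n' "${argv[@]}"
}

# Multi-server capture: export the same ANON_KEY and ANON_IV on every server
# and keep them to yourself. Single server: let random_16 pick them, which
# matches the -K/-I /dev/urandom variant in the post.
ANON_KEY=${ANON_KEY:-$(random_16)}
ANON_IV=${ANON_IV:-$(random_16)}

mapfile -t CMD < <(dnscap_argv "$ANON_KEY" "$ANON_IV" \
    '2021-01-08 11:40:00' '2021-01-08 21:40:00' /output \
    192.0.2.1 2001:db8::1)

if [ -n "${RUN_DNSCAP:-}" ]; then
    exec "${CMD[@]}"                 # RUN_DNSCAP=1 actually starts the capture
else
    printf '%q ' "${CMD[@]}"; echo   # default: dry run, show the command line
fi
```

Without RUN_DNSCAP the script only prints the assembled command, which is a cheap way to confirm on each server that the intended addresses, window and key/IV pair are in place before the capture window opens; run it with RUN_DNSCAP=1 (and the shared ANON_KEY/ANON_IV exported) to start dnscap.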