Re: [vox-tech] Fwd: Very slow off net
All of his info on DNS is valuable but not relevant to my problem, as it happens when I'm not connected to the net. To show how serious this is, I did a few timings.

Off net:
  boot-up to login prompt: 4 minutes, 5 seconds
  login till ready to use: 4 minutes
  shutdown: 1 minute plus

When connected to the net:
  boot-up to login prompt: 42 seconds
  login till ready to use: 15 seconds
  shutdown: 15 seconds

These long delays use up 10 percent of my battery before I can even start to work! That it happens during boot-up exonerates gnome but seems to mean the problem is in some very fundamental part of the system.

I tried to upgrade to "lenny" with apt-get upgrade but this did not change the kernel and the problem remained. I finally did a full, new install of lenny and the problem is gone. As a side benefit, it appears my built-in broadcom wi-fi may now work.

Richard

On Thu, Oct 29, 2009 at 4:47 PM, Bill Broadley wrote:
> Rick Moen wrote:
> > Quoting Bill Broadley (b...@broadley.org):
> >> I'd suggest adding caching in there somewhere, probably assumed.
> >
> > I've yet to find a nameserver package of any sort, recursive, authoritative, or even merely forwarding, that doesn't do caching.
>
> Right, you know that, I know that, figured someone else might not.
>
> >> Agreed. Large ISPs (like pacbell) often have overloaded DNS, not to mention the DNS is often on the wrong end of a busy network.
> >
> > That's only the beginning of their problems. To the predominant dog-slow performance would add pervasive cache poisoning, e.g., the quality of being a security menace, as the next obvious problem to mention. But better to just skip them.
>
> Agreed.
>
> >> I suggest unbound.
> >
> > I like Unbound, despite its relative youth. PowerDNS Recursor is also good, and perhaps a bit better tested. I would also consider MaraDNS.
> >
> > I'm extremely happy with the authoritative-only server published for quite a while by the same .nl TLD people who've more recently followed up with Unbound, FWIW.
>
> Good to know.
>
> >>> It'll also improve performance over using OpenDNS,
> >> Sort of. For cache hits, yes. For cache misses, not too much.
> >
> > Obviously, I was talking about cache hits -- which predominate if you run a recursive nameserver for a long while.
>
> Sure. But that doesn't mean that fairly often some random site gets popular, overloaded even, and then is not in your cache.
>
> >> Sure, so only your ISP instead of opendns and your ISP knowing everywhere you visit.
> >
> > The problem of your upstream link(s) being able to do traffic analysis on where your packets are sent to, and inspection in cases where you don't bother to encrypt them, is a separate problem. But you knew that. Also, unlike OpenDNS, they have fiduciary obligations to you under contract. But you knew that, too.
>
> Both good points. Opendns does try to give you protection against various other things; depending on your choices you get any collection of:
> * no protection/blocking
> * protection/blocking against phishing
> * protection/blocking against porn
> * protection/blocking against illegal activity
> * protection/blocking against social networking sites.
>
> > Use OpenDNS, and a party who owes you no loyalty whatsoever has a central record of all DNS queries your IP has attempted.
>
> Yup.
>
> >> NXDOMAIN does bug me, I believe that's optional if you login/create an account.
> >
> > That deliberate RFC violation _should_ bug you. It's essentially saying "Nothing but the Web counts. Correct DNS information for SMTP mail doesn't matter, because it's not the Web."
>
> Yup. Although I'd expect that the IP they give you for a typo'd domain doesn't have an SMTP port open. There is the option to select:
> * Enable typo correction (and NX Domain redirection)
>
> So it's up to you; I agree I wish the default was the other way.
>
> > I'm not clear on why a login would remove that misfeature. They use the ads on their "Site not found" Web pages to generate the revenue stream that underwrites the service.
>
> They seem pretty friendly and well implemented.
>
> >> Oh, almost forgot. I'd recommend unbound as a local caching recursive server. It's DNSSEC and DLV aware
> >
> > I'm no DJB fan, but I think he's right about the reasons why DNSSEC is never going to be used on any significant enough scale to matter. The DLV lookaside kludge (that partially works around lack of a signed root zone) to an overengineered and impractical based spec strikes me as just another deck-chair on the sinking ship.
>
> Dunno, seems to be gaining significant ground lately. .gov and .org are in the dlv, as well as a bunch of other top level domains (granted none as popular as .com.) DNS is really important and many people place much more trust in it than they should.
>
> I agree that DNSSEC is
Re: [vox-tech] Fwd: Very slow off net
Rick Moen wrote:
> Quoting Bill Broadley (b...@broadley.org):
>> I'd suggest adding caching in there somewhere, probably assumed.
>
> I've yet to find a nameserver package of any sort, recursive, authoritative, or even merely forwarding, that doesn't do caching.

Right, you know that, I know that, figured someone else might not.

>> Agreed. Large ISPs (like pacbell) often have overloaded DNS, not to mention the DNS is often on the wrong end of a busy network.
>
> That's only the beginning of their problems. To the predominant dog-slow performance would add pervasive cache poisoning, e.g., the quality of being a security menace, as the next obvious problem to mention. But better to just skip them.

Agreed.

>> I suggest unbound.
>
> I like Unbound, despite its relative youth. PowerDNS Recursor is also good, and perhaps a bit better tested. I would also consider MaraDNS.
>
> I'm extremely happy with the authoritative-only server published for quite a while by the same .nl TLD people who've more recently followed up with Unbound, FWIW.

Good to know.

>>> It'll also improve performance over using OpenDNS,
>> Sort of. For cache hits, yes. For cache misses, not too much.
>
> Obviously, I was talking about cache hits -- which predominate if you run a recursive nameserver for a long while.

Sure. But that doesn't mean that fairly often some random site gets popular, overloaded even, and then is not in your cache.

>> Sure, so only your ISP instead of opendns and your ISP knowing everywhere you visit.
>
> The problem of your upstream link(s) being able to do traffic analysis on where your packets are sent to, and inspection in cases where you don't bother to encrypt them, is a separate problem. But you knew that. Also, unlike OpenDNS, they have fiduciary obligations to you under contract. But you knew that, too.

Both good points. Opendns does try to give you protection against various other things; depending on your choices you get any collection of:
* no protection/blocking
* protection/blocking against phishing
* protection/blocking against porn
* protection/blocking against illegal activity
* protection/blocking against social networking sites.

> Use OpenDNS, and a party who owes you no loyalty whatsoever has a central record of all DNS queries your IP has attempted.

Yup.

>> NXDOMAIN does bug me, I believe that's optional if you login/create an account.
>
> That deliberate RFC violation _should_ bug you. It's essentially saying "Nothing but the Web counts. Correct DNS information for SMTP mail doesn't matter, because it's not the Web."

Yup. Although I'd expect that the IP they give you for a typo'd domain doesn't have an SMTP port open. There is the option to select:
* Enable typo correction (and NX Domain redirection)

So it's up to you; I agree I wish the default was the other way.

> I'm not clear on why a login would remove that misfeature. They use the ads on their "Site not found" Web pages to generate the revenue stream that underwrites the service.

They seem pretty friendly and well implemented.

>> Oh, almost forgot. I'd recommend unbound as a local caching recursive server. It's DNSSEC and DLV aware
>
> I'm no DJB fan, but I think he's right about the reasons why DNSSEC is never going to be used on any significant enough scale to matter. The DLV lookaside kludge (that partially works around lack of a signed root zone) to an overengineered and impractical based spec strikes me as just another deck-chair on the sinking ship.

Dunno, seems to be gaining significant ground lately. .gov and .org are in the dlv, as well as a bunch of other top level domains (granted none as popular as .com.) DNS is really important and many people place much more trust in it than they should.

I agree that DNSSEC is scarily useless today; a shared key means you have to control both client and server, which is rare. The DLV fixes this: with just a 1-2 line change to your local DNS you can take advantage of anyone using DLV. Say even to verify the contents of this email from paypal, gmail, or even from me.

> I don't know why I should trust DLV repositories (Trust Anchor repositories), and the largest one that makes something like a meaningful effort to validate that they belong to whom they claim to (ISC's) had a whopping total of 25 DLV records in it a year ago, when I last looked into this. (SecSpider collects DLVs, but doesn't validate them.)

I don't have any numbers, but my domains have the serial number around 850. Seems reasonable to trust dlv.isc.org if you trust isc.org. Nothing stops you from running your own dlv if you so choose; I've seen a couple collections of dlv records that could easily be downloaded as needed. If anyone has a good idea of how many domains are using DLV please speak up.

> So, good luck making that stuff practical and useful. Do send a
Re: [vox-tech] Fwd: Very slow off net
Quoting Bill Broadley (b...@broadley.org):

> I'd suggest adding caching in there somewhere, probably assumed.

I've yet to find a nameserver package of any sort, recursive, authoritative, or even merely forwarding, that doesn't do caching.

> Agreed. Large ISPs (like pacbell) often have overloaded DNS, not to mention the DNS is often on the wrong end of a busy network.

That's only the beginning of their problems. To the predominant dog-slow performance would add pervasive cache poisoning, e.g., the quality of being a security menace, as the next obvious problem to mention. But better to just skip them.

> I suggest unbound.

I like Unbound, despite its relative youth. PowerDNS Recursor is also good, and perhaps a bit better tested. I would also consider MaraDNS.

I'm extremely happy with the authoritative-only server published for quite a while by the same .nl TLD people who've more recently followed up with Unbound, FWIW.

> > It'll also improve performance over using OpenDNS,
>
> Sort of. For cache hits, yes. For cache misses, not too much.

Obviously, I was talking about cache hits -- which predominate if you run a recursive nameserver for a long while.

> Sure, so only your ISP instead of opendns and your ISP knowing everywhere you visit.

The problem of your upstream link(s) being able to do traffic analysis on where your packets are sent to, and inspection in cases where you don't bother to encrypt them, is a separate problem. But you knew that. Also, unlike OpenDNS, they have fiduciary obligations to you under contract. But you knew that, too.

Use OpenDNS, and a party who owes you no loyalty whatsoever has a central record of all DNS queries your IP has attempted.

> NXDOMAIN does bug me, I believe that's optional if you login/create an account.

That deliberate RFC violation _should_ bug you. It's essentially saying "Nothing but the Web counts. Correct DNS information for SMTP mail doesn't matter, because it's not the Web."

I'm not clear on why a login would remove that misfeature. They use the ads on their "Site not found" Web pages to generate the revenue stream that underwrites the service.

> Oh, almost forgot. I'd recommend unbound as a local caching recursive server. It's DNSSEC and DLV aware

I'm no DJB fan, but I think he's right about the reasons why DNSSEC is never going to be used on any significant enough scale to matter. The DLV lookaside kludge (that partially works around lack of a signed root zone) to an overengineered and impractical based spec strikes me as just another deck-chair on the sinking ship.

I don't know why I should trust DLV repositories (Trust Anchor repositories), and the largest one that makes something like a meaningful effort to validate that they belong to whom they claim to (ISC's) had a whopping total of 25 DLV records in it a year ago, when I last looked into this. (SecSpider collects DLVs, but doesn't validate them.)

So, good luck making that stuff practical and useful. Do send a postcard. ;->

Anyway, FWIW: http://linuxmafia.com/faq/Network_Other/dns-servers.html

___
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
Re: [vox-tech] Fwd: Very slow off net
Rick Moen wrote:
> By the way, IMO, you really should consider running and using a local recursive DNS nameserver.

I'd suggest adding caching in there somewhere, probably assumed.

> Doing so improves performance a great deal over using your "router on your home network", which almost certainly is merely a forwarder.

Agreed. Large ISPs (like pacbell) often have overloaded DNS, not to mention the DNS is often on the wrong end of a busy network.

I suggest unbound.

> It'll also improve performance over using OpenDNS,

Sort of. For cache hits, yes. For cache misses, not too much. OpenDNS tries to keep a rather large fraction of the zones cached. So just when things are the worst (say a site is so busy it's having a hard time keeping up with dns requests) opendns often will quickly give you the dns record you need.

> along with not giving the operators of that service detailed information about your Internet activity,

Sure, so only your ISP instead of opendns and your ISP knowing everywhere you visit.

> _and_ (unlike OpenDNS) it would actually implement DNS technical standards correctly (i.e., correctly answering "NXDOMAIN" when that's the truth).

NXDOMAIN does bug me, I believe that's optional if you login/create an account.

Oh, almost forgot. I'd recommend unbound as a local caching recursive server. It's DNSSEC and DLV aware, seems to be rather well written for a specific purpose. Lean, mean, easy to configure, and more secure than many defaults. Apt-get install unbound if you are on ubuntu.
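As an added example (mine, not code from the thread or from the Unbound project), here is the local caching recursive resolver Bill recommends, written out as a shell script that generates a locked-down unbound.conf. It listens only on loopback and refuses everyone else, so it cannot be abused as an open resolver; it turns on the cache-poisoning hardening that Rick's remark about ISP resolvers alludes to (0x20 case randomization, strict glue handling, cache flush on a flood of unsolicited replies); and it validates DNSSEC from the root trust anchor. The DLV lookaside Bill mentions was a 2009 workaround for the then-unsigned root; the root zone has been signed since 2010 and ISC shut DLV down in 2017, so the root anchor is what to configure today. The file paths are assumptions based on Debian-style packaging.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the Unbound project.
# Writes a locked-down unbound.conf for a laptop-local caching recursive
# resolver and a resolv.conf that uses it. Paths are assumptions based on
# Debian-style packaging (config under /etc/unbound, RFC 5011 managed root
# key under /var/lib/unbound); adjust for your distribution.

write_unbound_conf() {
    cat >"$1" <<'EOF'
server:
    # Listen on loopback only. A resolver reachable from the LAN or the
    # Internet is an open resolver: an amplification and poisoning target.
    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Answer only this host; refuse everyone else explicitly.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Don't advertise software identity or version to querying clients.
    hide-identity: yes
    hide-version: yes

    # Cache-poisoning defences: accept glue only for the delegated zone,
    # randomize query-name case (0x20) so forged replies must match it,
    # and flush the cache if a flood of unsolicited replies arrives
    # (threshold value is the one the unbound.conf manual suggests).
    harden-glue: yes
    use-caps-for-id: yes
    unwanted-reply-threshold: 10000000
    qname-minimisation: yes

    # DNSSEC: validate from the root trust anchor (kept current by RFC
    # 5011 rollover) and treat stripped signatures as bogus, not insecure.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes

    # Re-fetch popular records just before they expire so the cache hits
    # that predominate over time stay hits.
    prefetch: yes
EOF
}

# Point the libc stub resolver at the local daemon. DHCP clients rewrite
# this file (see the rest of the thread), so pin it via resolvconf or
# dhclient.conf as well on a machine that roams.
write_local_resolv_conf() {
    printf 'nameserver 127.0.0.1\noptions edns0\n' >"$1"
}

# Syntax-check a generated config with Unbound's own tool when present.
check_unbound_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not installed; skipping syntax check" >&2
    fi
}

# Live use, as root: sh thisfile --live, restart unbound, confirm with
# "dig @127.0.0.1 example.com", and only then run
# write_local_resolv_conf /etc/resolv.conf so lookups never go dark.
if [ "${1:-}" = "--live" ]; then
    write_unbound_conf /etc/unbound/unbound.conf
    check_unbound_conf /etc/unbound/unbound.conf
fi
```

The order matters on a live box: switch resolv.conf to 127.0.0.1 only after the daemon answers, otherwise you recreate the off-net timeout this thread is about.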
Re: [vox-tech] Fwd: Very slow off net
For example, the solitaire card game. But it appears to happen with all applications. I don't believe it is coming from the application but somewhere in the system code that launches the app.

I used wireshark. Let wireshark run. No traffic. Launch an app. As soon as it is up, check wireshark. There are several packets shown, including the DNS queries. Also, it appears no use is made of the DNS queries in that I do not see follow up traffic.

Since it is not a particular application I don't know how I would use strace.

I did forget to mention one important difference between my laptop and desktop. The laptop is running gnome while my desktop is running KDE. When I thought about this I began to think maybe gnome is responsible but I don't know how to check this.

Richard

On Wed, Oct 28, 2009 at 1:24 AM, Rick Moen wrote:
> Quoting Richard Harke (paleopeng...@gmail.com):
>
> > That leaves the question: why access DNS at all for an application launch?
>
> Again, what application, for example? And by what means do you know that that application is doing DNS lookups? You say "I've done some tracing", but I don't know what you've done to associate DNS lookups with particular non-network-oriented applications.
>
> Once you know what application binary you're talking about, you can run it under strace to determine what system calls it's making.
>
> By the way, IMO, you really should consider running and using a local recursive DNS nameserver. Doing so improves performance a great deal over using your "router on your home network", which almost certainly is merely a forwarder. It'll also improve performance over using OpenDNS, along with not giving the operators of that service detailed information about your Internet activity, _and_ (unlike OpenDNS) it would actually implement DNS technical standards correctly (i.e., correctly answering "NXDOMAIN" when that's the truth).
>
> Possibly of related interest:
> http://linuxmafia.com/pipermail/sf-lug/2008q3/005308.html
> http://linuxmafia.com/pipermail/sf-lug/2008q3/005309.html
Re: [vox-tech] Fwd: Very slow off net
Quoting Richard Harke (paleopeng...@gmail.com):

> That leaves the question: why access DNS at all for an application launch?

Again, what application, for example? And by what means do you know that that application is doing DNS lookups? You say "I've done some tracing", but I don't know what you've done to associate DNS lookups with particular non-network-oriented applications.

Once you know what application binary you're talking about, you can run it under strace to determine what system calls it's making.

By the way, IMO, you really should consider running and using a local recursive DNS nameserver. Doing so improves performance a great deal over using your "router on your home network", which almost certainly is merely a forwarder. It'll also improve performance over using OpenDNS, along with not giving the operators of that service detailed information about your Internet activity, _and_ (unlike OpenDNS) it would actually implement DNS technical standards correctly (i.e., correctly answering "NXDOMAIN" when that's the truth).

Possibly of related interest:
http://linuxmafia.com/pipermail/sf-lug/2008q3/005308.html
http://linuxmafia.com/pipermail/sf-lug/2008q3/005309.html
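Rick's strace suggestion, worked through as an added example that is not part of the thread: a packet capture shows that DNS queries leave the box, but it has no process context, so it cannot say which program asked. strace can, because it records the connect()/sendto() to port 53 under the PID that made it. The trace below is constructed to look like what glibc's resolver emits when a program calls gethostbyname() on a machine that still has a route but no reachable nameserver; the 208.67.x.x addresses are OpenDNS's public resolvers, which the thread names but never lists. With resolv.conf(5) defaults (timeout 5 s, 2 attempts per server), two unanswering servers cost about 20 s per lookup, the order of delay Richard reports.

```shell
#!/bin/sh
# Added example, not from the original thread. Attribute DNS lookups to a
# process with strace instead of inferring them from a packet capture.
#
# Record only network system calls of a program and everything it forks
# (-f matters: desktop launchers exec the real binary in a child):
#
#   strace -f -e trace=network -o /tmp/app.strace some-program
#
# Add poll to the set (-e trace=network,poll) to see the resolver sitting
# in its 5 s timeouts. Then feed the log to the functions below.

# Print "<pid> <server> <result>" for every connect()/sendto() aimed at
# port 53 in an strace log read from stdin. <result> is the syscall return
# value, or the errno name when it failed. Other ports (e.g. 6000, the X
# server) are ignored.
dns_queries_in_trace() {
    awk '
        /(connect|sendto)\(.*sin_port=htons\(53\)/ {
            pid = ($1 ~ /^[0-9]+$/) ? $1 : "-"
            if (!match($0, /inet_addr\("[0-9.]+"\)/)) next
            addr = substr($0, RSTART + 11, RLENGTH - 13)
            rest = $0
            sub(/.*\) = /, "", rest)
            n = split(rest, r, " ")
            res = (n > 1 && r[1] == "-1") ? r[2] : r[1]
            print pid, addr, res
        }'
}

# Unique DNS servers contacted, in first-seen order.
dns_servers_contacted() {
    dns_queries_in_trace | awk '!seen[$2]++ { print $2 }'
}

# Constructed sample in strace -f format: the resolver walks the three
# nameservers from a stale resolv.conf, sending a 27-byte A query for
# "grassmann" to each. The first two are OpenDNS's public resolvers and
# never answer (each costs a timeout); the third line is included to show
# how a failed call is reported. The last line is the X connection, not DNS.
SAMPLE_TRACE='4711  socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
4711  connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("208.67.222.222")}, 16) = 0
4711  sendto(3, "\273\26\1\0\0\1\0\0\0\0\0\0\tgrassmann\0\0\1\0\1", 27, MSG_NOSIGNAL, NULL, 0) = 27
4711  connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("208.67.220.220")}, 16) = 0
4711  sendto(3, "\273\26\1\0\0\1\0\0\0\0\0\0\tgrassmann\0\0\1\0\1", 27, MSG_NOSIGNAL, NULL, 0) = 27
4711  connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 16) = -1 ENETUNREACH (Network is unreachable)
4711  connect(4, {sa_family=AF_UNIX, sun_path=@"/tmp/.X11-unix/X0"}, 20) = 0'

# Live use: sh thisfile /tmp/app.strace
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    dns_servers_contacted <"$1"
fi
```

On the sample, dns_queries_in_trace lists PID 4711 talking to 208.67.222.222 and 208.67.220.220 (return 0) and failing against 192.168.0.1 with ENETUNREACH. Run on a real trace of a card game, a port-53 line under its PID settles the question of whether the lookups come from the application process itself or from something else in the launch path.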
Re: [vox-tech] Fwd: Very slow off net
I have confirmed that Borders hotspot sets resolv.conf to use openDNS. Which by the way, seems to work better than my router on my home network. Maybe another example of the problems with earthlink.

That leaves the question: why access DNS at all for an application launch? My desktop doesn't do it. It's debian lenny for x86 while my laptop is debian etch for amd-64.

Richard

On Tue, Oct 27, 2009 at 4:57 PM, Rick Moen wrote:
> Quoting Richard Harke (paleopeng...@gmail.com):
>
> > When I use my laptop without a network connection, it becomes very, very slow launching applications. I've done some tracing and apparently it sends some kind of request to a DNS server. Not just any DNS but openDNS in particular. When it's off-net, it waits for the time-out before continuing. So two questions. Why contact DNS for any app launch? (This includes apps that have no possibility of using the net)
>
> This is difficult to answer without specifics.
>
> > 2nd. Why openDNS? I had never heard of them before and certainly haven't signed up for their service.
>
> You'll have to answer this question from local knowledge. Obviously, somebody using your laptop at some point did something that re-pointed /etc/resolv.conf to them -- and nothing's overridden that, since.
Re: [vox-tech] Fwd: Very slow off net
On Tue, Oct 27, 2009 at 07:00:11PM -0500, Ken Bloom wrote:
> On Tue, 2009-10-27 at 15:16 -0700, Richard Harke wrote:
> > Sorry. I was trying to keep it short.
> > Linux, of course. Debian etch for amd-64
> >
> > /etc/hosts has a 127.0.0.1 localhost grassmann line plus a line 192.168.0.21 grassmann.harke.org grassmann and similar for my other machines on this lan. Everything on this lan has a fixed IP address.
> >
> > One mystery solved. /etc/resolv.conf has the IP addresses for openDNS. But I don't know how they got there. The file is dated 10/20 so it might be from when I used the wifi at Borders. I had to change my interfaces file and do an ifup ath0=borders to get connected. Could that have given permission to rewrite /etc/resolv.conf? I guess I could check this out the next time I'm at Borders.
>
> DHCP clients by default overwrite /etc/resolv.conf to use their own DNS settings unless you have the resolvconf package installed (which provides a more principled way to reconcile automatic changes by creating a whole directory of resolv.conf, one per client, then creating /etc/resolv.conf as the union of all of those files, and hooks into all of the programs that have reasons to change /etc/resolv.conf).
>
> If /etc/resolv.conf is a symlink, then the resolvconf package is installed.

You can also edit /etc/dhcp/dhclient.conf to add a specific name server to resolv.conf when it retrieves its name servers.

-- 
Brian Lavender
http://www.brie.com/brian/
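An added example (mine, not Brian's or Ken's code) that turns the last two posts into something you can run: it applies Ken's symlink test for resolvconf, lists which nameservers a resolv.conf actually contains and flags the ones outside your own network, and writes the dhclient.conf lines Brian alludes to so a hotspot lease cannot displace your chosen resolver again. The sample resolv.conf is constructed; the two 208.67.x.x addresses in it are OpenDNS's public resolvers, which the thread mentions only by name. Paths are assumptions: Debian etch shipped dhclient's config as /etc/dhcp3/dhclient.conf, later releases as /etc/dhcp/dhclient.conf.

```shell
#!/bin/sh
# Added example, not from the original thread. Tools for the resolv.conf
# problem Richard hit: see what a resolv.conf actually points at, flag
# resolvers outside your own network, tell whether resolvconf manages the
# file, and pin a resolver in dhclient.conf so the next hotspot lease
# cannot replace it.

# Print the nameserver addresses from resolv.conf(5) data on stdin.
nameservers_from() {
    awk '$1 == "nameserver" { print $2 }'
}

# Of those, print the ones that are neither loopback nor RFC 1918 private
# space: resolvers that belong to somebody else's network.
foreign_nameservers() {
    nameservers_from | awk -F. '
        NF != 4 { print; next }                    # IPv6 or junk: show it
        $1 == 127 { next }
        $1 == 10 { next }
        $1 == 192 && $2 == 168 { next }
        $1 == 172 && $2 >= 16 && $2 <= 31 { next }
        { print }'
}

# Ken's test: the resolvconf package replaces /etc/resolv.conf with a
# symlink into its own state directory. Takes a path so it can be checked
# on a copy; run it as: resolvconf_managed /etc/resolv.conf
resolvconf_managed() {
    [ -L "$1" ]
}

# Append dhclient.conf(5) directives that survive DHCP renewals.
# "prepend" puts the local caching resolver first and keeps the lease's
# servers as fallbacks; "supersede" ignores the lease's servers entirely.
# Path: /etc/dhcp3/dhclient.conf on Debian etch, /etc/dhcp/dhclient.conf
# on later releases (both are assumptions about the packaging).
write_dhclient_resolver_pin() {
    cat >>"$1" <<'EOF'
# always consult the local caching resolver first
prepend domain-name-servers 127.0.0.1;
# or, to ignore whatever the DHCP server hands out:
# supersede domain-name-servers 127.0.0.1;
EOF
}

# Constructed sample of the resolv.conf a hotspot's DHCP left behind; the
# 208.67.x.x addresses are OpenDNS's public resolvers, the third is the
# home router. Compare the file's mtime (stat /etc/resolv.conf) with when
# you were last on somebody else's network, as Richard did.
SAMPLE_RESOLV='# Generated by dhclient (constructed sample)
search harke.org
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.0.1'

# Live use: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    resolvconf_managed /etc/resolv.conf && echo "resolvconf manages /etc/resolv.conf"
    echo "resolvers outside your network:"
    foreign_nameservers </etc/resolv.conf
fi
```

On the sample, foreign_nameservers prints the two OpenDNS addresses and stays quiet about the 192.168.0.1 router. Note that an entry pointing at a third-party resolver is not just a performance question: whoever runs it sees every name your machine asks for, which is the point Rick makes elsewhere in the thread.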
Re: [vox-tech] Fwd: Very slow off net
On Tue, 2009-10-27 at 15:16 -0700, Richard Harke wrote:
> Sorry. I was trying to keep it short.
> Linux, of course. Debian etch for amd-64
>
> /etc/hosts has a 127.0.0.1 localhost grassmann line plus a line 192.168.0.21 grassmann.harke.org grassmann and similar for my other machines on this lan. Everything on this lan has a fixed IP address.
>
> One mystery solved. /etc/resolv.conf has the IP addresses for openDNS. But I don't know how they got there. The file is dated 10/20 so it might be from when I used the wifi at Borders. I had to change my interfaces file and do an ifup ath0=borders to get connected. Could that have given permission to rewrite /etc/resolv.conf? I guess I could check this out the next time I'm at Borders.

DHCP clients by default overwrite /etc/resolv.conf to use their own DNS settings unless you have the resolvconf package installed (which provides a more principled way to reconcile automatic changes by creating a whole directory of resolv.conf, one per client, then creating /etc/resolv.conf as the union of all of those files, and hooks into all of the programs that have reasons to change /etc/resolv.conf).

If /etc/resolv.conf is a symlink, then the resolvconf package is installed.

--Ken
Re: [vox-tech] Fwd: Very slow off net
Quoting Richard Harke (paleopeng...@gmail.com):

> When I use my laptop without a network connection, it becomes very, very slow launching applications. I've done some tracing and apparently it sends some kind of request to a DNS server. Not just any DNS but openDNS in particular. When it's off-net, it waits for the time-out before continuing. So two questions. Why contact DNS for any app launch? (This includes apps that have no possibility of using the net)

This is difficult to answer without specifics.

> 2nd. Why openDNS? I had never heard of them before and certainly haven't signed up for their service.

You'll have to answer this question from local knowledge. Obviously, somebody using your laptop at some point did something that re-pointed /etc/resolv.conf to them -- and nothing's overridden that, since.
Re: [vox-tech] Fwd: Very slow off net
Sorry. I was trying to keep it short.
Linux, of course. Debian etch for amd-64

/etc/hosts has a 127.0.0.1 localhost grassmann line plus a line 192.168.0.21 grassmann.harke.org grassmann and similar for my other machines on this lan. Everything on this lan has a fixed IP address.

One mystery solved. /etc/resolv.conf has the IP addresses for openDNS. But I don't know how they got there. The file is dated 10/20 so it might be from when I used the wifi at Borders. I had to change my interfaces file and do an ifup ath0=borders to get connected. Could that have given permission to rewrite /etc/resolv.conf? I guess I could check this out the next time I'm at Borders.

I used wireshark to trace the net happenings. I just retried with the net connected to see if there was any follow up to the DNS query. For firefox, er iceweasel, there was, but for a card game no follow up.

On Tue, Oct 27, 2009 at 1:46 AM, Bill Broadley wrote:
> Bill Kendrick wrote:
> > When I use my laptop without a network connection, it becomes very, very slow launching applications. I've done some tracing and apparently it sends
>
> Very strange. Operating system? Distribution? Anything unusual? What does hostname report? What is in /etc/hosts?
>
> My best guess (with very little info) is that you are trying to find localhost and failing.
>
> > some kind of request to a DNS server. Not just any DNS but openDNS in
>
> Apparently? Strace? Wireshark? How you tracked it down would be helpful.
>
> > particular. When it's off net, it waits for the time-out before continuing.
>
> Ugly. Try adding your hostname to the /etc/hosts entry for 127.0.0.1
>
> > So two questions. Why contact DNS for any app launch? (This includes apps that have no possibility of using the net)
>
> Anything that displays X (or runs inside of a new xterminal) needs to find the $DISPLAY, which might well do a hostname lookup to set/check the display.
>
> > 2nd. Why openDNS? I had never heard of them before and certainly haven't signed up for their service.
>
> I'm a fan, certainly much faster on average than what pacbell provides. Where does your laptop/router get its IP? Static? DHCP from your network provider? If it's dhcp then you are getting the DNS servers from your dhcp provider, if not then someone likely followed the opendns directions for your router/laptop.
>
> I wouldn't be terribly surprised if say a linksys router installed with a community linux distribution like openwrt defaulted to using opendns as a server.
Re: [vox-tech] Fwd: Very slow off net
Bill Kendrick wrote:
> When I use my laptop without a network connection, it becomes very, very slow launching applications. I've done some tracing and apparently it sends

Very strange. Operating system? Distribution? Anything unusual? What does hostname report? What is in /etc/hosts?

My best guess (with very little info) is that you are trying to find localhost and failing.

> some kind of request to a DNS server. Not just any DNS but openDNS in

Apparently? Strace? Wireshark? How you tracked it down would be helpful.

> particular. When it's off net, it waits for the time-out before continuing.

Ugly. Try adding your hostname to the /etc/hosts entry for 127.0.0.1

> So two questions. Why contact DNS for any app launch? (This includes apps that have no possibility of using the net)

Anything that displays X (or runs inside of a new xterminal) needs to find the $DISPLAY, which might well do a hostname lookup to set/check the display.

> 2nd. Why openDNS? I had never heard of them before and certainly haven't signed up for their service.

I'm a fan, certainly much faster on average than what pacbell provides. Where does your laptop/router get its IP? Static? DHCP from your network provider? If it's dhcp then you are getting the DNS servers from your dhcp provider, if not then someone likely followed the opendns directions for your router/laptop.

I wouldn't be terribly surprised if say a linksys router installed with a community linux distribution like openwrt defaulted to using opendns as a server.
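Bill's two diagnostic questions (what does hostname report, what is in /etc/hosts) and his fix (add the hostname to the 127.0.0.1 line), as an added runnable check; this is my example, not code from the thread. Why the fix works: glibc resolves a name by walking the sources on the `hosts:` line of /etc/nsswitch.conf, normally `files dns`, so a name present in /etc/hosts is answered locally and no packet leaves the machine, while a name absent from it falls through to DNS and, off net, waits out the resolver timeout. The sample file contents are constructed from what Richard describes later in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether the local
# hostname is answered from /etc/hosts before the resolver can fall through
# to DNS. Each function reads file contents on stdin so it can be run on the
# real files or on constructed samples:
#   hostname_in_hosts "$(hostname)" < /etc/hosts
#   files_before_dns < /etc/nsswitch.conf

# Returns 0 if NAME is listed as a name or alias (any field after the
# address) on a non-comment line of hosts(5) data read from stdin.
hostname_in_hosts() {
    sed 's/#.*//' | awk -v n="$1" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Returns 0 if the "hosts:" line of nsswitch.conf(5) data read from stdin
# names "files" before "dns", so /etc/hosts is consulted first and a name
# found there never generates a DNS query.
files_before_dns() {
    awk '
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !d) f = 1
                if ($i == "dns") d = 1
            }
        }
        END { if (f) exit 0; exit 1 }'
}

# Combine both checks. Arguments: hostname, hosts(5) contents,
# nsswitch.conf(5) contents. Prints one of:
#   ok                     - hostname is served locally
#   hostname-not-in-hosts  - add it to the 127.0.0.1 line (Bill's fix)
#   dns-before-files       - /etc/hosts is consulted too late to help
check_host() {
    if ! printf '%s\n' "$2" | hostname_in_hosts "$1"; then
        echo hostname-not-in-hosts
    elif ! printf '%s\n' "$3" | files_before_dns; then
        echo dns-before-files
    else
        echo ok
    fi
}

# Constructed samples modelled on the files Richard describes.
GOOD_HOSTS='127.0.0.1 localhost grassmann
192.168.0.21 grassmann.harke.org grassmann'
BAD_HOSTS='127.0.0.1 localhost   # hostname missing: lookups leave the box'
GOOD_NSSWITCH='hosts: files dns'
BAD_NSSWITCH='hosts: dns files'

# Run against the live system with: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    check_host "$(hostname)" "$(cat /etc/hosts)" "$(cat /etc/nsswitch.conf)"
fi
```

A quick cross-check on a live box is `getent hosts "$(hostname)"` with the network cable out: if it returns instantly the name is served from files; if it hangs for several seconds, the lookup went to DNS and this is the delay the thread is chasing.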