On 7/28/2011 10:51 AM, Ask Bjørn Hansen wrote:
> On Jul 27, 2011, at 16:41, Aleksandar Lazic wrote:
>> I use dnscache on my home network and would like to know why anybody
>> decided to move from dnscache.
> Performance, IPv6 support, ease of maintenance (when using dnscache I often end
> up with subtly differently patched versions; frustrating). Also: Memory is much
> more plentiful now than ten years ago, so dnscache's excellent memory
> management is less important now than then.
Performance? Yah.
dnscache has a compile-time-fixed-size buffer for saving outbound
requests for which it doesn't have an answer yet. ISTR it's 1K entries.
If this buffer overflows, it throws queries away (not sure if FIFO or LIFO).
The obvious "tweak" is to recompile with a larger buffer - say, 10K.
But... It's a _linear_ search of the buffer for the corresponding request!
Under high loads, dnscache simply starts losing queries. If you've
naively made the buffer too big, it becomes a CPU burner too.
[ISTR also that dnscache's matching heuristics in the buffer are
inadequate and _can_ be subject to a poisoning attack, but don't quote me.]
Now I may be expecting a bit much from it - having aimed massively
parallel DNS queries at it using async libraries. But, Unbound for
example manages that without hiccups.
Unbound made an _enormous_ improvement to our spam filtering
environment. Not to mention having documentation (fancy that!) that you
can read.
I'd not use dnscache in corporate/enterprise/high reliability
environments. Unbound is nice and hiccup-free. Bind9 is reasonable
enough. I hear good things about PowerDNS too.
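The capacity and linear-search behaviour described in the reply above can be shown with a small simulation. This is an added example, not code from the thread or from dnscache itself: it models a fixed-size table of outstanding queries searched linearly, beside a hash-keyed table with the same capacity, and counts how many queries are evicted before their answer returns and how many entry comparisons each answer costs. The FIFO eviction policy, the class and function names, and the query names are constructed assumptions (the post itself is unsure whether eviction is FIFO or LIFO).

```python
from collections import OrderedDict


class LinearPendingTable:
    """Fixed-capacity table of in-flight queries, searched linearly on match.
    When full, the oldest entry is evicted (FIFO is an assumption made here;
    the post is unsure which policy dnscache actually uses)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []          # list of (query_id, qname), oldest first
        self.dropped = 0           # queries evicted before an answer arrived
        self.comparisons = 0       # entry comparisons performed in match()

    def add(self, query_id, qname):
        if len(self.entries) >= self.capacity:
            self.entries.pop(0)    # table full: evict the oldest query
            self.dropped += 1
        self.entries.append((query_id, qname))

    def match(self, query_id, qname):
        # Linear scan: cost grows with the number of outstanding queries,
        # and a miss (answer for an evicted query) scans the whole table.
        for i, entry in enumerate(self.entries):
            self.comparisons += 1
            if entry == (query_id, qname):
                del self.entries[i]
                return True
        return False


class HashedPendingTable:
    """Same capacity and eviction policy, but keyed lookup: one probe per match."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # (query_id, qname) -> True, insertion ordered
        self.dropped = 0
        self.comparisons = 0

    def add(self, query_id, qname):
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # evict oldest
            self.dropped += 1
        self.entries[(query_id, qname)] = True

    def match(self, query_id, qname):
        self.comparisons += 1                  # one hashed probe, hit or miss
        return self.entries.pop((query_id, qname), None) is not None


def simulate(table_cls, outstanding, capacity):
    """Send `outstanding` queries before any answer returns, then deliver the
    answers in the order the queries were sent (a constructed load pattern).
    Returns (queries dropped, answers that found no pending query, comparisons)."""
    table = table_cls(capacity)
    for qid in range(outstanding):
        table.add(qid, f"host{qid}.example")       # constructed query names
    unmatched = 0
    for qid in range(outstanding):
        if not table.match(qid, f"host{qid}.example"):
            unmatched += 1
    return table.dropped, unmatched, table.comparisons


if __name__ == "__main__":
    for cls in (LinearPendingTable, HashedPendingTable):
        for load in (500, 1500):
            print(cls.__name__, load, simulate(cls, load, 1000))
```

With 1500 queries in flight against a 1000-entry table, both tables lose the first 500 queries, but the linear table spends a full 1000-entry scan on every answer for an evicted query (half a million comparisons in this run) while the hashed table spends one probe per answer. Enlarging the linear table removes the drops but makes every miss proportionally more expensive, which is the CPU-burner effect the reply describes.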