Re: root and in-addr.arpa zone transfers

2009-09-14 Thread Stephane Bortzmeyer
On Fri, Sep 11, 2009 at 07:28:56AM +0200,
 Michael Monnerie  wrote 
 a message of 51 lines which said:

> Faster queries after a named restart. Reverse lookups faster too,
> good for the spam filters.

Did you measure it or is it, like most claims "X is faster", just a
guess?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: root and in-addr.arpa zone transfers

2009-09-14 Thread Michael Monnerie
On Monday 14 September 2009 Stephane Bortzmeyer wrote:
> > Faster queries after a named restart. Reverse lookups faster too,
> > good for the spam filters.
>
> Did you measure it or is it, like most claims "X is faster", just a
> guess?

In a normal setup, we see lots of queries to the 3rd DNS entry in 
resolv.conf for quite some time after a restart.
With root/arpa copies local, even after a restart very quick 
normalisation occurs.

I wouldn't recommend doing the slaving if you have to start new, but we 
already have the infrastructure/scripts running and tested, so I'll just 
keep it. We had no negative side effects so far. While it's a small 
gain, keeping it doesn't hurt, so: I won't touch the running system.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4



forwarder that doesn't ask root servers

2009-09-14 Thread Marcos Lorenzo de Santiago
I believe bind has some root servers hardcoded inside and bind always
looks for root servers even if you give it a list of forwarders, I see
this in the firewall blocked connections.

So the question is quite simple: Is there any way to disable this? I
mean, I just want bind to forward queries related to not-owned maps to a
list of forwarders as FW will drop all packages going to non-local nets.

Do any of you know how to accomplish this?

Thanks in advance.


-- 
"It is the innocent, not the wise, who resolve the difficult questions."
  -- Pío Baroja (1872-1956), Spanish writer

Marcos Lorenzo de Santiago
Systems Technician, IT Department, Ayuntamiento de Getafe
Debian GNU/Linux Powerer
marcos.lore...@ayto-getafe.org
Phone: (+34) 91-202-79-48
Mobile: (+34) 608-300-935


Re: forwarder that doesn't ask root servers

2009-09-14 Thread Adam Tkac
On Mon, Sep 14, 2009 at 01:31:24PM +0200, Marcos Lorenzo de Santiago wrote:
> I believe bind has some root servers hardcoded inside and bind always
> looks for root servers even if you give it a list of forwarders, I see
> this in the firewall blocked connections.
> 
> So the question is quite simple: Is there any way to disable this? I
> mean, I just want bind to forward queries related to not-owned maps to a
> list of forwarders as FW will drop all packages going to non-local nets.
> 
> Do any of you know how to accomplish this?

options {
  ...
  forward only;
  ...
};

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
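A check for the setting discussed in this thread, as an added example that is not part of the original posts: it reads the global options block of a named.conf and reports whether forwarding can still fall back to iterating from the roots. The two configurations and their 192.0.2.x forwarder addresses are constructed samples, and only the global options block is inspected (per-zone or per-view forward statements are outside its scope).

```python
import re

# Constructed named.conf samples; the 192.0.2.x forwarders are documentation placeholders.
FALLBACK_CONF = """
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };   // no "forward" statement
};
"""
FORWARD_ONLY_CONF = """
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;   # never fall back to iteration
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(text):
    """Return the text between the braces of the top-level options block."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""

def forwarding_mode(conf):
    """Classify global forwarding: 'none', 'first' (may iterate from the roots) or 'only'."""
    body = options_body(strip_comments(conf))
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
    servers = [s.strip() for s in fwd.group(1).split(";") if s.strip()] if fwd else []
    if not servers:
        return "none", servers   # an empty forwarders list means no forwarding at all
    mode = re.search(r"\bforward\s+(only|first)\s*;", body)
    return (mode.group(1) if mode else "first"), servers   # BIND's default is "first"
```

A result of "first" on a host whose firewall drops traffic to non-local networks matches the blocked connections described in the question.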


Re: forwarder that doesn't ask root servers

2009-09-14 Thread Marcos Lorenzo de Santiago
On Mon, 14-09-2009 at 15:01 +0200, Adam Tkac wrote:
> On Mon, Sep 14, 2009 at 01:31:24PM +0200, Marcos Lorenzo de Santiago wrote:
> > I believe bind has some root servers hardcoded inside and bind always
> > looks for root servers even if you give it a list of forwarders, I see
> > this in the firewall blocked connections.
> > 
> > So the question is quite simple: Is there any way to disable this? I
> > mean, I just want bind to forward queries related to not-owned maps to a
> > list of forwarders as FW will drop all packages going to non-local nets.
> > 
> > Do any of you know how to accomplish this?
> 
> options {
>   ...
>   forward only;
>   ...
> };
> 
> Regards, Adam
> 

Thanks a lot... I feel stupid now, but thanks for opening my eyes! :D

Cheers.

-- 
"Let us leave conclusions to the idiots."
  -- Pío Baroja (1872-1956), Spanish writer

Marcos Lorenzo de Santiago
Systems Technician, IT Department, Ayuntamiento de Getafe
Debian GNU/Linux Powerer
marcos.lore...@ayto-getafe.org
Phone: (+34) 91-202-79-48
Mobile: (+34) 608-300-935


Re: one DNS names to multiple IP Addresses(Round Robin DNS)

2009-09-14 Thread Sam Wilson
In article ,
 Joseph S D Yao  wrote:

> On Wed, Sep 09, 2009 at 05:47:34PM +0100, Sam Wilson wrote:
> > In article ,
> >  Balanagaraju Munukutla <9ba...@sg.ibm.com> wrote:
> > > Hi
> > > 
> > > Anybody can help to explain the side effect of configuring the DNS name 
> > > to 
> > > multiple IP addresses(Round Robin DNS).
> > 
> > If you're planning to use it for load sharing, then the effect is very 
> > basic - requests get shared equally among the addresses irrespective of 
> > load on the target system or whether the system is offering the service 
> > or not.  If one of the target systems goes down then clients which are 
> > directed to that system will either get rejected or time out, depending 
> > on the type of failure.  You can mitigate this by using watchdog 
> > scripts, short TTLs and dynamic DNS updates.
> > 
> > In short it's cheap and cheerful load balancing.  A large commercial 
> > organisation might not want to rely on it, but depending on the 
> > application it can work well enough.
> 
> 
> There are several problems with using this for load balancing.
> 
> The first is, simply, it will not work unless the name server that is
> authoritative for this zone is also your resolving name server.  If
> there are ANY resolving name servers between the user and the
> authoritative name server - as there usually is/are - then it's the
> "round robin" policy - or lack thereof - of the last caching name server
> before your stub resolver that will dictate how the addresses are
> delivered.

In most of our cases the vast majority of clients are local so we do 
control the resolving servers, and observation shows that loads are 
fairly well balanced.

> Second, if one of the systems goes down, then its IP address is still in
> the rotation, again, unless some clever dynamic-DNS insertion and
> deletion strategy is used.  This means that users will get frustrated
> when their Web browser sometimes gets the Web site and sometimes
> doesn't; or some automatic process that is trying to get your
> information will not fail cleanly.

We do exactly that - a watchdog script that can add and remove addresses 
by dynDNS.  It never removes the last entry, of course.

> ISTM, it's better to try and do failover some other way, such as with
> high-availability Linux, than to try to get DNS to do load balancing.

Certainly - if you need to balance load across highly stressed servers 
or if you want real high availability or guaranteed response times then the 
DNS is not the way to achieve those things.  For cheap resilience and 
more or less good enough load balancing it *can* be useful.  Only the OP 
can say whether it would work for his/her situation.

Sam
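A sketch of the kind of watchdog described in the message above, as an added example that is not the poster's script: it turns health-probe results into nsupdate input for a round-robin A RRset and refuses to delete the last remaining record. The name www.example.com., the 60 second TTL, the 192.0.2.x addresses and the TCP-connect probe are all assumptions made for illustration.

```python
import ipaddress
import socket

def is_up(addr, port=80, timeout=2.0):
    """Health probe: does the backend accept a TCP connection on the service port?"""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def plan_nsupdate(name, ttl, published, healthy, server="127.0.0.1"):
    """Build nsupdate input that makes the A RRset match the healthy set.

    published: addresses currently in the zone; healthy: addresses that passed
    the probe. Returns [] when the RRset needs no change.
    """
    # Parse every address so only valid IPv4 literals reach the nsupdate input.
    pub = {ipaddress.IPv4Address(a) for a in published}
    ok = {ipaddress.IPv4Address(a) for a in healthy}
    to_del = sorted(pub - ok)
    to_add = sorted(ok - pub)
    if to_del and not ok:
        # Every backend failed the probe: keep one record rather than empty the
        # RRset (the "never removes the last entry" rule from the message).
        to_del = to_del[1:]
    if not (to_del or to_add):
        return []
    cmds = [f"server {server}"]
    cmds += [f"update delete {name} A {a}" for a in to_del]
    cmds += [f"update add {name} {ttl} A {a}" for a in to_add]
    return cmds + ["send"]

# Constructed sample: three published backends, .12 failed, .14 is a new healthy host.
SAMPLE = plan_nsupdate("www.example.com.", 60,
                       ["192.0.2.11", "192.0.2.12", "192.0.2.13"],
                       ["192.0.2.11", "192.0.2.13", "192.0.2.14"])
```

The returned lines are meant to be piped to nsupdate, normally with a TSIG key (nsupdate -k) so that only the watchdog is allowed to change the zone.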


Re: forwarder that doesn't ask root servers

2009-09-14 Thread Barry Margolin
In article ,
 Marcos Lorenzo de Santiago  wrote:

> On Mon, 14-09-2009 at 15:01 +0200, Adam Tkac wrote:
> > On Mon, Sep 14, 2009 at 01:31:24PM +0200, Marcos Lorenzo de Santiago wrote:
> > > I believe bind has some root servers hardcoded inside and bind always
> > > looks for root servers even if you give it a list of forwarders, I see
> > > this in the firewall blocked connections.
> > > 
> > > So the question is quite simple: Is there any way to disable this? I
> > > mean, I just want bind to forward queries related to not-owned maps to a
> > > list of forwarders as FW will drop all packages going to non-local nets.
> > > 
> > > Do any of you know how to accomplish this?
> > 
> > options {
> > ...
> > forward only;
> > ...
> > };
> > 
> > Regards, Adam
> > 
> 
> Thanks a lot... I feel stupid now, but thanks for opening my eyes! :D

Don't feel stupid.  Older versions of BIND queried for the root servers 
even with this option set.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***