BIND caches ENUM NAPTR records irrespective of TTL 0

2013-07-12 Thread Ramprakash V
Hi,

I am using BIND 9.6 to enable my application to act as an ENUM server.
The ENUM server performs routing and responds to ENUM NAPTR records.

The NAPTR responses are sent with a TTL of zero and without any authority
section. When I trigger an ENUM NAPTR load (using dig) with the same digits, I
could see that some of the responses are not forwarded to the application
for routing, but are instead handled by the BIND stack on its own.

The same behavior is not seen when the digits are different in a 
load, wherein the requests are all forwarded to the application for 
routing.

Is there any option available in BIND to enable the traffic to be 
forwarded always to the application? I tried setting the options 
max-cache-ttl and max-cache-size to zero, but didn't help. Any 
suggestions on this would be appreciated.
regards,
Ramprakash
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
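Editor's added example, not part of Ramprakash's post and not BIND code: the ENUM name for a number is built from its digits alone (RFC 6116), so a load test that repeats one number repeats one qname, which is exactly the case a resolver cache can answer, while different numbers give different qnames and always miss. The second function tells a cached answer from an authoritative one in dig's output, since named does not set the aa flag on answers served from its cache. The dig flag lines are constructed, not captured from the poster's server, and the server address in the comments is a placeholder.

```shell
# Build the e164.arpa name for an E.164 number (RFC 6116): keep the digits,
# reverse them, separate them with dots, append e164.arpa.
# Two calls with the same number always yield the same qname.
enum_name() {
    digits=$(printf '%s' "$1" | tr -cd '0-9')
    [ -n "$digits" ] || return 1
    name=""
    while [ -n "$digits" ]; do
        last=${digits#"${digits%?}"}   # final digit
        digits=${digits%?}             # drop it
        name="$name$last."
    done
    printf '%s\n' "${name}e164.arpa."
}

# Constructed dig excerpts (not captured from the poster's server).
SAMPLE_AUTH=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CACHE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# True (exit 0) when the text of a dig response shows an answer served from a
# cache: the aa flag is absent. Exit 1 for an authoritative answer, 2 when
# the text has no flags line at all (timeout, garbage), so the caller can
# tell "not cached" from "no answer".
answered_from_cache() {
    flags=$(printf '%s\n' "$1" | grep '^;; flags:') || return 2
    case " ${flags#*: }" in
        *" aa "*|*" aa;"*) return 1 ;;
    esac
    return 0
}

# Two queries for the same number hit the same qname, so the second one may be
# answered from cache; compare the aa flag on each response (127.0.0.1 is a
# placeholder for the server under test):
#   n=$(enum_name +15551234567)
#   dig @127.0.0.1 "$n" NAPTR > first.txt; dig @127.0.0.1 "$n" NAPTR > second.txt
#   answered_from_cache "$(cat second.txt)" && echo "second answer came from cache"
```

With `max-cache-ttl 0` the cached copy should be unusable on the next query, so if the second run still reports a cached answer the records are being served by something other than the ordinary cache and that is where to look next.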

BIND Performance with Huge RPZ

2013-07-12 Thread Arie L. Putra
Dear All, 

We are building a recursive DNS server; it will act as a cache for our
network (several user-side DNS servers will forward to this server).
Using Ubuntu Server with the latest BIND version, we are trying to have RPZ
included in this BIND, with around 800k blacklisted sites.

Does anyone have experience of how RPZ with a huge list will impact BIND
performance? Will it reduce DNS response time? We have six DNS servers that will
point to this server, each serving about 15Mbps of DNS traffic at
peak hour.

This server is an Ubuntu box with 2 Xeons (12 cores in total, 24 including HT),
16GB RAM.

Appreciate any information given.

Best Regards,

Arie Lendra Putra


Re: BIND Performance with Huge RPZ

2013-07-12 Thread Steven Carr
On 12 July 2013 11:11, Arie L. Putra  wrote:
>
> Has anyone have experience, how RPZ with huge list will impact BIND
performance, will it reduce DNS response time? we have six DNS server that
will point to this server, each server is serving about 15Mbps of DNS
Traffic on peak hour.
>
> this server is a Ubuntu box with 2 Xeon (total of 12 core, 24 if include
HT), 16GB RAM.


It's very difficult to predict the impact on performance in general. But
every query will hit the RPZ zone to be checked against, so make sure you
have enough RAM to hold all 800k records in memory then that will
significantly speed things up.

The guidance figures that I've seen bandied around by a BIND-based DNS
appliance are that it will have a ~30% impact on query performance per RPZ
feed that has to be looked up against.

Steve

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Phil Mayers

On 12/07/13 11:11, Arie L. Putra wrote:

> Has anyone have experience, how RPZ with huge list will impact BIND
> performance, will it reduce DNS response time? we have six DNS server
> that will point to this server, each server is serving about 15Mbps of
> DNS Traffic on peak hour.

We don't have that kind of load, but we do have a large (~550k) RPZ 
setup. It doesn't seem to have any noticeable performance impact, 
although I should note we're running bind 9.9.2 with the RRL+RPZ 
patches, which contain some RPZ performance improvements in certain configs:


http://ss.vix.su/~vjs/rrlrpz.html

Our query load is in the 400-800qps range, with occasional spikes to 
>1500qps.


I had a few problems with RPZ in the past, and it was suggested that our 
using bind 9.8 (at the time) might have been an issue; we never 
determined the exact cause, but they don't seem to have recurred on 9.9.



Re: Reverse Lookups with Forwarders

2013-07-12 Thread sumsum 2000
Along the same lines as that of ipv4 address:
i have the following zone  file  configuration for reverse lookup:

  Goal: 192.168.100.128/26  to be directed to 10.213.246.15

In this, the network part is 192.168.100.128 and the
network range is 191.168.100.129 - 191.168.100.190

in this specific case, this is what i end up with zone file configuration:
zone "128.100.168.192.in-addr.arpa" IN {
type forward;
forwarders {10.213.246.15;};
forward only;
};

In other cases, where my network is 192.168.100,  the configuration is as
follows and this works
zone "128.100.168.192.in-addr.arpa" IN {
type forward;
forwarders {10.213.246.15;};
forward only;
};



When i do a dig  -x  191.168.100.129  it does not go to the configured DNS.
Any way, i can get this to be looked up for the correct specified DNS, as
there is distinction between the network and the host configuration for
this specific case.

Could you please help on this.


On Tue, Jul 9, 2013 at 1:03 PM, Matus UHLAR - fantomas wrote:

> On 09.07.13 11:51, sumsum 2000 wrote:
>
>> I have a reverse lookup zone file configuration as follows:
>> zone "0/24.110.252.173.in-addr.arpa" {
>>
> [...]
>
>  When I do dig -x 172.252.110.27, I expect it to forward it to
>> 10.10.96.1, but instead, it uses the default resolver.
>>
> [...]
>
>  So if DNS Server X is configured against this zone
>> , then any reverse DNS request for 173.252.110.0-173.252.110.255
>> should be forwarded via DNS Server X
>>
>
>  Currently this is not the case. There is no forwarding in the above
>> scenario ( where CIDR notation x.x.x.x/Mask is used)
>>
>
> Neither BIND nor DNS uses the CIDR format.
> The recursive resolution searches for 27.110.252.173.in-addr.arpa, which
> does NOT belong under 0/24.110.252.173.in-addr.arpa; they are two separate
> names.
>
> You would have to set up either zone 27.110.252.173.in-addr.arpa or
> 110.252.173.in-addr.arpa.
>
>> Only when the zone file is changed to
>>zone "110.252.173.in-addr.arpa" IN {
>>
>> All the requests for
>>
>> 173.252.110.0-173.252.110.255  is forwarded to 10.10.96.1.
>>
>
> Use 110.252.173.in-addr.arpa then. You should be aware that the IP range
> belongs to facebook, as already noted.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 99 percent of lawyers give the rest a bad name.

Re: BIND Performance with Huge RPZ

2013-07-12 Thread G.W. Haywood

Hi there,

On Fri, 12 Jul 2013, Arie L. Putra wrote:

> We are building a server for recursive DNS Server, this server will
> be acted as a cache for our network. (several user-side DNS Server
> will forward to this server) Using Ubuntu Server with latest BIND
> version, we are trying to have RPZ included in this BIND, with around
> 800k blacklisted sites.
>
> Has anyone have experience, how RPZ with huge list will impact BIND
> performance, will it reduce DNS response time? we have six DNS
> server that will point to this server, each server is serving about
> 15Mbps of DNS Traffic on peak hour.


I wonder if you've considered using iptables in addition to BIND/RPZ?
Using the ipsets extension to iptables, on very modest hardware, we
routinely block over one thousand million IP addresses with negligible
impact on performance.  I understand that it's not the same thing at
all, but I still wonder if it might be of some use to you.

--

73,
Ged.
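Ged's suggestion in script form, as an editor's added example that is not code from the thread: it turns a plain IPv4 blocklist into `ipset restore` input for a hash:net set that an iptables rule can match on. The set name, hash sizes and the sample feed are assumptions; maxelem must be raised if the real list is larger. As Ged says, this is not the same thing as RPZ: an ipset matches packet addresses, RPZ rewrites answers for names, so the two block lists are different data and one does not replace the other.

```shell
# Turn a plain IPv4 blocklist read from stdin (one address or CIDR per line,
# '#' comments and blank lines allowed) into `ipset restore` input for a
# hash:net set. Malformed lines are dropped, duplicates collapsed.
# Apply with:   ipset -exist restore < blocklist.ipset
# Match with:   iptables -I INPUT -m set --match-set blocklist src -j DROP
ipset_restore_from_list() {
    setname=$1
    # hashsize/maxelem are assumptions; maxelem must exceed the entry count
    printf 'create %s hash:net family inet hashsize 65536 maxelem 2000000\n' "$setname"
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sort -u \
      | while IFS= read -r net; do
            printf 'add %s %s\n' "$setname" "$net"
        done
}

# Constructed sample feed (not a real blocklist); documentation ranges only.
SAMPLE_LIST='# example feed
198.51.100.0/24
203.0.113.7
203.0.113.7          # duplicate, dropped by sort -u
not-an-address       # rejected by the pattern
192.0.2.0/28'

# Example run:  printf '%s\n' "$SAMPLE_LIST" | ipset_restore_from_list blocklist
```

The pattern only checks shape, not octet range; `ipset restore` rejects anything out of range, which is acceptable here because the whole restore is atomic and the error names the offending line. Loading a regenerated list into a second set and then `ipset swap`-ing it in avoids a window with no blocking.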


Re: Reverse address entries

2013-07-12 Thread Sam Wilson
In article ,
 Steven Carr  wrote:

> On 2 July 2013 14:42, Sam Wilson  wrote:
> > Can anyone here give examples of the types of various software that will
> > not operate without a PTR record?
> 
> There have already been numerous listings of software that require
> reverse lookups. SMTP being the main one. Other services like IRC and
> some databases (Oracle/MySQL) can also be configured to require
> properly working reverse lookups.

"... can also be configured ..." - see below.

> > I agree that if PTR records exist then they should match an A record.
> > My experience (and IIRC correctly the word of several RFCs) is that PTRs
> > are not required for most things to work.
> 
> RFC1912 [http://tools.ietf.org/html/rfc1912] section 2.1...
> 
> Every Internet-reachable host should have a name... Make sure your PTR
> and A records match.  For every IP address, there should be a matching
> PTR record in the in-addr.arpa domain.  If a host is multi-homed,
> (more than one IP address) make sure that all IP addresses have a
> corresponding PTR record (not just the first one). Failure to have
> matching PTR and A records can cause loss of Internet services similar
> to not being registered in the DNS at all.  Also, PTR records must
> point back to a valid A record, not a alias defined by a CNAME.

Sorry for the delay in returning to this.  RFC 1912 says:

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind. ...

To make myself clear, I'm a big fan of correct PTR records and we try to 
make sure that our reverse DNS is fully populated.  I do not regard lack 
of a valid PTR record to be a reason to refuse connection except, 
perhaps, in very particular circumstances, for instance where it might 
be part of a trust stance.  That would be by agreement between 
consenting adults, not the law of Internetland in general.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: Reverse address entries

2013-07-12 Thread Sam Wilson
In article ,
 Daniel McDonald  wrote:

> On 7/2/13 8:42 AM, "Sam Wilson"  wrote:
> 
> > There may be a subtle language thing going on here.  I read the original
> > post above as saying, literally, "you need PTR records because various
> > software tries to match A and PTR records".  It doesn't say "you need
> > PTR records because some systems require PTR records (and if you have
> > them they will also need to match the A records)".  PTR records are nice
> > but they aren't a general requirement.
> > 
> > Can anyone here give examples of the types of various software that will
> > not operate without a PTR record?
> 
> I've had trouble with OSI-Soft PI historian without reverse entries.  If
> there is no reverse, then the PI software would spend about 30 seconds
> looking in vain for a DNS answer before sending a SYN-ACK packet.  Since the
> embryonic timer on a Cisco firewall is usually 20 seconds, the sessions
> would simply not come up. I've seen similar things with openssh.

That seems fairly weird.  If there is no DNS entry then that should be 
determinable in the same time as getting a valid entry.  If there's 
broken DNS resolution that's much more likely to cause the 30s timeout, 
which is very likely due to the system trying to log the name of the 
incoming client.

> The other place reverse DNS is routinely queried is SMTP.  If you care
> enough to send mail, you should care enough to set up your reverse entries
> realistically so that spam filters will recognize that you are trying to
> actively manage your email server and this isn't mail from a BOT...

Routine query, yes; refusal of service based (solely?) on lack of a PTR 
record is not, so far as I can tell, widespread.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: Reverse address entries

2013-07-12 Thread Novosielski, Ryan

On 07/12/2013 11:23 AM, Sam Wilson wrote:
> In article
> , Steven
> Carr  wrote:
> 
>> On 2 July 2013 14:42, Sam Wilson  wrote:
>>> Can anyone here give examples of the types of various software
>>> that will not operate without a PTR record?
>> 
>> There have already been numerous listings of software that
>> require reverse lookups. SMTP being the main one. Other services
>> like IRC and some databases (Oracle/MySQL) can also be configured
>> to require properly working reverse lookups.
> 
> "... can also be configured ..." - see below.
> 
>>> I agree that if PTR records exist then they should match an A
>>> record. My experience (and IIRC correctly the word of several
>>> RFCs) is that PTRs are not required for most things to work.
>> 
>> RFC1912 [http://tools.ietf.org/html/rfc1912] section 2.1...
>> 
>> Every Internet-reachable host should have a name... Make sure
>> your PTR and A records match.  For every IP address, there should
>> be a matching PTR record in the in-addr.arpa domain.  If a host
>> is multi-homed, (more than one IP address) make sure that all IP
>> addresses have a corresponding PTR record (not just the first
>> one). Failure to have matching PTR and A records can cause loss
>> of Internet services similar to not being registered in the DNS
>> at all.  Also, PTR records must point back to a valid A record,
>> not a alias defined by a CNAME.
> 
> Sorry for the delay in returning to this.  RFC 1912 says:
> 
> Status of this Memo
> 
> This memo provides information for the Internet community.  This
> memo does not specify an Internet standard of any kind. ...
> 
> To make myself clear, I'm a big fan of correct PTR records and we
> try to make sure that our reverse DNS is fully populated.  I do not
> regard lack of a valid PTR record to be a reason to refuse
> connection except, perhaps, in very particular circumstances, for
> instance where it might be part of a trust stance.  That would be
> by agreement between consenting adults, not the law of Internetland
> in general.

Came across another instance where it may matter: TCP Wrappers.
Although the case there was a bit more peculiar -- rr.net does not
appear to have FORWARD DNS for at least some of its dynamic address
space. So you can get a PTR, and then address validation fails on the
forward address. I guess perhaps if you had no PTR it would never go
that far.

- -- 
 *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
 || \\UTGERS  |-*O*-
 ||_// Biomedical | Ryan Novosielski - Sr. Systems Programmer
 || \\ and Health | novos...@rutgers.edu - 973/972.0922 (2x0922)
 ||  \\  Sciences | OIT/EI-Academic Svcs. - ADMC 450, Newark
  `'


Re: Reverse Lookups with Forwarders

2013-07-12 Thread btb
On Jul 12, 2013, at 09.14, sumsum 2000  wrote:

> Along the same lines as that of ipv4 address: 
> i have the following zone  file  configuration for reverse lookup: 
> 
>   Goal: 192.168.100.128/26  to be directed to 10.213.246.15
> 
> In this, the network part it 192.168.100.128 and  
> network range is 191.168.100.129 - 191.168.100.190
> 
> in this specific case, this is what i end up with zone file configuration:
> zone "128.100.168.192.in-addr.arpa" IN {
> type forward;
> forwarders {10.213.246.15;};
> forward only;
> };
> 
> In other cases, where my network is 192.168.100,  the configuration is as 
> follows and this works
> zone "128.100.168.192.in-addr.arpa" IN {
> type forward;
> forwarders {10.213.246.15;};
> forward only;
> };
> 
> 
>  
> When i do a dig  -x  191.168.100.129  it does not go to the configured DNS.

please don't hijack existing threads for your questions, even if they're 
similar.

if you declare a zone for 128.100.168.192.in-addr.arpa, that is only for the 
single ip address 192.168.100.128.  nothing else [e.g. not 191.168.100.129].  
for netblocks smaller than /24, you'll need to use classless arpa delegation.  
see rfc 2317 for details on this concept.  also please make note of the 
paragraph at the end of section 4 suggesting you not actually use "/" as is 
used in the examples.  too many people seem to miss this.

-ben
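Editor's added example of what btb's pointer to RFC 2317 looks like on a forward-only resolver; this is not configuration from the thread. The /24 parent zone is hosted on the resolver itself (an assumption; it could equally be slaved from wherever it really lives) and maps each address of the /26 onto a child zone name, and a forward zone for that child name sends the PTR lookups to 10.213.246.15, which is assumed to serve a zone of exactly that name with PTR records at labels 129 through 190. The label 128-26 is one choice; any valid label works, and the "/" form used in the RFC's examples is what btb warns against. The name server names are placeholders.

```conf
// named.conf on the forwarding resolver (added example; ns1.example.net is a
// placeholder, 192.168.100.128/26 and 10.213.246.15 are from the thread)

// The /24 parent has to be reachable somewhere, otherwise the CNAMEs below
// are never found; here it is simply hosted locally.
zone "100.168.192.in-addr.arpa" {
    type master;
    file "100.168.192.in-addr.arpa.db";
};

// The /26 child is a distinct zone name. This zone matches the target of
// the CNAMEs more closely than the parent does, so lookups for those names
// are forwarded instead of being answered from the parent.
zone "128-26.100.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.213.246.15; };
};

// 100.168.192.in-addr.arpa.db
$TTL 3600
@       IN SOA  ns1.example.net. hostmaster.example.net. (
                2013071201 3600 900 1209600 300 )
        IN NS   ns1.example.net.
; RFC 2317: point every address of the .128/26 block at the child zone.
; Expands to e.g.  129  CNAME  129.128-26.100.168.192.in-addr.arpa.
$GENERATE 128-191 $ CNAME $.128-26
; Other blocks of this /24 keep ordinary PTR records here.
```

Check with `dig -x 192.168.100.129 @<resolver>`: the answer section should show the CNAME from the parent followed by the PTR from the forwarded zone. A CNAME with no PTR behind it usually means the zone name on 10.213.246.15 does not match the forward zone name character for character.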


bind classless slave from microsoft dns classful SOA?

2013-07-12 Thread Michael Hare

Bind-users;

I have been asked to slave a /24 from a microsoft SOA, however, their 
authority for the /24 is false in that they really only have authority 
to 192/26.

Am I correct in that there is no way to slave said zone 
[x.y.z.in-addr.arpa] but serve it as a different zone 
[192/26.x.y.z.in-addr.arpa] without relying on some outside scripts to 
do the translation?

For what it's worth, I am running the 9.8X series of BIND.

Thanks-
-Michael


Re: BIND Performance with Huge RPZ

2013-07-12 Thread Chris Buxton
On Jul 12, 2013, at 3:11 AM, Arie L. Putra  wrote:
> We are building a server for recursive DNS Server, this server will be acted 
> as a cache for our network. (several user-side DNS Server will forward to 
> this server)
> Using Ubuntu Server with latest BIND version, we are trying to have RPZ 
> included in this BIND, with around 800k blacklisted sites.
> 
> Has anyone have experience, how RPZ with huge list will impact BIND 
> performance, will it reduce DNS response time? we have six DNS server that 
> will point to this server, each server is serving about 15Mbps of DNS Traffic 
> on peak hour. 
> 
> this server is a Ubuntu box with 2 Xeon (total of 12 core, 24 if include HT), 
> 16GB RAM. 

I've seen well over 1 million entries in an RPZ. The performance impact with 
BIND 9.8 was noticeable but not horrible. The memory requirements were roughly 
300 MB for this one zone, compared to over 3 GB for the equivalent in the form 
of somewhere north of 500 thousand individual zones (two A records each, for 
the zone apex and a wildcard, all loading from the same file).

I'm not used to considering DNS traffic in terms of Mb/s (nor MB/s). I'm more 
used to considering q/s. The servers with the aforementioned RPZ each handled a 
relatively large number of queries, possibly as high as 20Kq/s. In my 
experience, it's impossible to know how a given server will perform without 
seeing all of the configuration, as lots of configuration settings can impact 
performance. One such example is query logging to file (instead of to syslog), 
which can completely gut performance.

Regards,
Chris Buxton
BLUECAT


Re: bind classless slave from microsoft dns classful SOA?

2013-07-12 Thread Chris Buxton
On Jul 12, 2013, at 9:09 AM, Michael Hare  wrote:
> Bind-users;
> 
> I have been asked to slave a /24 from a microsoft SOA, however, their 
> authority for the /24 is false in that they really only have authority to 
> 192/26.
> 
> Am I correct in that there is no way to slave said zone [x.y.z.in-addr.arpa] 
> but serve it as a different zone [192/26.x.y.z.in-addr.arpa] without relying 
> on some outside scripts to do the translation?

Yes, that is correct. A zone is itself, not some other zone. A slave's job is 
to faithfully reproduce the zone as published by its master server.

Were I you, I would refuse to slave the /24 reverse zone.

Regards,
Chris Buxton
BLUECAT


Re: BIND Performance with Huge RPZ

2013-07-12 Thread Vernon Schryver
> From: Steven Carr 

> It's very difficult to predict the impact on performance in general.

Yes, the reasonable tactic is to build a representative list of
queries from your query logs and use queryperf to hit a test server
with those 800K policy zone labels.

>  But
> every query will hit the RPZ zone to be checked against, so make sure you
> have enough RAM to hold all 800k records in memory then that will
> significantly speed things up.

RAM for all 800K records would be sufficient, but might not be necessary.
Names in policy zones are kept in the same kind of red/black trees
that are used for ordinary DNS zones, because policy zones are ordinary
BIND9 DNS zones.  Policy zone IP addresses are kept in radix or patricia
trees.  Sufficient RAM is the size of the working set.  For example,
if you have 800K labels below obscure.example.com and almost never
resolve any of them, then keeping them in RAM would not help your
server's average performance.


> The guidance figures that I've seen banded around by a BIND based DNS
> appliance is that it will have ~30% impact on query performance per RPZ
> feed that has to be looked up against.

RPZ performance with zones with NSIP or NSDNAME policies is significantly
improved in versions of the RPZ code with the new min-ns-dots parameter
with a default value 1.  This turns off checking the many server names
and IP addresses of TLDs.

The version after that has min-ns-dots and also no longer hits every
policy zone with every IP address and name in every response, but
instead hits a summary red/black tree of names or radix tree of IP
addresses  summarizing all policy zones once for each address and name.
This radically improves RPZ performance with multiple policy zones.

The BIND9 tests in bin/tests/system/rpz include a quick and dirty
performance test to ensure that nothing is unexpectedly broken.
This is typical output from that test:

    I:checking performance with RPZ
    I:checking performance without RPZ
    I:17758 qps with RPZ is 75% of 23596 qps without RPZ

Previous versions of that test did not turn off some very expensive
run time checks and so produced much smaller numbers for both cases.

Patches for both of those versions of RPZ speed improvements for some
BIND9 releases can be found with the BIND RRL patches by following the link
labeled "Patch files for BIND9" on http://www.redbarn.org/dns/ratelimits

Both of those versions are or will be in official BIND releases.
I've lost track of which releases have or will have which of those
two RPZ sets of performance improvements.


Vernon Schryver    v...@rhyolite.com
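A minimal configuration for the before/after queryperf measurement Vernon recommends, as an editor's added example that is neither from the thread nor from ISC: one local policy zone, min-ns-dots left at the default of 1 he describes (the option only exists in releases carrying that patch, so older named rejects the line), the policy zone not directly queryable, and RPZ logging sent to syslog rather than a file, in line with Chris Buxton's note on file logging. Zone name, addresses and entries are placeholders.

```conf
// named.conf (added example; rpz.local and all addresses are placeholders)
options {
    recursion yes;
    response-policy {
        zone "rpz.local";
    } min-ns-dots 1;        // default; skips NSIP/NSDNAME checks on TLD servers
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };  // policy data is consulted internally, never served
};

logging {
    // log rewrites to syslog; logging to a file is what guts throughput
    channel rpz_log { syslog local3; severity info; print-time yes; };
    category rpz { rpz_log; };
};

// rpz.local.db
$TTL 300
@                       IN SOA   localhost. hostmaster.localhost. (
                                 2013071201 3600 900 1209600 300 )
                        IN NS    localhost.
; QNAME triggers: NXDOMAIN for the name and everything below it
malware.example         IN CNAME .
*.malware.example       IN CNAME .
; walled garden instead of NXDOMAIN
phish.example           IN A     192.0.2.1
; IP trigger: any answer containing an address in 203.0.113.0/24
24.0.113.0.203.rpz-ip   IN CNAME .

// Measure: build queries.txt from real query logs, then run it against the
// server with and without the response-policy statement and compare, e.g.
//   queryperf -d queries.txt -s 127.0.0.1 -l 60
```

The comparison is only meaningful if the query file reflects the real name mix, since the working-set point Vernon makes means a synthetic list of never-seen names understates the cost.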


Which Forwarder Does Bind Pick?

2013-07-12 Thread Jiann-Ming Su

In a simple forwarding-only name server config:

options {
    forward first;
    forwarders {
        10.220.0.34;
        10.220.0.38;
    };
};

How does the named process determine when to use one forwarder or both 
forwarders?  I'm sniffing the traffic and on some queries, it goes for the 
first one.  On other queries, it goes for both.  Thanks for any clarification.



Re: Which Forwarder Does Bind Pick?

2013-07-12 Thread Steven Carr
On 12 July 2013 18:44, Jiann-Ming Su  wrote:

> How does the named process determine when to use one forwarder or both
> forwarders?  I'm sniffing the traffic and on some queries, it goes for the
> first one.  On other queries, it goes for both.  Thanks for any
> clarification.
>

BIND will query both. It will then look at the response time and go with
the one with the shortest time for future resolutions. Every so often it
will again send queries to both and check the one it picked before is still
the faster of the two and either stay with it or switch accordingly.

Steve
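To see which forwarder named is currently favouring rather than inferring it from a packet capture, an editor's added example (not from Steven's reply): `rndc dumpdb -all` writes the address database to named's dump file, one line per server address including its measured srtt, and the function below pulls out those lines for the listed forwarders and sorts them fastest first. The excerpt is constructed to match that line shape, not taken from a real server, and only the "; <address> [srtt N]" prefix of each line is relied on; the dump file path in the comment is distribution-dependent.

```shell
# Constructed excerpt in the shape of the "Address database dump" section that
# `rndc dumpdb -all` writes to named's dump file. Not a real dump; only the
# "; <address> [srtt N]" start of each entry line is relied on.
SAMPLE_DUMP=';
; Address database dump
;
; 10.220.0.34 [srtt 2133] [flags 00000000] [edns 0/0/0/0/0] [udpsize 4096] [ttl 1800]
; 10.220.0.38 [srtt 840] [flags 00000000] [edns 0/0/0/0/0] [udpsize 4096] [ttl 1800]
; 192.0.2.53 [srtt 12000] [flags 00000000] [edns 0/0/0/0/0] [udpsize 4096] [ttl 1800]'

# Print "<address> <srtt>" for each listed forwarder, lowest srtt first;
# the first line is the forwarder named currently prefers. Addresses that
# have no entry yet (never contacted) are simply absent from the output.
# Usage (dump path is a placeholder):
#   rndc dumpdb -all
#   forwarder_srtt "$(cat /var/cache/bind/named_dump.db)" 10.220.0.34 10.220.0.38
forwarder_srtt() {
    dump=$1
    shift
    for addr in "$@"; do
        esc=$(printf '%s' "$addr" | sed 's/\./\\./g')   # literal dots in the regex
        printf '%s\n' "$dump" \
          | sed -n "s/^;[[:space:]]*$esc \[srtt \([0-9][0-9]*\)\].*/$addr \1/p"
    done | sort -k2,2n
}
```

The numbers are whatever named prints; the ordering is what matters. Dump again after a few minutes of traffic to see whether the preference has moved, which is the re-probing behaviour Steven describes.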

Re: Reverse Lookups with Forwarders

2013-07-12 Thread Leonard Mills
Sumsum--

Using the technique you document, you will need a zone for each of 
128.100.168.192.in-addr.arpa through 190.100.168.192.in-addr.arpa

Or you might want to serve the entire class C 100.168.192.in-addr.arpa, 
especially if you can get a feed for the zone excluding your portion.

Hope this helps,

Len

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Noel Butler
On Fri, 2013-07-12 at 16:31 +, Vernon Schryver wrote:

> Patches for both of those versions of RPZ speed improvements for some
> BIND9 releases can be with the BIND RRL patches by following the link
> labeled "Patch files for BIND9" on http://www.redbarn.org/dns/ratelimits
> 
> Both of those versions are or will be in official BIND releases.
> I've lost track of which releases have or will have which of those
> two RPZ sets of performance improvements.

9.9.4 will have them

RE: BIND Performance with Huge RPZ

2013-07-12 Thread Arie L. Putra
Hi,

Thanks for the information, really appreciate it,

In qps term, each of my server around 10k qps.

Currently we are just using simple query logging to file, no syslog yet :(

BR,

Arie L. Putra
陈维文

Re: BIND Performance with Huge RPZ

2013-07-12 Thread Vernon Schryver
> From: Noel Butler 

> > BIND9 releases can be with the BIND RRL patches by following the link
> > labeled "Patch files for BIND9" on http://www.redbarn.org/dns/ratelimits
> >
> > Both of those versions are or will be in official BIND releases.
> > I've lost track of which releases have or will have which of those
> > two RPZ sets of performance improvements.
>
> 9.9.4 will have them

Not exactly.
Checking source finds the min-ns-dots speed-up in 9.8.5-P1, 9.9.3-P1,
and 9.9.4b1 and so in 9.9.4.  On the other hand, I think the more
substantial set of RPZ speed improvements for multiple policy zones
is in none of those and so will not be in 9.9.4.  My bet would be
on 9.10 along with client IP address triggers and "drop" and
"truncate" actions.  I think the multiple zone speed-up is in the
subscription-only 9.9.4-S and so will be in 9.9.4-S1.


Vernon Schryver    v...@rhyolite.com