On Tue, 4 Jan 2011 06:18:55 -0800 (PST) John Hardin <jhar...@impsec.org> wrote:
[DFS says all queries should be to authoritative name servers to avoid cache blowouts.]

> You can't compare them. The nature of the queries is vastly different
> - the root nameservers only get queries like "where are the
> authoritative DNS servers for impsec.org?"

Well. I ran a little experiment.

I took a day's worth of logs from our small non-busy mail server and looked at all the incoming mail. Spamhaus appears to use a 15-minute TTL on its DNS records. I wrote a script that would tell me how many cache hits I would get if I were using a DNSBL with a 15-minute TTL. (Perl script appended, but it only works on Sendmail logs using rsyslog's new RSYSLOG_FileFormat format.)

On our mail server, we received 1449 inbound SMTP connections in one day. Of those, 974 would not have hit the DNS cache, either because they hadn't been seen before or because 15 minutes had passed since the last sighting. There were 475 cache hits. So disabling caching altogether would have increased my load on the authoritative servers by about 50%.

I took a look at a somewhat busier mail server with 165,149 SMTP connections/day. If that had been using a DNSBL with a 15-minute TTL, there would have been only 36,158 hits and 128,991 misses. Doing authoritative-only queries would increase the load by only ~30%.

In summary, I believe DNS caching is basically *useless* for any site small enough to use Spamhaus for free. And any very large site is probably large enough to deserve an rsync feed.

Regards,

David.
#================ CUT HERE ======================
#!/usr/bin/perl
# Simulate DNSBL cache hits and misses from a Sendmail log written in
# rsyslog's RSYSLOG_FileFormat, assuming the DNSBL records carry a
# 15-minute TTL. Reads the log on stdin or from the files named on the
# command line; prints one HIT/MISS line per inbound SMTP connection.
use strict;
use warnings;
use Time::Local;

# relay IP => unix time at which its (simulated) cache entry was created
my %last_seen;

while (<>) {
    # RFC 3339 timestamp at the start of the line, then the Sendmail
    # "from=" record for an inbound connection; capture the client IP.
    my ($y, $m, $d, $h, $min, $sec, $relay) =
        /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2}).*daemon=MTA, relay=.*\[(\d+\.\d+\.\d+\.\d+)\]/;
    next unless defined($relay);        # not an inbound-connection line
    next if ($relay eq '127.0.0.1');    # local submissions aren't looked up

    my $unixtime = timelocal($sec, $min, $h, $d, $m - 1, $y);

    if (!exists($last_seen{$relay})) {
        print "MISS for $relay: new entry\n";
        $last_seen{$relay} = $unixtime;
    }
    elsif ($unixtime - $last_seen{$relay} > 15*60) {
        my $secs = $unixtime - $last_seen{$relay};
        print "MISS for $relay: last seen $secs seconds ago\n";
        $last_seen{$relay} = $unixtime;
    }
    else {
        print "HIT for $relay\n";
        # Don't update $last_seen because DNS server would not increase TTL
    }
}
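The same cache simulation, written as an added example (not David's script and not part of the original thread), in Python rather than Perl. It generalises the experiment to a sweep over several TTLs and reports, for each, the fractional increase in queries that would reach the authoritative servers if caching were switched off, i.e. the figure the post derives by hand (1449/974 is roughly a 50% increase). The log lines are constructed to look like Sendmail "from=" records under rsyslog's RSYSLOG_FileFormat; they are not real traffic. The parser honours the numeric UTC offset in the timestamp, which the Perl script passes over by feeding the wall-clock fields to timelocal; names such as ttl_sweep and SAMPLE_LOG are this example's own.

```python
"""Simulate DNSBL cache hit rates from Sendmail/rsyslog logs at several TTLs."""
import ipaddress
import re
from datetime import datetime

# A Sendmail "from=" line as written by rsyslog's RSYSLOG_FileFormat:
# RFC 3339 timestamp (optional fraction, numeric offset or Z), then the
# daemon=MTA, relay=host [ip] fields that identify the SMTP client.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(?P<tz>Z|[+-]\d{2}:\d{2})"
    r".*\bdaemon=MTA, relay=.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_line(line):
    """Return (epoch_seconds, client_ip) for an inbound-connection line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    tz = "+00:00" if m.group("tz") == "Z" else m.group("tz")
    when = datetime.fromisoformat(m.group("date") + tz)  # offset-aware
    ip = ipaddress.ip_address(m.group("ip"))
    if ip.is_loopback:  # local submissions are never looked up in a DNSBL
        return None
    return when.timestamp(), str(ip)


def simulate_cache(events, ttl):
    """Count cache hits and misses for a DNSBL whose records carry `ttl` seconds.

    events: iterable of (epoch_seconds, ip) in time order.
    A miss inserts the answer with an expiry of now + ttl.  A hit does NOT
    extend the expiry: a resolver only refreshes a record when it re-queries
    the authoritative server, so a client seen every 5 minutes still costs
    one authoritative query per TTL period.
    """
    expires = {}
    hits = misses = 0
    for now, ip in events:
        if ip in expires and now < expires[ip]:
            hits += 1
        else:
            misses += 1
            expires[ip] = now + ttl
    return hits, misses


def ttl_sweep(lines, ttls):
    """Map each TTL to (hits, misses, extra_load).

    extra_load is the fractional increase in authoritative-server queries if
    caching were disabled: total queries / queries already reaching the
    authority, minus 1.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    results = {}
    for ttl in ttls:
        hits, misses = simulate_cache(events, ttl)
        total = hits + misses
        extra = (total / misses - 1.0) if misses else 0.0
        results[ttl] = (hits, misses, extra)
    return results


# Constructed sample log (not real traffic).  The "to=" delivery line and the
# loopback submission are there to show what the parser ignores; the client
# 192.0.2.10 returning at 06:20 shows that the 06:05 hit did not extend the
# entry created at 06:00, so with a 15-minute TTL it misses again.
SAMPLE_LOG = """\
2011-01-04T06:00:00.000000-08:00 mx sm-mta[4001]: p04E0000004001: from=<a@example.com>, size=1200, proto=ESMTP, daemon=MTA, relay=mta.example.com [192.0.2.10]
2011-01-04T06:05:00.000000-08:00 mx sm-mta[4002]: p04E5000004002: from=<b@example.com>, size=900, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
2011-01-04T06:07:00.000000-08:00 mx sm-mta[4001]: p04E0000004001: to=<u@example.net>, delay=00:00:02, mailer=local, stat=Sent
2011-01-04T06:10:00.000000-08:00 mx sm-mta[4003]: p04EA000004003: from=<c@example.org>, size=3400, proto=ESMTP, daemon=MTA, relay=relay.example.org [198.51.100.7]
2011-01-04T06:20:00.000000-08:00 mx sm-mta[4004]: p04EK000004004: from=<d@example.com>, size=700, proto=ESMTP, daemon=MTA, relay=mta.example.com [192.0.2.10]
2011-01-04T06:25:00.000000-08:00 mx sm-mta[4005]: p04EP000004005: from=<e@example.com>, size=650, proto=ESMTP, daemon=MTA, relay=mta.example.com [192.0.2.10]
2011-01-04T06:30:00.000000-08:00 mx sm-mta[4006]: p04EU000004006: from=<root@localhost>, size=300, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
2011-01-04T06:40:00.000000-08:00 mx sm-mta[4007]: p04Ee000004007: from=<f@example.org>, size=2100, proto=ESMTP, daemon=MTA, relay=relay.example.org [198.51.100.7]
"""

if __name__ == "__main__":
    for ttl, (hits, misses, extra) in ttl_sweep(SAMPLE_LOG.splitlines(), (0, 900, 3600)).items():
        print(f"TTL {ttl:5d}s: {hits} hits, {misses} misses, "
              f"authoritative load +{extra:.0%} if caching were disabled")
```

To run it against a real log, replace SAMPLE_LOG.splitlines() with the lines of the maillog; because every client's first query is a miss, extra_load can only reach large values when the same clients keep returning inside one TTL period, which is exactly what the post's numbers say does not happen on a small site.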