> if you are trying to insult people at all costs

> really?

> you would recognize it when I intend to do so

Please read your previous reply again. You will find that you used a very harsh tone against someone who comes here asking questions in a reasonable and moderate tone. Yes - maybe I *am* doing something wrong - that's even likely, since otherwise I'd not be the first to find such an issue in such widely used software. But I expect the same reasonable tone in the answers to my question as I use in writing my questions.

> *any* experienced mail admin out there has a local recursive nameserver
> on his MTA or at least somewhere in his LAN to use a central local cache,
> but only you can't do it?

I am - it's the very same setup you describe that I'm using. The only difference is that I do not rely on a dedicated DNS resolver I set up myself, but on the centralized nameserver of my ISP, which works exactly like any nameserver I'd set up myself.

However, the intended setup with exemptions, defined by empty forwarders for the DNSBL zones, was not my idea - this scenario is described on the SA wiki as a working solution: http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems not to be working, so I'm turning to this ML to find out why.

> you should read and
> understand their posts in full before doing so at least, to not look
> like a jackass in addition to an impolite person.

> obviously it doesn't work

That's right - so let's work out the reasons for it and not fight against each other. This setup is described in the official SA wiki and is not working. So let's improve this public resource together.

What I wrote is:

>> ... but created the exemptions as listed at the very bottom of that
>> site, to make sure my bind doesn't forward requests on these services
>> to my ISP's DNS ...

> but it does forward, otherwise the problem would be solved

You are right. I double-checked in the meantime (and waited for some spam to arrive) by disabling forwarding completely. It does work then. I do not and did not doubt this - but the issue remains: I'd still like to forward all of my requests to take advantage of my ISP's DNS caches. But those queries to the DNSBL zones should, as an exception, be resolved by my local recursive nameserver.

Why is the example in the SA wiki not working?

> and *no* the ISP nameserver is *not* a lot faster in most cases

Also, you shouldn't make assumptions without measuring:

1. without forwarding:

;; Query time: 543 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

2. with forwarding to my ISP's servers:

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

That's 271 times faster than the root servers' lookup.

> *lol* yes, the second hit is already in your local cache when you don't
> clear it before; you never ever have 2 ms with a forwarding resolver on
> the internet asked - never ever!

> for *that* one specific request, if you have the luck that it's in his cache,
> it *can* be faster; otherwise the ISP would need to do the whole
> recursion itself and then answer to your cache with one additional hop

> what you also ignore is the fact that you get the lowered TTL depending
> on how old the cache entry on the forwarder is, while your own cache entry
> with recursion would be valid for the whole TTL of the SOA

> in other words: you don't look at the whole picture

I do - and you are right with what you described. But none of what you mentioned is important for my setup and specific application. Fast resolution and a huge DNS cache are. I know that those aren't the times achieved when my ISP's DNS servers initiate a recursive query for the data, but only when they deliver what they already have cached. But that is OK for me. I only need this cached data. If I did the recursive resolution on my own, not only would my initial queries take quite a long time compared to those my ISP does, but I would also "waste" a lot of resources needed to provide these caches on my own servers. My setup simply isn't big enough to reasonably dedicate a box of its own, or to use the resources of my application host, only to provide nearly the same thing my ISP already serves.

> anyways 543 msec is high
>
> ;; Query time: 121 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Di Sep 15 13:27:59 CEST 2015
> ;; MSG SIZE  rcvd: 57

That's correct, and one of the reasons I'd like to rely on my ISP's data, since changing this is out of my hands.

Best regards,
Marc
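The setup under discussion, a BIND resolver that forwards everything to the ISP except the DNSBL zones, written out as an added example that is not part of the original message and not the SA wiki's own text. The ISP resolver addresses (192.0.2.53, 192.0.2.54, from the documentation range) and the LAN prefix are placeholders, and the two zone names stand in for whatever DNSBL zones the local SpamAssassin rules actually query:

```conf
// named.conf fragment (added example; addresses and zone list are placeholders)
options {
    directory "/var/cache/bind";
    recursion yes;

    // Only the MTA host and the local network may use this cache;
    // an open recursive resolver is both an abuse vector and, for
    // many DNSBL operators, a reason to refuse or blank their answers.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };

    // Global forwarding: every name not matched by a more specific
    // forward zone below is sent to the ISP's resolvers.
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder ISP resolvers
    forward only;
};

// Exemptions: a forward zone with an EMPTY forwarders list overrides the
// global list for that name and everything below it, so these lookups are
// resolved by full recursion from the root servers with this host's own
// source address instead of being forwarded to the ISP.
zone "zen.spamhaus.org" {
    type forward;
    forwarders { };
};

zone "bl.spamcop.net" {
    type forward;
    forwarders { };
};
```

Two checks belong with this configuration: `named-checkconf` before reloading catches a syntax slip such as a missing semicolon after `forwarders { }`, and watching outbound UDP/TCP port 53 traffic on the resolver host (for example with tcpdump) while a DNSBL lookup is made shows whether the query leaves toward the placeholder ISP addresses or toward the zone's own nameservers, which is the direct way to tell whether an exemption is actually being honoured rather than inferring it from query times.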
