DNS - connection limit (without any extra hardware)
simonw at zynet.net
Mon Dec 11 17:29:21 UTC 2006
On Monday 11 December 2006 16:15, you wrote:
> > I used to slave "." which can save time on recursive DNS servers when they
> > a lot of dross to answer (assuming it is totally random dross).
> I'm not sure I understand your solution.
> You configure your name-server as a slave-root-server?
Yes. Most of the root server traffic is answering queries with "NXDOMAIN" for
non-existent top level domains; if you slave root on your recursive servers,
your recursive servers can answer those queries directly (from the 120KB root
zone file), rather than relying on negative caching, and a round trip to the
root servers, for every new non-existent domain.
The drawback is you provide the answer with the authority bit set, which isn't
what the world's DNS clients should expect, but DNS clients don't care about
that one bit (sorry).
If the root zone file changed quickly it might also cause other problems!
Paul V was very cautious about it as a method of running a DNS server, but if
the recursive servers are being barraged with queries for (different)
non-existent top level domains I think it is probably preferable to the
servers being flattened (and/or passing that load onto the root name
If the queries are for existing, or the same, domains each time, it won't
provide significant improvement.
I suppose any server issuing more than 2000 or so queries a day to the root
servers would potentially save bandwidth, and provide a more responsive
experience for the end user. But one also has to handle the case of the root
zone potentially expiring, not something I ever allowed to happen, but then
I'm not the average DNS administrator.
I've used this technique extensively myself in the past with no issues, but
I'm not using it operationally at the moment. Since the load average on our
DNS server is 0.00 to two decimal places I doubt it would make a lot of
difference, and we host websites, and email, not randomly misconfigured,
home, or business user PCs. So mostly we do lookups in in-addr.arpa, a
depressingly large proportion of which fail, or look-ups for a small set of
servers we forward email to (most of which exist, or I delete the forward).
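The configuration the post describes, as an added BIND named.conf example (not the author's own config): a plain slave copy of "." beside the later BIND 9.14+ "mirror" zone type, which addresses the two caveats raised above (answers carrying the AA bit, and the whole resolver dying if the root copy expires). The master addresses in the first block are placeholders, not real transfer servers.

```conf
// Added example, not from the original mail.
//
// (1) What the post describes: slave "." on the recursive server.
//     Queries for non-existent TLDs are answered from the local copy,
//     but the answers carry the AA bit, and if transfers keep failing
//     past the SOA EXPIRE time the zone goes dead and the server can
//     no longer resolve anything at all.
zone "." {
    type slave;                  // spelled "secondary" on newer BIND
    file "slave/root.zone";
    masters {
        192.0.2.10;  // PLACEHOLDER: substitute the published root-zone AXFR servers
        192.0.2.11;  // PLACEHOLDER
    };
    notify no;
};

// (2) BIND 9.14+ "mirror" zone: same bandwidth/latency benefit, but the
//     transferred zone is DNSSEC-validated before use, answers are served
//     without the AA bit, and if the transfer fails or the copy expires
//     the resolver falls back to ordinary recursion instead of going dark.
//     BIND ships a built-in list of root-zone transfer servers for ".",
//     so no masters/primaries stanza is needed here.
zone "." {
    type mirror;
};
```

Use only one of the two zone stanzas in a given view. `rndc zonestatus .` reports the loaded serial and expiry so the "root zone expired" case the post warns about can be monitored rather than discovered the hard way.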