DNS - connection limit (without any extra hardware)

Simon Waters simonw at zynet.net
Mon Dec 11 17:29:21 UTC 2006

On Monday 11 December 2006 16:15, you wrote:
> > I used to slave "." which can save time on recursive DNS servers when they 
> > have a lot of dross to answer (assuming it is totally random dross).
> I'm not sure I understand your solution.
> You configure your name-server as a slave-root-server?

Yes. Most of the root server traffic is answering queries with "NXDOMAIN" for 
non-existent top level domains, if you slave root on your recursive servers, 
your recursive servers can answer those queries directly (from the 120KB root 
zone file), rather than relying on negative caching, and a round trip to the 
root servers, for every new non-existent domain.

The drawback is you provide the answer with the authority bit set, which isn't 
what the world's DNS clients should expect, but DNS clients don't care about 
that one bit (sorry).

If the root zone file changed quickly it might also cause other problems!

Paul V was very cautious about it as a method of running a DNS server, but if 
the recursive servers are being barraged with queries for (different) 
non-existent top level domains I think it is probably preferable to the 
servers being flattened (and/or passing that load onto the root name 

If the queries are for existing, or the same, domains each time, it won't 
provide significant improvement.

I suppose any server issuing more than 2000 or so queries a day to the root 
servers would potentially save bandwidth, and provide a more responsive 
experience for the end user. But one also has to handle the case of the root 
zone potentially expiring, not something I ever allowed to happen, but then 
I'm not the average DNS administrator.

I've used this technique extensively myself in the past with no issues, but 
I'm not using it operationally at the moment. Since the load average on our 
DNS server is 0.00 to two decimal places I doubt it would make a lot of 
difference, and we host websites, and email, not randomly misconfigured, 
home, or business user PCs. So mostly we do lookups in in-addr.arpa, a 
depressingly large proportion of which fail, or look-ups for a small set of 
servers we forward email to (most of which exist, or I delete the forward).
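For readers who want to see what the configuration described in this message looks like, here is an added example (not from the original post or from anyone on the list) of a BIND 9 named.conf fragment that slaves "." on a recursive server. The master addresses are placeholders, not real root servers; the file name and the surrounding options are assumptions, and the comments summarise the caveats raised above (the AA bit on answers, and the zone expiring if transfers stop).

```conf
// Added example: slaving the root zone on a recursive BIND 9 server.
// Everything below the options block is the relevant part; the addresses
// are placeholders and must be replaced with servers that actually permit
// AXFR of "." to you.

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; };
};

zone "." {
    type slave;
    file "root.zone";           // on-disk copy, ~120KB as noted above
    masters {
        192.0.2.1;              // PLACEHOLDER (TEST-NET-1), not a root server
        2001:db8::1;            // PLACEHOLDER (documentation prefix)
    };
    notify no;                  // never send NOTIFY about "." to anyone
    allow-transfer { none; };   // do not become an AXFR source for "."
    allow-query { localnets; }; // only your own resolvers need this data
    // Caveat 1: answers for non-existent TLDs now carry the AA bit, since
    //           this server believes it is authoritative for ".".
    // Caveat 2: if every master becomes unreachable for longer than the
    //           SOA expire time of the root zone, BIND stops serving the
    //           zone and the server returns SERVFAIL for *everything*,
    //           so monitor the transfer age (e.g. the file mtime or the
    //           SOA serial) rather than only the zone's presence.
};
```

On BIND 9.14 and later the same idea is available with `type mirror;` in place of `type slave;` (the mechanism standardised in RFC 8806). A mirror zone is DNSSEC-validated before use, is not treated as authoritative (so the AA bit problem goes away), and the server falls back to ordinary recursion toward the real root servers if the transfer or validation fails, which removes the expiry failure mode described in the comments above.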

More information about the NANOG mailing list