Caching resolver and options rotate
Chris Buxton
cbuxton at menandmice.com
Sat May 17 02:22:29 UTC 2008
On May 16, 2008, at 9:43 PM, Brent Jones wrote:
> On Fri, May 16, 2008 at 4:58 PM, Chris Buxton
> <cbuxton at menandmice.com> wrote:
>> Assuming your caching resolver is a BIND name server, it will
>> ignore resolv.conf.
>>
>> BIND 9.3 and later will use the RTT algorithm when choosing between
>> forwarders. It sounds like you're planning to use forwarders, as in:
>>
>> options {
>> [... other statements ...]
>> forwarders { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
>> };
>>
>> You may find it better, however, not to use forwarding at all - to
>> use your DNS server as the final recursion server, instead of
>> passing the buck upstream to your ISP. That way, you don't depend on
>> the stability and security of their name servers for anything. (If
>> you do decide to use forwarding, you should be absolutely sure that
>> your ISP's name servers run a current version of BIND 9 rather than
>> BIND 8, or a current version of MS DNS rather than MS DNS before
>> about Win2K3 SP1, before you set up forwarding. Otherwise, bad
>> things can come of forwarding, relating to DNS cache poisoning, and
>> therefore pharming attacks.)
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>
> The reason to make this caching server was to alleviate load from
> our upstream DNS. They told us we alone are stressing their current
> DNS servers, and to be respectful we were going to have an internal
> caching DNS that would use them upstream for queries we haven't
> cached. We would still use their 4 NS's, but alleviate a lot of the
> queries going upstream, and bring response time lower for ourselves.
>
> Wouldn't using root servers directly just add to the burden of the
> root servers?
No, for two reasons.
Number one is, there are a lot more root servers out there than there
are resolvers at your ISP. I don't have the exact count, but due to
anycast, the number is up around 100. And that's just the load
balancers - there are several times that many actual authoritative
name servers behind those load balancers.
Also, there's a significant difference in processing power required to
process a recursive query vs. an iterative query. You would be sending
occasional iterative queries to the root servers, whereas you have
been sending (apparently) a constant and heavy stream of recursive
queries to your ISP's resolvers.
Your ISP doesn't forward queries upstream; they resolve them
recursively. The root servers do not handle the heavy lifting of DNS
resolution (the job of recursion); they answer simple iterative
requests from resolvers such as those provided by your ISP.
By not forwarding to your ISP, you would be shifting the bulk of the
work to your own server(s). It sounds like your ISP would prefer this.
Chris Buxton
Professional Services
Men & Mice
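The recursive-versus-iterative distinction above is a single bit in the DNS header: a stub client sets RD (Recursion Desired) and expects the server to do all the work, whereas a resolver walking the tree sends queries with RD clear and gets referrals back, and an authoritative server such as a root server replies with RA (Recursion Available) clear. The following Python script is an added example, not code from this thread or from BIND; it builds raw query messages both ways, decodes the header bits, and stamps a response header the way a non-recursive server would. The query name and transaction ID are constructed sample values, and nothing is sent on the wire.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR = 0x8000  # 1 = response, 0 = query
RD = 0x0100  # recursion desired, set by stub clients and forwarders
RA = 0x0080  # recursion available, set by recursive servers, clear on roots


def encode_qname(qname):
    """Encode a dotted name as DNS labels: www.example.com. -> \\x03www\\x07example\\x03com\\x00"""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, rd=True, txid=0x1234):
    """Build a DNS query for qname (QCLASS IN). rd=True is what a stub or a
    forwarding server sends upstream; rd=False is what a resolver sends to
    the root servers while iterating."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def decode_header(msg):
    """Pull apart the 12-byte header into named fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def decode_qname(msg, offset=12):
    """Decode the uncompressed question name; return (name, next_offset)."""
    labels = []
    while True:
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset


def classify(msg):
    """Say which side of the recursion split a message is on."""
    h = decode_header(msg)
    if h["qr"]:
        return "response"
    return "recursive query" if h["rd"] else "iterative query"


def response_header(query, recursion_available):
    """Turn a query into a response header the way a server does: copy the
    ID, set QR, and advertise RA only if the server will recurse. A root
    server leaves RA clear; a caching resolver sets it for its clients."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= QR
    if recursion_available:
        flags |= RA
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + query[12:]


if __name__ == "__main__":
    stub = build_query("www.example.com.", rd=True)       # client -> caching resolver
    walk = build_query("www.example.com.", rd=False)      # caching resolver -> root
    for label, m in (("stub", stub), ("walk", walk)):
        print(label, classify(m), decode_qname(m)[0], decode_header(m))
    print("root reply", decode_header(response_header(walk, False)))
```

The RD bit is why forwarding to the ISP is the expensive option for them: every forwarded query carries RD=1 and obliges their server to run the whole iteration, while the queries a local resolver sends to the roots carry RD=0 and cost the root only a referral lookup.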