tcp limitations

Brad Knowles brad.knowles at skynet.be
Tue Jun 12 09:15:26 UTC 2001


At 9:50 AM +0200 6/12/01, Guy Pazi wrote:

>  and to the question: What is the scale of concurrent tcp connections a dns
>  server can support? ~1000? ~100000?

	This would depend greatly on a number of factors which I don't 
think anyone has begun to consider.  I know that large-scale web 
servers can handle into the multiple tens of thousands of TCP 
connections, because we did just this during the time I worked at 
AOL.  However, the application is totally different, and a nameserver 
might be able to handle many more or many fewer total simultaneous 
connections.

>  Of course it depends on the servers capabilities, so lets take the root
>  servers for measurement. To my knowledge, root servers handle 5-10k
>  queries/sec and probably capable of many more.

	Currently, I believe that the peak is closer to 2-3k per second, 
but Rick Jones has done some benchmarking to show that a properly 
configured single machine should be scalable up to as high as 12,000 
queries per second.

>                                                  Will a root server answer 10k
>  TCP queries/sec?

	No.  Absolutely not.  99.9999999% of all DNS queries are purely 
UDP, although this percentage is reducing as more and more sites make 
use of things like DNSSEC, having too many MXes advertised, etc... 
and cause truncation of the UDP response, which should then be 
restarted with TCP.


	Of course, note that we recently discussed on this list that 
TinyDNS does not support doing TCP by default, so odds are that you 
will not be able to reach any sites that are running TinyDNS.

	Of course, probably at least ten or a hundred times more sites 
block TCP to port 53 at their firewalls than run TinyDNS, so you 
would be totally unable to access those sites, too.  This would 
include ASP and e-mail outsourcing companies like Critical Path, one 
of the busiest e-mail sites in the world (they handle mail for 
mac.com, for example).  Also note that hotmail.com blocks port 53 
TCP.  As does MSN.  Indeed, the only extremely large site I know of 
that *doesn't* stupidly block TCP to port 53 is AOL.

	I strongly suspect that you are simply going to have to give up 
the idea of blocking all UDP traffic -- it's just not practical.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
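The truncate-then-retry mechanism Brad describes above (a UDP reply with the TC bit set, restarted over TCP, and what happens when TCP/53 is filtered) as an added worked example. This is not code from the post or from BIND; it builds and parses RFC 1035 messages by hand and uses constructed stand-in transports (fake_udp, fake_tcp, blocked_tcp are hypothetical names; example.com and the documentation address 192.0.2.1 are constructed inputs) so it runs offline. In a real resolver the two callables would wrap a UDP socket and a TCP connect to port 53.

```python
import struct

# RFC 1035 header flag bits (constants written here, not from the original post)
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: UDP reply did not fit, retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=1, qclass=1):
    """Standard query: 12-byte header, one question (default: A/IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP each message carries a 2-byte big-endian length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    if len(stream) < 2:
        raise ValueError("short TCP DNS frame")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("short TCP DNS frame")
    return stream[2:2 + n]


def skip_name(msg, off):
    """Advance past a name, handling both labels and a compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def a_records(msg):
    """Return the IPv4 addresses in the answer section of a response."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    out = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return out


def resolve(query, udp_send, tcp_send):
    """Send over UDP; if the reply has TC=1, resend the same query over TCP."""
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not hdr["tc"]:
        return reply, "udp"
    try:
        stream = tcp_send(tcp_frame(query))
    except OSError:
        # TCP/53 filtered at the far end (the failure mode the post describes):
        # all the client can ever get is the truncated UDP answer.
        return reply, "udp-truncated"
    return tcp_unframe(stream), "tcp"


# ---- constructed stand-in server side (hypothetical, for the offline demo) ----

def make_response(query, truncated, answers=()):
    txid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    rrs = b""
    for ip in answers:  # name = pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) \
            + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + query[12:] + rrs


def fake_udp(query):                 # server answers over UDP but must truncate
    return make_response(query, truncated=True)


def fake_tcp(frame):                 # same server over TCP, full answer
    return tcp_frame(make_response(tcp_unframe(frame), False, ["192.0.2.1"]))


def blocked_tcp(frame):              # firewall drops TCP/53
    raise ConnectionRefusedError("tcp/53 filtered")


def demo():
    q = build_query(0x1234, "example.com.")
    full, via = resolve(q, fake_udp, fake_tcp)
    trunc, via2 = resolve(q, fake_udp, blocked_tcp)
    return via, a_records(full), via2, parse_header(trunc)["ancount"]


if __name__ == "__main__":
    print(demo())
```

The second call in demo() is the case the post warns about: the UDP answer is truncated, the TCP retry is refused, and the client is left with a response carrying no answer records at all.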

