SV: BIND 9.1.2 and TinyDNS???

Matt Simerson mpsimerson at hostpro.com
Wed Jun 20 00:23:55 UTC 2001


> -----Original Message-----
> From: Markus Stumpf [mailto:maex-bind-users at Space.Net]
> Sent: Tuesday, June 19, 2001 3:20 PM
> To: Brad Knowles
> Cc: Johnny Damtoft; 'Adam Lang'; ISC DNS (E-mail)
> Subject: Re: SV: BIND 9.1.2 and TinyDNS???
> 
> On Tue, Jun 12, 2001 at 11:02:46AM +0200, Brad Knowles wrote:
> > problem.  IMO, most of the time, things like core dumps are a result 
> > of old code, for which bugs have since been found and fixed.
> 
> We had problems with all bind versions 4.x and 8.x when they hit the
> memory limit. These versions have no mechanism to expire/remove records
> from the cache and simply die.
> Dunno about bind 9.x though.

I do. Since BIND 9 actually performs faster than BIND 8 that means that I
can crash a caching BIND 9 server faster than a BIND 8 server. :-P  I've
been testing with BIND 9.1.2. Folks will argue that you need to add more RAM
to your name server but that's a lame excuse for BIND's lack of memory
management. You can't stuff in enough RAM to cache the entire dns and thus
you cannot have enough RAM to prevent BIND from being subject to DoS attacks
by simply issuing valid queries to it.

Don't forget what happens if BIND ever does start swapping.... it never
stops because it will never relinquish memory that it claims. 

> There are 2 solutions to this problem:
> - put more memory in the machine

I would argue that this isn't a solution, it's a band-aid[TM]. To make it a
solution you need to:

   - put more memory in the machine
   - run BIND as a supervised process so that it gets restarted when it
crashes. (see daemontools)
   - Monitor the system so that if BIND ever starts swapping you can restart
it.

I'm looking at this from two perspectives. On one hand I'm working on one of
the largest authoritative name server arrays in the world, hosting several
hundred thousand zones (we've sucked the icann tld zone files into SQL
databases to gather all sorts of fun stats) and answering over 10 million
queries per hour. You'd be amazed how many gigs of RAM a bind server can
waste on a caching name server.

On the other hand, I don't want to monitor every BIND server I ever build. I
set up firewalls, mail servers, and web servers for all sorts of companies.
Almost all of them have a DNS cache and many a DNS server. I tell them how
to monitor the systems but we all know how much attention those don't get.
Until BIND gets some cache management, I don't consider it usable as a
caching name server and won't use it for anything but authoritative serving.

> - use dnscache. It replaces cached records on a fifo basis if 
>   it runs out of memory.

Yup, it works faster, runs supervised, and I haven't been able to crash it
yet.

Matt
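The supervise-and-monitor approach from the list above, as an added example that is not code from the post or from ISC: a watchdog pass that reads the process table, measures the resident size of the named process and, if it has grown past a ceiling, asks daemontools' svc to restart the supervised service. It uses RSS growth as a portable proxy for "about to swap"; the service directory /service/named and the 512 MB ceiling are assumptions.

```shell
#!/bin/sh
# Hypothetical watchdog for a caching named (added example, not from the
# original post). Run with "--run" to perform one live check; wire it into
# cron or a supervised loop. Assumed: daemontools layout and a 512 MB cap.

NAMED_SERVICE="${NAMED_SERVICE:-/service/named}"   # assumed supervise dir
RSS_LIMIT_KB="${RSS_LIMIT_KB:-524288}"              # assumed ceiling (kB)

# named_rss_from_listing: read a "pid rss comm" listing on stdin and print
# the largest RSS (kB) of any process whose command is "named"; 0 if none.
named_rss_from_listing() {
    awk '$3 ~ /(^|\/)named$/ && $2+0 > max { max = $2+0 } END { print max+0 }'
}

# should_restart RSS LIMIT: true (exit 0) when RSS is strictly above LIMIT.
should_restart() {
    [ "$1" -gt "$2" ]
}

# check_named: one pass against the live process table. Returns 1 when a
# restart was requested so a calling loop can log or alert on it.
check_named() {
    rss=$(ps axo pid=,rss=,comm= | named_rss_from_listing)
    if should_restart "$rss" "$RSS_LIMIT_KB"; then
        echo "named RSS ${rss}kB exceeds ${RSS_LIMIT_KB}kB, restarting" >&2
        # svc -t sends TERM; supervise brings named back up automatically.
        svc -t "$NAMED_SERVICE"
        return 1
    fi
    return 0
}

if [ "${1-}" = "--run" ]; then
    check_named
fi
```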
