SV: BIND 9.1.2 and TinyDNS???
Brad Knowles
brad.knowles at skynet.be
Wed Jun 20 12:13:10 UTC 2001
At 6:23 PM -0600 6/19/01, Matt Simerson wrote:
> Folks will argue that you need to add more RAM
> to your name server but that's a lame excuse for BIND's lack of memory
> management. You can't stuff in enough RAM to cache the entire dns and thus
> you cannot have enough RAM to prevent BIND from being subject to DoS attacks
> by simply issuing valid queries to it.
If you run the externally accessible nameserver(s) as
non-recursive/non-caching, either on physically separate machines
(the easiest and best way to do the job), or using the BIND 9 "views"
mechanism, then this shouldn't be a problem.
Otherwise, you're mis-managing the machine and the system.
If you've got an internal-only caching/recursive-only nameserver
that is still running out of memory, then you've got a real problem.
This stuff doesn't get cached without a reason, so even if you had a
mechanism for causing LRU data to be thrown away (once a certain
memory limit had been reached), you'd simply cause a situation where
this information would probably need to be re-queried from the
Internet.
Thus, instead of doing swapping/paging thrashing, you'd be doing
data thrashing. However, the difference is that as you re-query for
that information, you'd be bottlenecked not on going to local disk,
but instead by going to remote sites on the Internet. If there's
*ANYTHING* that is slower than local disk latencies (which are
usually measured in milliseconds), it has to be Internet latencies
(which are frequently measured in tens or hundreds of milliseconds).
Therefore, this is most definitely a false economy.
IMO, the only potentially useful purpose for this kind of a limit
on a nameserver would be to prevent a runaway process from taking
over the whole machine, or preventing some sort of DoS attack that
causes data to be looked up and never forgotten (due to excessively
long TTLs) from taking over all the memory on the machine. And even
then, what will happen is that the system will be slowed down under
circusmtances like this, and perhaps slowed down sufficiently that it
might as well have stopped.
In situations like this, it's been my experience that it's better
to have the system outright stop, get noticed, and then get fixed,
than it is to have it silently continue to try to function in the
face of impossible circumstances, and fail to do the real job it
needs to be doing.
> On the other hand, I don't want to monitor every BIND server I ever build. I
> set up firewalls, mail servers, and web servers for all sorts of companies.
> Almost all of them have a DNS cache and many a DNS server. I tell them how
> to monitor the systems but we all know how much attention those don't get.
> Until BIND gets some cache management, I don't consider it usable as a
> caching name server and won't use it for anything but authoratative serving.
As stated above, the kind of "cache management" you're talking
about is a false economy at best. It's an attempt to place a
technical solution on either a mis-configured and mis-managed
nameserver, or to try to place unrealistic limitations on a server
under a DoS attack that it cannot reasonably satisfy and continue to
actually get its job done.
Worse, I believe that this sort of control is likely to mask the
real problem, until the problem gets so bad that there is no
possibility of being able to fix it. If the problem came to the
knowledge of the admins sooner, then perhaps they might have had a
chance.
Might as well hold canisters of propane in reserve, in case you
ever get into a situation where you need to fight a fire. Then, if
you do, you can throw them in and help make the fire a lot larger,
and then it's no longer your problem.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
More information about the bind-users
mailing list