Caching resolver and options rotate

Chris Buxton cbuxton at menandmice.com
Sat May 17 02:22:29 UTC 2008


On May 16, 2008, at 9:43 PM, Brent Jones wrote:
> On Fri, May 16, 2008 at 4:58 PM, Chris Buxton  
> <cbuxton at menandmice.com> wrote:
> Assuming your caching resolver is a BIND name server, it will  
> ignore resolv.conf.
>
> BIND 9.3 and later will use the RTT algorithm when choosing between  
> forwarders. It sounds like you're planning to use forwarders, as in:
>
> options {
>        [... other statements ...]
>        forwarders { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
> };
>
> You may find it better, however, not to use forwarding at all - to  
> use your DNS server as the final recursion server, instead of  
> passing the buck upstream to your ISP. That way, you don't depend on  
> the stability and security of their name servers for anything. (If  
> you do decide to use forwarding, you should be absolutely sure that  
> your ISP's name servers run a current version of BIND 9 rather than  
> BIND 8, or a current version of MS DNS rather than MS DNS before  
> about Win2K3 SP1, before you set up forwarding. Otherwise, bad  
> things can come of forwarding, relating to DNS cache poisoning, and  
> therefore pharming attacks.)
>
> Chris Buxton
> Professional Services
> Men & Mice
>
>  The reason to make this caching server was to alleviate load from  
> our upstream DNS; they told us we alone are stressing their current  
> DNS servers, and to be respectful we were going to have an internal  
> caching DNS that would use them upstream for queries we haven't  
> cached. It would still use their 4 NS's, but alleviate a lot of the  
> queries going upstream, and bring response time lower for ourselves.
>
> Wouldn't using root servers directly just add to the burden of the  
> root servers?
No, for two reasons.

Number one is, there are a lot more root servers out there than there  
are resolvers at your ISP. I don't have the exact count, but due to  
anycast, the number is up around 100. And that's just the load  
balancers - there are several times that many actual authoritative  
name servers behind those load balancers.

Also, there's a significant difference in processing power required to  
process a recursive query vs. an iterative query. You would be sending  
occasional iterative queries to the root servers, whereas you have  
been sending (apparently) a constant and heavy stream of recursive  
queries to your ISP's resolvers.

Your ISP doesn't forward queries upstream; they resolve them  
recursively. The root servers do not handle the heavy lifting of DNS  
resolution (the job of recursion); they answer simple iterative  
requests from resolvers such as those provided by your ISP.

By not forwarding to your ISP, you would be shifting the bulk of the  
work to your own server(s). It sounds like your ISP would prefer this.

Chris Buxton
Professional Services
Men & Mice
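As an added illustration of the two setups discussed in this thread (this is example configuration written for this page, not Chris's or Brent's own named.conf, and not ISC's documentation): a named.conf fragment for a caching server that does its own recursion from the root hints, with the forwarding variant shown commented out beside it. The internal address ranges, the ACL name "internal", the listen address 10.0.0.53, the root hints file name "named.root" and the forwarder addresses 192.0.2.1-3 are all assumptions for the example. The security point it adds: whichever mode you pick, restrict recursion and cache access to your own clients so the new resolver is not an open resolver on the Internet, and if you do forward, prefer "forward first" so the server falls back to full recursion rather than failing outright when the ISP's resolvers are unreachable.

```conf
// Example caching resolver configuration (added example, not from the
// original thread). Addresses and file names are assumptions.

// Clients allowed to use this server recursively: our own networks only.
// 10.0.0.0/8 and 192.168.0.0/16 are assumed internal ranges.
acl "internal" {
        127.0.0.1;
        10.0.0.0/8;
        192.168.0.0/16;
};

options {
        directory "/var/named";          // assumed working directory

        // Listen only where internal clients can reach us (assumed address).
        listen-on port 53 { 127.0.0.1; 10.0.0.53; };

        // Do recursion ourselves, but only for our own clients.
        // Without these two statements the server would answer recursive
        // queries (and serve its cache) to anyone who can reach it.
        recursion yes;
        allow-recursion { "internal"; };
        allow-query-cache { "internal"; };

        // Anyone may ask for authoritative data we host (none in this
        // example); recursive answers are still limited by the ACLs above.
        allow-query { any; };

        // Forwarding variant, as discussed in the thread. Left disabled:
        // with it enabled, every cache miss becomes a recursive query to the
        // ISP's resolvers. "forward first" (the default) lets named fall
        // back to full recursion if no forwarder answers; "forward only"
        // makes the server entirely dependent on the forwarders.
        //
        // forward first;
        // forwarders { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
};

// Root hints: with no forwarders configured, named walks the delegation
// chain itself, sending iterative queries to the root, TLD and
// authoritative servers and caching the referrals it receives.
zone "." {
        type hint;
        file "named.root";              // assumed file name for the hints
};
```

Check the result with named-checkconf before reloading, and confirm from an external address that recursive queries are refused (for example with dig from outside the "internal" ranges) so the cache cannot be used by third parties or drawn into reflection traffic.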

More information about the bind-users mailing list