tcp limitations
Brad Knowles
brad.knowles at skynet.be
Tue Jun 12 09:15:26 UTC 2001
At 9:50 AM +0200 6/12/01, Guy Pazi wrote:
> and to the question: What is the scale of concurrent tcp connections a dns
> server can support? ~1000? ~100000?
This would depend greatly on a number of factors which I don't
think anyone has begun to consider. I know that large-scale web
servers can handle into the multiple tens of thousands of TCP
connections, because we did just this during the time I worked at
AOL. However, the application is totally different, and a nameserver
might be able to handle many more or many fewer total simultaneous
connections.
> Of course it depends on the server's capabilities, so let's take the root
> servers for measurement. To my knowledge, root servers handle 5-10k
> queries/sec and are probably capable of many more.
Currently, I believe that the peak is closer to 2-3k per second,
but Rick Jones has done some benchmarking to show that a properly
configured single machine should be scalable up to as high as 12,000
queries per second.
> Will a root server answer 10k
> TCP queries/sec?
No. Absolutely not. 99.9999999% of all DNS queries are purely
UDP, although this percentage is reducing as more and more sites make
use of things like DNSSEC, having too many MXes advertised, etc...
and cause truncation of the UDP response, which should then be
restarted with TCP.
Of course, note that we recently discussed on this list that
TinyDNS does not support doing TCP by default, so odds are that you
will not be able to reach any sites that are running TinyDNS.
Of course, probably at least ten or a hundred times as many sites
block TCP to port 53 at their firewalls as run TinyDNS, so you
would be totally unable to access those sites, too. This would
include ASP and e-mail outsourcing companies like Critical Path, one
of the busiest e-mail sites in the world (they handle mail for
mac.com, for example). Also note that hotmail.com blocks port 53
TCP. As does MSN. Indeed, the only extremely large site I know of
that *doesn't* stupidly block TCP to port 53 is AOL.
I strongly suspect that you are simply going to have to give up
the idea of blocking all UDP traffic -- it's just not practical.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
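The UDP-then-TCP behaviour the reply describes (a UDP answer comes back with the TC bit set, and the resolver must repeat the query over TCP, which fails outright if port 53/TCP is firewalled or the server does not speak TCP), as an added example that is not part of the post above and not BIND or TinyDNS code. It builds a minimal RFC 1035 query, reads the header flags of the reply, and applies the 2-byte length framing TCP DNS uses. The transports are injected as functions so the decision logic can be exercised offline against constructed sample responses; the `udp_transport`/`tcp_transport` helpers, the `fake_*` senders and the name `example.com` are all assumptions of this example.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: UDP reply did not fit, client should retry over TCP
FLAG_RD = 0x0100   # recursion desired

QTYPE_A, QTYPE_MX, QCLASS_IN = 1, 15, 1


def encode_name(qname):
    """Wire-format a domain name as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """12-byte header with RD set, QDCOUNT=1, followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Return the header fields a client needs to decide what to do next."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qdcount, "ancount": ancount}


def tcp_frame(msg):
    """TCP DNS prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def udp_transport(server, port=53, timeout=3.0):
    """Real UDP sender (assumed helper); 512 bytes is the classic UDP DNS payload limit."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recvfrom(512)[0]
    return send


def tcp_transport(server, port=53, timeout=3.0):
    """Real TCP sender (assumed helper): length-framed write, length-framed read."""
    def send(query):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(tcp_frame(query))
            length = struct.unpack("!H", recv_exact(s, 2))[0]
            return recv_exact(s, length)
    return send


def resolve(query, udp_send, tcp_send):
    """Send over UDP; if the reply has TC=1, repeat the query over TCP.

    Returns (response_bytes, transport_used). When TCP/53 is blocked at a
    firewall, or the server does not do TCP at all, tcp_send raises and the
    name is simply unresolvable: the failure mode described in the post.
    """
    want_id = parse_header(query)["id"]
    resp = udp_send(query)
    hdr = parse_header(resp)
    if not hdr["qr"] or hdr["id"] != want_id:
        raise ValueError("UDP reply is not a response to our query")
    if not hdr["tc"]:
        return resp, "udp"
    resp = tcp_send(query)                      # may raise if TCP/53 is filtered
    hdr = parse_header(resp)
    if not hdr["qr"] or hdr["id"] != want_id:
        raise ValueError("TCP reply is not a response to our query")
    return resp, "tcp"


# --- constructed sample traffic (not captured from any real server) ---
SAMPLE_QUERY = build_query("example.com", QTYPE_MX, txid=0xBEEF)

def _fake_response(query, tc, ancount):
    """Echo the question back with QR set and the requested TC flag / ANCOUNT."""
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if tc else 0)
    return struct.pack("!HHHHHH", parse_header(query)["id"], flags, 1, ancount, 0, 0) + query[12:]

def fake_udp_truncated(query): return _fake_response(query, tc=True, ancount=0)
def fake_udp_full(query):      return _fake_response(query, tc=False, ancount=1)
def fake_tcp_ok(query):        return _fake_response(query, tc=False, ancount=1)
def fake_tcp_blocked(query):   raise ConnectionRefusedError("TCP/53 filtered (simulated)")


if __name__ == "__main__":
    _, via = resolve(SAMPLE_QUERY, fake_udp_truncated, fake_tcp_ok)
    print("truncated UDP answer, completed via", via)
    try:
        resolve(SAMPLE_QUERY, fake_udp_truncated, fake_tcp_blocked)
    except ConnectionRefusedError as e:
        print("unresolvable once UDP truncates:", e)
```

To run it against a real server, pass `udp_transport("192.0.2.1")` and `tcp_transport("192.0.2.1")` to `resolve` in place of the fake senders; a large MX set or DNSSEC-signed zone is the easiest way to provoke a truncated UDP answer on a stock resolver.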