[106718] in North American Network Operators' Group
RE: maybe a dumb idea on how to fix the dns problems i don't know....
daemon@ATHENA.MIT.EDU (Tomas L. Byrnes)
Mon Aug 11 01:01:25 2008
Date: Sun, 10 Aug 2008 22:01:14 -0700
In-Reply-To: <200808102213.m7AMDsmH019592@aurora.sol.net>
From: "Tomas L. Byrnes" <tomb@byrneit.net>
To: "Joe Greco" <jgreco@ns.sol.net>,
"Chris Paul" <chris.paul@rexconsulting.net>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
Unix machines set up by anyone with half a brain run a local caching
server, and use forwarders. I.e., the nameserver process can establish a
persistent TCP connection to its trusted forwarders, if we just let it.
That old sneer we used to use against Windows users of not having a
"full featured host" and all.

Windows stub resolvers multiplex through AD to an MS DNS server, which
can easily use TCP to its trusted forwarders, unless they have no DC,
which is not so common, in which case they just use standard queries,
presumably to a patched ISP host (often a Nominum box).

In both cases, the fix is in the local server, which serves only a few
(and in a "full featured host" only one) machines using TCP to its
forwarder, and the chain repeating itself.

I don't see the problem with going to TCP for the recursive queries
here. It's akin to the CDN scaling model, which has worked pretty well.
> -----Original Message-----
> From: Joe Greco [mailto:jgreco@ns.sol.net]
> Sent: Sunday, August 10, 2008 3:14 PM
> To: Chris Paul
> Cc: nanog@merit.edu
> Subject: Re: maybe a dumb idea on how to fix the dns problems
> i don't know....
>
> > But we only care about TCP connection setup time in *interactive*
> > sessions (a human using something like the web). If you have a
> > persistent connection to your dns server from your dns resolver on
> > your browser machine, you just send the request.... no TCP setup
> > there at all. You can even pool connections. We do this
> > stuff in LDAP all the time.
> >
> > How does TCP resolution work in most resolver libraries? A TCP
> > connection for each lookup? That is kind of dumb isn't it,
> > speaking of dumb.... I actually don't know. Not much of a coder, so
> > I'll let you coders check your code and get back to me on that...
> >
> > well.. maybe i'll fire up snort or wireshark and check it out later
> > with some different dns libs....
>
> Pretending for a moment that it was even possible to make
> such large scale changes and get them pushed into a large
> enough number of clients to matter, you're talking about
> meltdown at the recurser level, because it isn't just one
> connection per _computer_, but one connection per _resolver
> stub_ per _computer_ (which, on a UNIX machine, would tend to
> gravitate towards one connection per process), and this just
> turns into an insane number of sockets you have to manage.
>
> For your average ISP recurser where they only have 50,000
> people online at any given time, this could still be half a
> million open sockets. We already know this sort of thing
> doesn't scale well.
>
> This is very broken in any number of other ways. This
> message is not intended to imply otherwise.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI -
> http://www.sol.net "We call it the 'one bite at the apple'
> rule. Give me one chance [and] then I won't contact you
> again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way
> too many apples.
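The thread argues about whether a stub or local caching server can keep one persistent TCP connection to its forwarder and push many queries through it, but nobody in the exchange shows what that actually requires on the wire. The following is an added example written for this archive page; it is not code from any of the posters or from any resolver library. It implements the two pieces a persistent DNS-over-TCP client needs: the two-byte length prefix from RFC 1035 section 4.2.2 that delimits messages on a byte stream, and demultiplexing of responses back to outstanding queries by transaction ID, so that several queries can be in flight on a single connection and answers may come back out of order or split across TCP segments. The server side is a constructed fixture (`fake_a_response`) that turns a query into a minimal A-record response; the hostnames, addresses, transaction IDs and segment boundaries are made up for the demonstration. No network sockets are opened, so it runs offline.

```python
"""Persistent DNS-over-TCP: message framing and demultiplexing by transaction ID.

Added example for the NANOG thread above; not the posters' code. The server
responses are constructed fixtures, not captured traffic.
"""
import struct
from typing import Dict, List, Tuple

QID_BASE = 0x1000  # assumed starting transaction ID for this demo


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: header (RD=1) plus one IN question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a message with the big-endian 16-bit length used over TCP."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete messages; return (messages, leftover).

    A partial length field or partial message stays in the leftover buffer
    until the next read delivers the rest, which is what a persistent
    connection reader must handle.
    """
    msgs: List[bytes] = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def fake_a_response(query: bytes, ip: str) -> bytes:
    """Constructed fixture: echo the question and add one A record (TTL 60)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    question = query[12:]
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


def first_a_record(msg: bytes) -> str:
    """Return the IPv4 address from the first answer RR of a fixture response."""
    i = 12
    while msg[i] != 0:              # skip QNAME labels
        i += msg[i] + 1
    i += 1 + 4                      # root label, QTYPE, QCLASS
    if msg[i] & 0xC0 != 0xC0:
        raise ValueError("expected a compression pointer in the answer name")
    i += 2
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
    i += 10
    if rtype != 1 or rdlen != 4:
        raise ValueError("first answer is not an A record")
    return ".".join(str(b) for b in msg[i:i + 4])


def queries_for(names: List[str]) -> Dict[int, bytes]:
    """Assign one transaction ID per outstanding name on the shared connection."""
    return {QID_BASE + i: build_query(n, QID_BASE + i) for i, n in enumerate(names)}


def resolve_over_one_connection(names: List[str], chunks: List[bytes]) -> Dict[str, str]:
    """Consume TCP segments from one connection and match answers to queries by ID."""
    pending = {qid: name for qid, name in zip(queries_for(names), names)}
    results: Dict[str, str] = {}
    buf = b""
    for chunk in chunks:            # each chunk stands in for one recv() result
        buf += chunk
        msgs, buf = unframe_tcp(buf)
        for msg in msgs:
            name = pending.pop(struct.unpack("!H", msg[:2])[0], None)
            if name is None:
                continue            # unknown or duplicate ID: ignore it
            results[name] = first_a_record(msg)
    if pending:
        raise RuntimeError("unanswered queries: %r" % sorted(pending.values()))
    return results


def demo() -> Dict[str, str]:
    names = ["www.example.com", "mail.example.net"]
    addrs = {"www.example.com": "192.0.2.1", "mail.example.net": "198.51.100.7"}
    qs = queries_for(names)
    # Constructed server side: replies arrive in reverse order on the same stream.
    responses = [fake_a_response(qs[qid], addrs[name])
                 for qid, name in reversed(list(zip(qs, names)))]
    stream = b"".join(frame_tcp(r) for r in responses)
    # Split the stream at arbitrary points, including inside a length prefix.
    return resolve_over_one_connection(names, [stream[:1], stream[1:40], stream[40:]])


if __name__ == "__main__":
    print(demo())
```

One point that the thread's "just use TCP" argument takes for granted: on a shared, long-lived connection the 16-bit transaction ID is the only thing tying a response to its query, so a client must never reuse an ID while that query is outstanding, and it gains nothing from the forgery resistance of TCP if it accepts a response whose ID it did not send. The `pending.pop` above enforces both.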