
Re: bind: mine or my ISP's? + proxy propaganda (was: what'sinternet-zahav and NV's nameservers?)
On Wed, 20 Jan 1999, guy keren wrote:

> > I'd simply block port
> > 53/tcp for incoming connections and forget about over half your worries,
> > then I think there is a way to nicely block DNS responses from servers you
> > have not queried, etc.
> 
> up until this line, i thought i'd say "yes, do what he says". but now that
> you mention that simple blocking is not enough.... oh well. 

well, 53/tcp is for zone transfers, caching nameservers don't need that
enabled. 53/udp is for standard queries, and I think bind-8 knows how to
ignore illegally pushed "replies". I can check.

> > difference in first lookup time is under 1ms, I wouldn't even give it a
> > thought, and as for memory... I have a busy server here, main DNS of the
> > intranet, and it's only 1.3 megs in memory. that's a good sacrifice for a
> > faster name resolution on dialups, especially with 32 megs and up of
> > system memory, and then it would probably take less memory too (how much
> > does it take on YOUR machine?)
> 
> sorry. there was an implicit (now to become explicit) assumption that the
> person who was asking this, was referring to a machine connected to the
> internet with a dialup connection (which has a 200ms or 300ms turn-around
> latency). all my 'calculation' and conclusions are relevant to such a
> situation. of course if you have a faster connection, this is completely
> different. next time i'll try to state such implicit assumptions.

I meant:
program --> resolv.conf --> remote DNS --> reply back 
compared to:
program --> resolv.conf --> local DNS --> remote DNS --> reply --> reply

is 1 ms of difference, because in the latter, one query is local, and the
other remote one is the major delayer. the advantage is the caching for
later, the rest I wrote already.

> and btw, regarding the URL comment of frodo, i would add that one may even
> try to run a local proxy server, configured to pool data from their ISP's
> proxy server. i've done it once as a smallish exercise, and even with the
> small disk space i gave it, it had some advantages over using the cache of
> the web browser :

squid is definitely a boon, a must if more than 2-3 users are connected.

-- 
Ira Abramov ;  whois:IA58  ;  www.scso.com ;  all around Linux enthusiast 
`When you say "I wrote a program that crashed Windows", people just stare
at you blankly and say  "Hey, I got those with the system,  *for free*".'
                                                         (Linus Torvalds)
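The "block DNS responses from servers you have not queried" idea discussed in the thread, as an added example that is neither from the thread nor from bind: a stateful reply filter that parses the DNS header and question, records the queries the local resolver sent, and passes a reply only when its source address and port, transaction ID and question all match an outstanding query. The wire format is the real one; the sample messages, server addresses and the `ReplyFilter`/`build_dns` names are constructed for the demonstration.

```python
import struct

def parse_dns(packet: bytes):
    """Return (txid, is_response, qname, qtype) from a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a pointer is invalid here: there is no earlier name to point at
            raise ValueError("compressed question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

class ReplyFilter:
    """Remember queries the local resolver sent; pass only replies that match one."""
    def __init__(self):
        self.pending = set()  # (server_ip, server_port, txid, qname, qtype)

    def note_query(self, server_ip, server_port, packet):
        txid, is_resp, qname, qtype = parse_dns(packet)
        if not is_resp:
            self.pending.add((server_ip, server_port, txid, qname, qtype))

    def allow_reply(self, src_ip, src_port, packet) -> bool:
        try:
            txid, is_resp, qname, qtype = parse_dns(packet)
        except (ValueError, IndexError):
            return False  # malformed: drop
        key = (src_ip, src_port, txid, qname, qtype)
        if is_resp and key in self.pending:
            self.pending.discard(key)  # one answer per query; a second copy is a replay
            return True
        return False  # unsolicited, wrong source, wrong ID, or not a response at all

def build_dns(txid, qname, response=False, qtype=1):
    """Build a minimal DNS message (constructed sample data, question section only)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\0"
    return header + name + struct.pack("!HH", qtype, 1)
```

This is the matching a resolver does internally on its own replies; a plain port filter on 53/udp cannot do it, because it never sees transaction IDs or question names.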