The ongoing DNS issues bug me. For most uses these days I disable bind entirely, as the 12-20MB it uses up are better used for packets. I do use it on 3800s but not on 3700v2s.

0) The circular time issue (bug #113) remains a PITA. I was really scarred by trying to fix that one last year and keep hoping someone else will fix it...

1) The luci gui has hooks for dnsmasq's "use dns servers advertised by peer" and "use custom dns servers", which are not tied into the bind configuration. This is confusing users. The way to do that manually is to get the advertisement once, validate that those servers do NXDOMAIN and DNSSEC, and toss them into forwarders.conf and enable forwarders.conf.

2) Going to the DNS roots with bind is OK, but it is always faster, and more reliable, to use the ISP-provided DNS servers, if they can be trusted to send DNSSEC information. Comcast's (if you are on comcast) are fast as heck. I also recently discovered that google DNS does indeed do dnssec, and although much further away than comcast on the networks I have access to, they are universally available. So I am thinking of enabling forwarding by default to google DNS. This reduces enabling forwarding to another set of servers provided by the ISP, if usable.... I would like a test of some sort that would prove a delegated ISP's DNS server was "worthy"; this test would include NXDOMAIN, DNSSEC, and whatever else would be required to validate it as a potential forwarder, to overwrite the forwarders.conf file with that information. I wouldn't mind establishing a global white/blacklist of DNS servers that did NXDOMAIN/DNSSEC right/wrong somewhere, either... dnsmasq may gain DNSSEC by the winter, btw....

3) A related problem is that when behind many walled gardens (a hotel, for example), going to the DNS roots via bind doesn't work at all, neither do things like google dns, and usually the forwarder is pretty crappy in the first place. dnsmasq works in this scenario just fine...

4) A final alternative is to drop bind by default and install it optionally. While this would lose DNSSEC, and split views and local delegations, it would buy the integration with dnsmasq, which includes things like AAAA naming, etc., and get some memory back. (I note that the OOM issues we're encountering are USEFUL to encounter in that optimizing for memory use throughout the system is very important, and I have similar issues on 32MB routers like the picostation/nanostation even without bind.)

Given the amount of time, energy, and money (all 0) I personally have to deal with these issues, I'm mostly tempted to save on hair by making dnsmasq the default going forward, and write off bind for now. Certainly continue to make it available for advanced users, but install it optionally. The advantages of having something closer to full blown dns in the home are not apparent without tighter integration with dhcp, dhcpv6, ahcp, etc., than presently exists anywhere.

-- 
Dave Täht
http://www.bufferbloat.net/projects/cerowrt/wiki - "3.3.8-17 is out with fq_codel!"

Cerowrt-devel mailing list
https://lists.bufferbloat.net/listinfo/cerowrt-devel
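The forwarder "worthiness" test items 1 and 2 ask for, as an added example that is not part of the original message or of CeroWrt: it checks a candidate resolver for honest NXDOMAIN, for DNSSEC validation (AD flag on a signed zone) and for refusing a zone with broken signatures, and only then writes it into forwarders.conf. It assumes `dig` is installed, that the sigok/sigfail.verteiltesysteme.net test zones are still published, that bind's options block includes forwarders.conf as a bare `forwarders {...};` clause, and that the FORWARDERS_CONF, SIGNED_OK and SIGNED_BAD variables are this script's own knobs.

```shell
# Added example, not CeroWrt code. A resolver is accepted as a forwarder only if it
#   1. answers NXDOMAIN for a name that cannot exist (no NXDOMAIN rewriting),
#   2. sets the AD flag on a correctly signed zone (it validates DNSSEC), and
#   3. answers SERVFAIL for a zone with deliberately broken signatures.
# Assumptions: dig is available; the test zone names and forwarders.conf layout.

dig_status() {  # print the rcode (NOERROR, NXDOMAIN, SERVFAIL, ...) from dig's header line
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}
dig_has_ad() {  # succeed if dig's flags line carries "ad" (authenticated data)
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx ad
}

# judge_forwarder NX_OUT OK_OUT BAD_OUT: apply the three rules to captured dig output.
judge_forwarder() {
    [ "$(dig_status "$1")" = NXDOMAIN ] || { echo "reject: does not return NXDOMAIN"; return 1; }
    [ "$(dig_status "$2")" = NOERROR ] && dig_has_ad "$2" \
        || { echo "reject: signed answer not validated (no AD flag)"; return 1; }
    [ "$(dig_status "$3")" = SERVFAIL ] || { echo "reject: broken signature accepted"; return 1; }
    echo "accept"
}

# probe_forwarder SERVER: run the three live queries against SERVER and judge them.
# .example is a reserved TLD, so the first name is guaranteed not to exist.
probe_forwarder() {
    q() { dig +dnssec +time=3 +tries=1 @"$1" "$2" A 2>&1; }
    judge_forwarder "$(q "$1" "nx-$$.example")" \
                    "$(q "$1" "${SIGNED_OK:-sigok.verteiltesysteme.net}")" \
                    "$(q "$1" "${SIGNED_BAD:-sigfail.verteiltesysteme.net}")"
}

# write_forwarders SERVER FILE: emit the clause bind's options block includes (assumed layout).
write_forwarders() {
    printf 'forwarders { %s; };\nforward only;\n' "$1" > "$2"
}

# Constructed dig output (not captured from a real server) so the judge can run offline.
SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_LYING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh forwarder-test.sh <advertised server ip> ...; the first server that passes is written out.
for srv in "$@"; do
    probe_forwarder "$srv" && { write_forwarders "$srv" "${FORWARDERS_CONF:-/etc/bind/forwarders.conf}"; break; }
done
```

A server that passes a name through as NOERROR instead of NXDOMAIN, or answers the broken zone with NOERROR, is rejected before anything is written.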
