G'day,

From: "Russell Coker" <[EMAIL PROTECTED]>
> On Wed, 27 Oct 2004 18:07, Donovan Baarda <[EMAIL PROTECTED]> wrote:
> > Sorry to subvert a thread like this, but has anyone else decided that
> > nscd is pretty much essential for all systems, regardless of nss, or
> > local nameservers?
>
> No.
>
> > It seems without it there is _no_ dns caching of any kind (except for
>
> Run named on localhost.

I actually run pdnsd. I find it leaner and simpler than named. However, is "run named on all hosts" really better than "run nscd on all hosts"? I have the gut feeling nscd is a lighter, simpler and faster solution than named, but I could be wrong.

> > apps like squid that explicitly have it). If you ping, every single ping
> > packet triggers an nslookup.
>
> Which ping program have you seen doing this? The ping program in iputils-ping

I am using the ping from iputils-ping in sarge. It definitely does ns lookups for every packet... using iptraf to monitor traffic, I see the following repeated for every ping packet.

ICMP echo req (84 bytes) from 192.168.2.33 to 203.12.237.50 on eth1
ICMP echo rply (84 bytes) from 203.12.237.50 to 192.168.2.33 on eth1
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
ICMP echo req (84 bytes) from 192.168.2.33 to 203.12.237.50 on eth1
ICMP echo rply (84 bytes) from 203.12.237.50 to 192.168.2.33 on eth1
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo

Note you only see this when you ping hosts not found in your /etc/hosts file (obviously). If you don't have a local name server, this triggers remote nslookups. Even worse, if you have multiple remote nameservers in your resolv.conf, and the first is down, it waits for the first nslookup to time out before trying the second... for _every_ lookup. This is when I first noticed this behaviour... ping was taking ~10secs between each ping packet... it turns out it was waiting for nslookups to time out before trying the second nameserver between each ping.

> only does a DNS lookup before sending the first packet and I expect that all
> other ping programs do the same. Run tcpdump while running ping and check
> what your ping program does.

see above...

> > Even if you have a local caching name
> > server, the UDP traffic on the loopback interface hurts.
>
> How does UDP traffic on the loopback hurt more than Unix domain socket access?

Unix domain socket access doesn't show up in iptraf? :-) I would have thought that since nscd hooks in at the libc level, it would be more efficient... again unfounded speculation on my part...

> > Is there any reason why nscd should not be installed on a system?
>
> It wastes RAM on small machines. Caches get stale sometimes. It's one more
> thing that can go wrong or have a security issue. Most people don't need it.

but does running named instead really avoid all these issues, or make them worse?

----------------------------------------------------------------
Donovan Baarda                http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------
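As an added example (not part of this thread), here is a small Python script that parses the iptraf lines quoted above, counts DNS queries per ICMP echo request, and models the extra delay per ping when the first nameserver in resolv.conf is down. The 5-second figure is the glibc resolver's default query timeout (the resolv.conf `timeout:` option) and the dead-server model is an assumption, not something measured in the thread.

```python
import re

# Constructed sample: the iptraf lines quoted in the message above, i.e. two
# ping cycles, each followed by two DNS queries and two replies on loopback.
IPTRAF_LOG = """\
ICMP echo req (84 bytes) from 192.168.2.33 to 203.12.237.50 on eth1
ICMP echo rply (84 bytes) from 203.12.237.50 to 192.168.2.33 on eth1
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
ICMP echo req (84 bytes) from 192.168.2.33 to 203.12.237.50 on eth1
ICMP echo rply (84 bytes) from 203.12.237.50 to 192.168.2.33 on eth1
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (72 bytes) from 127.0.0.1:54815 to 127.0.0.1:53 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
UDP (188 bytes) from 127.0.0.1:53 to 127.0.0.1:54815 on lo
"""

ICMP_REQ = re.compile(r"^ICMP echo req \(\d+ bytes\) from \S+ to \S+ on \S+$")
# A DNS query is a UDP datagram whose *destination* port is 53; replies
# (source port 53) are deliberately not counted.
DNS_QUERY = re.compile(r"^UDP \(\d+ bytes\) from \S+:\d+ to \S+:53 on \S+$")


def dns_queries_per_ping(log):
    """Return (echo_requests, dns_queries, queries_per_ping) for an iptraf log.
    A ratio that stays above zero across many packets shows the lookups are
    not confined to the first ping, which is what the thread observed."""
    pings = queries = 0
    for line in log.splitlines():
        if ICMP_REQ.match(line):
            pings += 1
        elif DNS_QUERY.match(line):
            queries += 1
    return pings, queries, (queries / pings if pings else 0.0)


def extra_delay_per_ping(queries_per_ping, dead_servers_ahead, timeout=5.0):
    """Assumed model: each query waits `timeout` seconds on every dead
    nameserver listed before the first live one. `timeout` defaults to the
    glibc resolver's 5-second default; two queries per ping and one dead
    server therefore add about 10 seconds per ping."""
    return queries_per_ping * dead_servers_ahead * timeout


if __name__ == "__main__":
    pings, queries, ratio = dns_queries_per_ping(IPTRAF_LOG)
    print(f"{pings} echo requests, {queries} DNS queries, {ratio:.1f} per ping")
    print(f"first nameserver down: ~{extra_delay_per_ping(ratio, 1):.0f}s extra per ping")
```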