At 8:46 PM -0700 3/8/07, [EMAIL PROTECTED] wrote:

> Maybe this is a good time to ask just how DNS-intensive the
> non-sendmail MTAs are. I am finishing off the basics on installing
> sendmail with Mailman, and am including some discussion of the need to
> install a good fast-response caching DNS server to work with sendmail.
All MTAs I know of are pretty DNS-intensive in their operation. The more anti-spam or anti-virus filtering you do, or the more other things you do to check the incoming mail, the more DNS-intensive that work is going to be. Of course, most MTAs should give you options on how to configure them so that they don't generate any DNS traffic at all, but then what you're doing is effectively turning off about 99.99% of what the MTA is intended to do when handling mail.

In this respect, I don't think that sendmail is necessarily much worse or much better than any other MTA.

> Since then I've installed master and slave servers for my Intranet
> LAN, but I would heartily recommend having at least a plain caching
> server on the box that's running the MTA.

Years ago, this was actually a bit of a sore point amongst the experts. Some said that you were better off having a smaller number of centralized caching nameservers, which handled all DNS traffic for the entire network. Others said that you're better off having caching nameservers running on each box, to spread that load out.

Of course, the issue there is that Box A might do a DNS query of some sort, and retrieve data that could later be used by Box B, but if both machines are running their own nameservers as opposed to a centralized caching nameserver, then both machines will end up doing the same query, causing increased load on the remote end, etc.

Moreover, large caching nameservers can take up hundreds of megabytes (or even a couple of gigabytes) of RAM, so if you've got servers that are already using lots of RAM to process all their "real" work, then you may not have enough RAM to also run a large caching nameserver on the box.

Finally, sometimes consistency is more important than raw speed. In other words, sometimes it's more important that the clients see that they get the same answers regardless of which server they ask, and the actual raw performance is not quite so important.
For example, when an AOL user sends e-mail to a remote recipient, it would be really bad for that user to get "okay, message accepted" on the first try and then "invalid domain" on the second try, and then get "okay, message accepted" on the third try, or whatever. Since the DNS changes frequently, you could easily wind up with some pretty radically different views of the world on different servers, based on when they asked what questions.

To solve all these issues, what was recommended was a hybrid approach. Run local caching-only servers on each box, but then have them forward all outgoing queries to a central set of caching-only nameservers. The local nameserver would short-circuit all the repetitive queries from the same application to talk to the same remote system, while the centralized caching nameservers would ensure that everyone gets the same answer to a particular question, and would ensure that you don't actually send your queries to the outside world unless no machine at that site had asked that question within the time-to-live of the answer.

DNS experts now agree that it's generally a bad idea to have hierarchies of nameservers, although the overall problems have not otherwise changed. So, pick your poison, but don't try to go with the hybrid approach. It creates too much of a central bottleneck and slows things down, and it also reduces the overall reliability of the system.

Of course, all detailed DNS questions should be asked on the appropriate mailing lists and/or newsgroups, although I can try to summarize as best I can -- I was a technical reviewer of the 2nd edition of Cricket's book, and I'm in the process of writing my own book on DNS security.

> While all of my experience is with sendmail, I'm inclined to suspect
> that the other MTAs all can stand a shot of local DNS service.
> Anybody who can confirm this for Postfix, Exim, etc.?

All MTAs I know of make intensive use of the DNS -- sendmail, postfix, Exim, etc.
-- 
Brad Knowles <[EMAIL PROTECTED]>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
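As an added illustration of the three cache placements compared in the reply above (a caching nameserver on every MTA box, one central cache, and the hybrid where local caches forward to a central one), the following Python toy model is not code from the post or from any real nameserver; the domain, addresses, TTL and query times are constructed. It counts how many queries leave the site and checks whether the MTA boxes agree on the answer when the record changes mid-TTL, which is the consistency problem the post describes.

```python
class Authoritative:
    """Stand-in for the outside world: the record changes at a set time,
    and every query reaching it counts as external load."""
    def __init__(self, history, ttl):
        self.history, self.ttl, self.queries = history, ttl, 0

    def resolve(self, name, now):
        self.queries += 1
        current = [a for t, a in self.history[name] if t <= now]
        return current[-1], self.ttl          # (answer, TTL)

class Cache:
    """Caching-only resolver: serves a cached answer until its TTL expires,
    otherwise asks its upstream (the outside world or another Cache)."""
    def __init__(self, upstream):
        self.upstream, self.store = upstream, {}   # name -> (answer, expiry)

    def resolve(self, name, now):
        entry = self.store.get(name)
        if entry and entry[1] > now:
            return entry[0], entry[1] - now        # answer, remaining TTL
        answer, ttl = self.upstream.resolve(name, now)
        self.store[name] = (answer, now + ttl)
        return answer, ttl

def simulate(topology, boxes=3, ttl=300):
    """Return (queries that left the site, whether all boxes agree at t=200)."""
    # Constructed record: the MX host's address changes at t=100.
    world = Authoritative({"mx.example.test": [(0, "192.0.2.1"),
                                              (100, "192.0.2.2")]}, ttl)
    central = Cache(world)
    if topology == "per-box":                 # a cache on every MTA box
        resolvers = [Cache(world) for _ in range(boxes)]
    elif topology == "central":               # one shared cache
        resolvers = [central] * boxes
    else:                                     # "hybrid": local -> central
        resolvers = [Cache(central) for _ in range(boxes)]
    # Constructed schedule: box i first asks at t = 60*i (box 2 asks only
    # after the record changed), then every box asks again at t=200.
    for i, r in enumerate(resolvers):
        r.resolve("mx.example.test", 60 * i)
    answers = {r.resolve("mx.example.test", 200)[0] for r in resolvers}
    return world.queries, len(answers) == 1

if __name__ == "__main__":
    for topo in ("per-box", "central", "hybrid"):
        print(topo, simulate(topo))   # per-box sends 3 queries and disagrees
```

The per-box layout sends one external query per box and leaves the boxes disagreeing about the MX address until the older cache entries expire; both the central and the hybrid layout send a single external query and keep every box on the same answer, which is exactly the trade-off between load, consistency and a central bottleneck the post weighs.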