Re: Bypassing DNS?
Ben Scott [EMAIL PROTECTED] writes:

> On 2/23/06, Paul Lussier [EMAIL PROTECTED] wrote:
>>> If you want more immediate response, I would suggest running a local instance of BIND as a caching server.
>> Probably not. This is for an embedded system, for which the desire is as little complexity as possible. Configuring a caching name server would add a significant layer of complexity for which our support people are not qualified to deal with.
> You really think so? A caching-only nameserver requires no configuration with BIND, about all you have to do is install it. You might want to pre-configure a restriction that it only listens to the localhost, but that config file would be the same everywhere. Even if you wanted to configure forwarders, you could do that with a simple included file. What's the big deal?
> If you're worried about footprint, DJB's tinydns caching-only resolver is, well, pretty tiny.

What I'm concerned about is the number of packages listed as dependencies for the package which will have to be dragged in, the addition of config files, the amount of additional testing required for adding this package and its config files, etc. This isn't just a matter of adding a single package and tweaking a file once. This is about drastically changing the makeup of a whole product and the manpower behind delivering said product.

I'm not saying it's not the right choice, just that a) it's a lot more than just doing it, b) it's not necessarily my call, c) people with less technical understanding than engineers are the ones requiring justification and who ultimately control the expenditure of the required resources (i.e. my or others' time).

--
Seeya, Paul

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Bypassing DNS?
> I believe this is by design, the host command is specifically intended to query DNS.

The following quick test tends to confirm what MWL is saying and apparently shows the host tool using only libresolv while another tool (ping, in this example) then proceeds to libnss:

% strace host bogusHostName 2>&1 | fgrep -i -e resolv -e nss
open("/lib/tls/libresolv.so.2", O_RDONLY) = 3
open("/etc/resolv.conf", O_RDONLY) = 3

% strace ping bogusHostName 2>&1 | fgrep -i -e resolv -e nss
open("/lib/tls/libresolv.so.2", O_RDONLY) = 3
open("/etc/resolv.conf", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
read(3, "# /etc/nsswitch.conf\n#\n# Example...", 4096) = 465
open("/lib/tls/libnss_files.so.2", O_RDONLY) = 3
open("/lib/tls/libnss_dns.so.2", O_RDONLY) = 3
Re: Bypassing DNS?
On 2/24/06, mike ledoux [EMAIL PROTECTED] wrote:
> At least on my system, 'host' doesn't use /etc/nsswitch.conf at all:

Good point.

> I believe this is by design, the host command is specifically intended to query DNS.

Yes. host, dig, and nslookup all come from the BIND suite (part of bind-utils on Red Hat). They're DNS diagnostic tools, not programs which use DNS as an application.

Most programs (ping, Firefox, etc.) are going to use the gethostby*() library calls, which is where NSS (the name service switch) comes in. In effect, Firefox calls gethostbyname("www.google.com") to get the host information for Google. NSS might check local files, NIS, DNS, LDAP, SMB, or any number of other things to get that information.

The attached Perl script provides a command-line interface to the gethostby*() calls.
Bypassing DNS?
Hi all,

Is there a way to tell the resolver libs that if you can't connect to the DNS service, to just abort and return? Setting /etc/nsswitch.conf to

hosts: dns [unavail=continue|return] files

still seems to result in a slight hang while the lookup occurs...

--
Seeya, Paul
Re: Bypassing DNS?
On Thursday 23 February 2006 12:41 pm, Paul Lussier wrote:
> Hi all,
>
> Is there a way to tell the resolver libs that if you can't connect to the DNS service, to just abort and return? Setting /etc/nsswitch.conf to
>
> hosts: dns [unavail=continue|return] files
>
> still seems to result in a slight hang while the lookup occurs...

That slight hang would be the timeout of the DNS request. I'm guessing it's about 2 seconds. If you want more immediate response, I would suggest running a local instance of BIND as a caching server. It can even just forward all requests to your primary DNS servers if you'd like. The benefit of doing this is that you can set more aggressive timeouts on your local instance without affecting other users of the real DNS server. Then, your resolv.conf can point to localhost and your nsswitch will fail back to files more quickly.

Would that work?
-N
Re: Bypassing DNS?
hosts: files [NOTFOUND=continue] dns [NOTFOUND=return]

On 2/23/06, Paul Lussier [EMAIL PROTECTED] wrote:
> Hi all,
>
> Is there a way to tell the resolver libs that if you can't connect to the DNS service, to just abort and return? Setting /etc/nsswitch.conf to
>
> hosts: dns [unavail=continue|return] files
>
> still seems to result in a slight hang while the lookup occurs...
>
> --
> Seeya, Paul

--
A strong conviction that something must be done is the parent of many bad measures. - Daniel Webster
Re: Bypassing DNS?
Tom Buskey [EMAIL PROTECTED] writes:

> hosts: files [NOTFOUND=continue] dns [NOTFOUND=return]

Nope, still hangs:

# time host foo
Nameserver not responding
eg.foo.com A record not found, try again

real 0m14.996s
user 0m0.000s
sys  0m0.000s

--
Seeya, Paul
Re: Bypassing DNS?
Neil Schelly [EMAIL PROTECTED] writes:

> That slight hang would be the timeout of the DNS request.

Yeah, I know what it is, I need a work around for it :)

> I'm guessing it's about 2 seconds.

More like 15:

# time host foo
Nameserver not responding
foo.foo.com A record not found, try again

real 0m14.996s
user 0m0.000s
sys  0m0.000s

> If you want more immediate response, I would suggest running a local instance of BIND as a caching server. It can even just forward all requests to your primary DNS servers if you'd like.
> [snip]
> Would that work?

Probably not. This is for an embedded system, for which the desire is as little complexity as possible. Configuring a caching name server would add a significant layer of complexity for which our support people are not qualified to deal with. Additionally, the configuration of the caching server would be a royal pain to build into our installation process.

--
Seeya, Paul
Re: Bypassing DNS?
Paul Lussier wrote:
> Neil Schelly [EMAIL PROTECTED] writes:
>> That slight hang would be the timeout of the DNS request.
> Yeah, I know what it is, I need a work around for it :)
>> I'm guessing it's about 2 seconds.
> More like 15:
>
> # time host foo
> Nameserver not responding
> foo.foo.com A record not found, try again
>
> real 0m14.996s
> user 0m0.000s
> sys  0m0.000s
>
>> If you want more immediate response, I would suggest running a local instance of BIND as a caching server. It can even just forward all requests to your primary DNS servers if you'd like.
>> [snip]
>> Would that work?
> Probably not. This is for an embedded system, for which the desire is as little complexity as possible. Configuring a caching name server would add a significant layer of complexity for which our support people are not qualified to deal with. Additionally, the configuration of the caching server would be a royal pain to build into our installation process.

Try swapping the order of hosts and dns in /etc/nsswitch.

Also, have you tried

options timeout:1

in /etc/resolv.conf? (This will give you a 1 second timeout).

--Bruce
Re: Bypassing DNS?
On 2/23/06, Paul Lussier [EMAIL PROTECTED] wrote:
> Is there a way to tell the resolver libs that if you can't connect to the DNS service, to just abort and return? Setting /etc/nsswitch.conf to
>
> hosts: dns [unavail=continue|return] files
>
> still seems to result in a slight hang while the lookup occurs...

The real issue here is: How does the stub resolver library know it can't connect to the DNS service? If the full-service resolver (the nameserver configured in /etc/resolv.conf) is unresponsive for some reason, the resolver has no way of knowing that. Remember, UDP is stateless, so all the stub can do is send a query and wait for a reply. If the query packet goes into a black hole, the stub will never know that.

You can set a timeout in the resolver that says, in effect, "If you don't hear back within X seconds, give up." Bruce posted the config option for that, but that small timeout may cause false timeout errors when things really are working. DNS can take a couple seconds even when everything is working right, and unusual conditions can make things worse.

On 2/23/06, Paul Lussier [EMAIL PROTECTED] wrote:
>> If you want more immediate response, I would suggest running a local instance of BIND as a caching server.
> Probably not. This is for an embedded system, for which the desire is as little complexity as possible. Configuring a caching name server would add a significant layer of complexity for which our support people are not qualified to deal with.

You really think so? A caching-only nameserver requires no configuration with BIND, about all you have to do is install it. You might want to pre-configure a restriction that it only listens to the localhost, but that config file would be the same everywhere. Even if you wanted to configure forwarders, you could do that with a simple included file. What's the big deal?

If you're worried about footprint, DJB's tinydns caching-only resolver is, well, pretty tiny.
-- Ben
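An added example, not code from the thread: a small model of the NSS hosts: chain and the resolv.conf timeout that Tom, Bruce and Ben discuss, showing why an action spec on the dns source cannot shorten the hang (the status is only known after the resolver has already waited) while putting files first, or bounding timeout and attempts, does. The function names are hypothetical, and the worst-case formula is a simplified model (an assumption) of glibc's behaviour.

```python
import re

# Default NSS action for each lookup status (nsswitch.conf(5)):
# success returns, everything else continues to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_hosts_line(line):
    """Parse 'hosts: files [NOTFOUND=continue] dns [NOTFOUND=return]' into
    [(source, actions), ...]; a [STATUS=action] spec binds to the source before it."""
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
        if tok.startswith("["):
            for status, action in re.findall(r"(\w+)=(\w+)", tok):
                chain[-1][1][status.lower()] = action.lower()
        else:
            chain.append((tok, dict(DEFAULT_ACTIONS)))
    return chain

def resolver_worst_case(resolv_conf):
    """Seconds the stub resolver may wait before the dns source can report
    'unavail' when every server black-holes the query. Simplified model
    (assumption): timeout x attempts x nameservers, glibc defaults 5s and 2."""
    timeout, attempts, servers = 5, 2, 0
    for entry in resolv_conf.splitlines():
        if entry.startswith("nameserver"):
            servers += 1
        if m := re.search(r"timeout:(\d+)", entry):
            timeout = int(m.group(1))
        if m := re.search(r"attempts:(\d+)", entry):
            attempts = int(m.group(1))
    return timeout * attempts * max(servers, 1)

def lookup(chain, outcomes):
    """Walk the chain with simulated per-source outcomes {source: (status, seconds)}.
    The status is only known after the source has spent its time, which is why
    [unavail=continue] on dns cannot shorten the hang. Returns
    (final status, sources consulted, total seconds waited)."""
    consulted, elapsed = [], 0
    for source, actions in chain:
        status, cost = outcomes[source]
        consulted.append(source)
        elapsed += cost
        if actions[status] == "return":
            return status, consulted, elapsed
    return "notfound", consulted, elapsed
```

With a constructed scenario of one nameserver that never answers and a name present in /etc/hosts, `hosts: dns [unavail=continue] files` still waits the full resolver timeout before files is consulted, whereas `hosts: files ... dns` answers immediately and `options timeout:1 attempts:1` caps the dns wait at one second.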