Re: Excessive DNS Requests

2005-03-23 Thread Nix
On Tue, 22 Mar 2005, List Mail User stipulated:
>   2) If you do more than 10K messages a day, make your server "stub"
>  the roots of the bl domains.

I'd be amazed if this was useful: if you're querying them, your nameserver
should have queried them and cached them as a side-effect of looking up
names in those zones.

-- 
This is like system("/usr/funky/bin/perl -e 'exec sleep 1'");
   --- Peter da Silva


Re: Excessive DNS Requests

2005-03-23 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Mar 23 08:41:38 2005
>To: List Mail User <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED], users@spamassassin.apache.org
>Subject: Re: Excessive DNS Requests
>...
>From: Nix <[EMAIL PROTECTED]>
>...
>...
>Date: Wed, 23 Mar 2005 16:41:22 +
>
>On Tue, 22 Mar 2005, List Mail User stipulated:
>>  2) If you do more than 10K messages a day, make your server "stub"
>> the roots of the bl domains.
>
>I'd be amazed if this was useful: if you're querying them, your nameserver
>should have queried them and cached them as a side-effect of looking up
>names in those zones.
>
>-- 
>This is like system("/usr/funky/bin/perl -e 'exec sleep 1'");
>   --- Peter da Silva
>
It depends entirely on the various TTL codes for the "refresh",
"minimum" and "expire" values and the distinction between the way they
are treated - for some lists you gain nothing, for others, you can cut
the "base" domain lookups significantly.  A quick check seems like you
might do more work for SURBLs, but less for the sbl.spamhaus.org.  I
really shouldn't have made a blanket statement, because even in the group
of people who administer these lists, the meanings of the various TTL values
don't seem clear to everybody.  My point was that the base domain should
not change often and you *should* gain beyond simple caching;  But a real
check shows that is true for some and not for others. (There is no significant
savings by doing just a 'SOA' lookup and testing the serial number vs. a full
lookup if the TTLs are all the same - but they never seem to be.)  If they
are "properly" (my definition) administered, you would do far fewer lookups
by "stub"'ing the domains (only the serial number check of the 'SOA' record
at "refresh" time, instead of a full lookup at the "minimum" TTL).


Paul Shupak
[EMAIL PROTECTED]



Re: Excessive DNS Requests

2005-03-23 Thread List Mail User
>...
>Subject: Excessive DNS Requests
>From: lister lynch <[EMAIL PROTECTED]>
>To: users@spamassassin.apache.org
>
>Our ISP, Covad, is periodically claiming that we have excessive DNS
>requests and is threatening to turn off our service.  It's primarily due
>to SA, I think.  Looked around for answers, and already set a bunch of
>the BL checks to 0.0 to turn off the rules.  Any idea how to further
>prevent the excessive DNS requests?
>
>Setup:
>SA running on FC1 as firewall, passing mail thru to an Exchange server
>on the inside.
>
>Thanks a bunch for any insight,

1) run your own caching name server.
2) If you do more than 10K messages a day, make your server "stub"
   the roots of the bl domains.
3) If you do 50K+ or 100K+, consider rsync and local secondary
   service for those lists who allow it.

Of the above, "1" will get you the most, the fastest;  "2" never
seems to be discussed anywhere, but if you are a bind/named user, it will
take off 5-10% of your load;  If "3" is appropriate, you *really* need some
long term planning also.

You could always "buy" DNS service, lots of companies sell it.  But
please do not abuse a public server (there still are quite a few - mainly
academic, but a few corporate).


Paul Shupak
[EMAIL PROTECTED]

P.S. Just curious, but do you have any idea how many lookups you are doing
and/or how many Covad thinks is excessive?  (I *was* a Covad customer a few
bankruptcies ago, but they could keep the line up reliably for my site.)
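
Added example (not part of any message in this thread): a Python sketch that replays a query trace through a TTL cache to estimate, per list zone, how many of SpamAssassin's DNSBL lookups a local caching name server would answer itself. The trace format, the sample lines and the fixed 300-second TTL are constructed assumptions; real answers carry their own TTLs.

```python
from collections import Counter

# Constructed sample trace: "<epoch-seconds> <qname> <qtype>" per query, as a
# resolver trace might record SpamAssassin DNSBL lookups. Not real data.
SAMPLE_LOG = """\
1000 2.0.0.192.sbl.spamhaus.org A
1002 example.com.multi.surbl.org A
1010 2.0.0.192.sbl.spamhaus.org A
1030 example.com.multi.surbl.org A
1400 2.0.0.192.sbl.spamhaus.org A
1405 7.113.0.203.sbl.spamhaus.org A
1410 7.113.0.203.sbl.spamhaus.org A
2500 example.com.multi.surbl.org A
"""

ZONES = ("sbl.spamhaus.org", "multi.surbl.org")  # list zones to report on
ASSUMED_TTL = 300  # assumption: every answer (hit or NXDOMAIN) is cached 300 s

def zone_of(qname):
    """Return the DNSBL zone a query name falls under, or 'other'."""
    for zone in ZONES:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return "other"

def simulate(log_text, ttl=ASSUMED_TTL):
    """Count queries passed on with no cache vs. with a local TTL cache."""
    expires = {}                        # (qname, qtype) -> cache expiry time
    direct, cached = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue                    # skip malformed lines
        ts, qname, qtype = int(parts[0]), parts[1].lower().rstrip("."), parts[2]
        zone = zone_of(qname)
        direct[zone] += 1               # without a cache every query goes out
        key = (qname, qtype)
        if expires.get(key, -1) <= ts:  # miss or expired entry: ask upstream
            cached[zone] += 1
            expires[key] = ts + ttl
    return direct, cached

if __name__ == "__main__":
    direct, cached = simulate(SAMPLE_LOG)
    for zone in sorted(direct):
        print(f"{zone}: {direct[zone]} passed on without a cache, "
              f"{cached[zone]} with a {ASSUMED_TTL}s cache")
```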



RE: Excessive DNS Requests

2005-03-22 Thread Matthew.van.Eerde
David Brodbeck wrote:
> lister lynch wrote:
>> I checked the PDC of the domain (W2003), and it was running DNS for
>> forward and reverse lookup zones, as well as caching lookup.  There
>> shouldn't be any problem installing caching-nameserver on the FC box
>> as well, should there?
> 
> No, but why not just make the FC box use the PDC as its DNS server?

You could, but it might be faster - and save resources on the PDC - to run a 
caching name server on the FC box instead.  The FC box is going to look up all 
kinds of things that no-one in the domain will be remotely interested in.

Does the PDC query the root name servers directly (for domains it doesn't host) 
or does it use the ISP's name servers?

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 


Re: Excessive DNS Requests

2005-03-22 Thread David Brodbeck
lister lynch wrote:
> I checked the PDC of the domain (W2003), and it was running DNS for
> forward and reverse lookup zones, as well as caching lookup.  There
> shouldn't be any problem installing caching-nameserver on the FC box as
> well, should there?

No, but why not just make the FC box use the PDC as its DNS server?


Re: Excessive DNS Requests

2005-03-22 Thread lister lynch
On Tue, 2005-03-22 at 17:25, Kelson wrote:
> Bob McClure Jr wrote:
> > On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote:
> >>I can't give you specific instructions for FC1, but I know older versions of
> >>RedHat had a package specifically for this, all preconfigured.
> > 
> > I think it was pdnsd, but it appears not to be in the FC sets.  Google
> > for it.  It was very easy to set up.  I still use it.
> 
> I believe the package is just called caching-nameserver.  With FC you 
> should be able to just do "yum install caching-nameserver" and it'll 
> pull in bind and any other dependencies.

Thank you all for your prompt, knowledgeable replies.

I checked the PDC of the domain (W2003), and it was running DNS for
forward and reverse lookup zones, as well as caching lookup.  There
shouldn't be any problem installing caching-nameserver on the FC box as
well, should there?

Mike



Re: Excessive DNS Requests

2005-03-22 Thread David Brodbeck
Kelson wrote:
> Bob McClure Jr wrote:
>> On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote:
>>> I can't give you specific instructions for FC1, but I know older
>>> versions of
>>> RedHat had a package specifically for this, all preconfigured.
>>
>> I think it was pdnsd, but it appears not to be in the FC sets.  Google
>> for it.  It was very easy to set up.  I still use it.
>
> I believe the package is just called caching-nameserver.  With FC you
> should be able to just do "yum install caching-nameserver" and it'll
> pull in bind and any other dependencies.

That sounds familiar.
Sorry to be so vague, but it's been a while since I last ran RedHat.


Re: Excessive DNS Requests

2005-03-22 Thread Kelson
Bob McClure Jr wrote:
> On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote:
>> I can't give you specific instructions for FC1, but I know older versions of
>> RedHat had a package specifically for this, all preconfigured.
>
> I think it was pdnsd, but it appears not to be in the FC sets.  Google
> for it.  It was very easy to set up.  I still use it.

I believe the package is just called caching-nameserver.  With FC you
should be able to just do "yum install caching-nameserver" and it'll
pull in bind and any other dependencies.

--
Kelson Vibber
SpeedGate Communications 


Re: Excessive DNS Requests

2005-03-22 Thread Jonathan Nichols
lister lynch wrote:
> Our ISP, Covad, is periodically claiming that we have excessive DNS
> requests and is threatening to turn off our service.  It's primarily due
> to SA, I think.  Looked around for answers, and already set a bunch of
> the BL checks to 0.0 to turn off the rules.  Any idea how to further
> prevent the excessive DNS requests?

I'll echo what the others have said - caching-only DNS server will work. 
FC1 comes with BIND, iirc.

Do you also have a bunch of clients behind the firewall? Setting up a 
caching DNS server might be a good idea for your LAN in general. You can 
point the PC clients to the DNS server and hopefully make Covad happy. :)

I'm wondering how many requests they consider to be "excessive" tho..


Re: Excessive DNS Requests

2005-03-22 Thread Bob McClure Jr
On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote:
> On Tue, 22 Mar 2005 15:49:01 -0500, lister lynch wrote
> > Our ISP, Covad, is periodically claiming that we have excessive DNS
> > requests and is threatening to turn off our service.  It's primarily 
> > due to SA, I think.  Looked around for answers, and already set a 
> > bunch of the BL checks to 0.0 to turn off the rules.  Any idea how 
> > to further prevent the excessive DNS requests?
> 
> Run your own caching DNS server.  A side benefit will be faster DNS lookups. 
> You'll be able to turn your DNS-based blacklists back on, too.
> 
> I can't give you specific instructions for FC1, but I know older versions of
> RedHat had a package specifically for this, all preconfigured.

I think it was pdnsd, but it appears not to be in the FC sets.  Google
for it.  It was very easy to set up.  I still use it.

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED]  http://www.bobcatos.com
Worry is a waste of the imagination.


Re: Excessive DNS Requests

2005-03-22 Thread David Brodbeck
On Tue, 22 Mar 2005 15:49:01 -0500, lister lynch wrote
> Our ISP, Covad, is periodically claiming that we have excessive DNS
> requests and is threatening to turn off our service.  It's primarily 
> due to SA, I think.  Looked around for answers, and already set a 
> bunch of the BL checks to 0.0 to turn off the rules.  Any idea how 
> to further prevent the excessive DNS requests?

Run your own caching DNS server.  A side benefit will be faster DNS lookups. 
You'll be able to turn your DNS-based blacklists back on, too.

I can't give you specific instructions for FC1, but I know older versions of
RedHat had a package specifically for this, all preconfigured.



Re: Excessive DNS Requests

2005-03-22 Thread brianmas
Quoting Matt Kettler <[EMAIL PROTECTED]>:

> lister lynch wrote:
>
> >Our ISP, Covad, is periodically claiming that we have excessive DNS
> >requests and is threatening to turn off our service.  It's primarily due
> >to SA, I think.  Looked around for answers, and already set a bunch of
> >the BL checks to 0.0 to turn off the rules.  Any idea how to further
> >prevent the excessive DNS requests?
> >
> >Setup:
> >SA running on FC1 as firewall, passing mail thru to an Exchange server
> >on the inside.
> >
> >Thanks a bunch for any insight,
> >Mike
> >
> >
> >
>
> Don't bother setting them all to 0. That works, but there's a much
> easier way to turn off all the RBL tests in one shot:
> in /etc/mail/spamassassin/local.cf add:
>
> skip_rbl_checks 1
>
> Another option is to just force ALL network tests to be off. Add the -L
> flag to spamd or spamassassin (depending on which one you use).
>
> Of course, my question is if you are a network of any reasonable size,
> why are you using your ISP's DNS servers for resolution and not your own
> local DNS resolver? (And even if you are a "small fry" you might
> consider having a caching-only local nameserver)

Setting up local cache is great for performance (once you start hitting the
cache) as well. Simplest thing to set up.

djbdns or bind are the 2 I use, I prefer the former for simplicity and small
foot print but this is no place for a DNS religious war, use what you know or
someone is willing to help you with.

brian




Re: Excessive DNS Requests

2005-03-22 Thread Matt Kettler
lister lynch wrote:

>Our ISP, Covad, is periodically claiming that we have excessive DNS
>requests and is threatening to turn off our service.  It's primarily due
>to SA, I think.  Looked around for answers, and already set a bunch of
>the BL checks to 0.0 to turn off the rules.  Any idea how to further
>prevent the excessive DNS requests?
>
>Setup:
>SA running on FC1 as firewall, passing mail thru to an Exchange server
>on the inside.
>
>Thanks a bunch for any insight,
>Mike
>
>  
>

Don't bother setting them all to 0. That works, but there's a much
easier way to turn off all the RBL tests in one shot:
in /etc/mail/spamassassin/local.cf add:

skip_rbl_checks 1

Another option is to just force ALL network tests to be off. Add the -L
flag to spamd or spamassassin (depending on which one you use).

Of course, my question is if you are a network of any reasonable size,
why are you using your ISP's DNS servers for resolution and not your own
local DNS resolver? (And even if you are a "small fry" you might
consider having a caching-only local nameserver)



Re: Excessive DNS Requests

2005-03-22 Thread Rick Macdougall
lister lynch wrote:
> Our ISP, Covad, is periodically claiming that we have excessive DNS
> requests and is threatening to turn off our service.  It's primarily due
> to SA, I think.  Looked around for answers, and already set a bunch of
> the BL checks to 0.0 to turn off the rules.  Any idea how to further
> prevent the excessive DNS requests?
>
> Setup:
> SA running on FC1 as firewall, passing mail thru to an Exchange server
> on the inside.
>
> Thanks a bunch for any insight,

Hi,

Run a local caching DNS server ?  Is Covad complaining about you hitting
their DNS to do the lookups or something else ?

Regards,
Rick


Re: Excessive DNS Requests

2005-03-22 Thread Morris Jones
lister lynch wrote:
> Our ISP, Covad, is periodically claiming that we have excessive DNS
> requests and is threatening to turn off our service.  It's primarily due
> to SA, I think.  Looked around for answers, and already set a bunch of
> the BL checks to 0.0 to turn off the rules.  Any idea how to further
> prevent the excessive DNS requests?

Put your own caching DNS on your mail server, so you're not always
banging Covad's DNS.  Your spam checks will run a lot faster, too.

Cheers,
Mojo
--
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers: http://www.otastro.org


Excessive DNS Requests

2005-03-22 Thread lister lynch
Our ISP, Covad, is periodically claiming that we have excessive DNS
requests and is threatening to turn off our service.  It's primarily due
to SA, I think.  Looked around for answers, and already set a bunch of
the BL checks to 0.0 to turn off the rules.  Any idea how to further
prevent the excessive DNS requests?

Setup:
SA running on FC1 as firewall, passing mail thru to an Exchange server
on the inside.

Thanks a bunch for any insight,
Mike