Mailing List Archive: SpamAssassin: users

SpamTips.org: Why run your own DNS server?


wtogami at gmail

Jul 4, 2011, 3:46 AM

Post #1 of 18
SpamTips.org: Why run your own DNS server?

Hey folks,

http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
I wrote this article about why it can be important to run your own DNS
server if you have a busy Spamassassin deployment.

Anyone have any better tips of an alternate DNS resolver, or
configuration options to improve this suggested configuration?

http://www.spamtips.org/p/ultimate-setup-guide.html
Please see my Ultimate Setup Guide for all the latest tweaks to maximize
your Spamassassin effectiveness and safety. Do you have any tips or
tricks that are not mentioned here?

https://admin.fedoraproject.org/mailman/listinfo/spamassassin-news
Subscribe here for my Spamassassin for Sysadmins Newsletter

Thanks,
Warren Togami
warren [at] togami


support-spamassassin at oeko

Jul 4, 2011, 3:58 AM

Post #2 of 18
Re: SpamTips.org: Why run your own DNS server?

Hi Warren,

On Mon, 04.07.2011 at 00:46:15 -1000, Warren Togami Jr. <wtogami [at] gmail> wrote:
> http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
>
> Anyone have any better tips of an alternate DNS resolver, or
> configuration options to improve this suggested configuration?

while I do agree that it is generally a very good idea to run your own
DNS resolver, even if you have less than one mail per day, I am
thoroughly unconvinced about the qualities of PowerDNS. I do have a
suggested alternative, though.

http://unbound.net/

This server doesn't go in for proprietary changes to the DNS protocol (like
inventing new record types that no one else understands), but
concentrates on delivering DNS according to the latest specs instead.


You can most likely install this software via your favourite package
management system.



Kind regards,
--Toni++


wtogami at gmail

Jul 4, 2011, 4:03 AM

Post #3 of 18
Re: SpamTips.org: Why run your own DNS server?

On 7/4/2011 12:58 AM, Toni Mueller wrote:
>
> Hi Warren,
>
> On Mon, 04.07.2011 at 00:46:15 -1000, Warren Togami Jr.<wtogami [at] gmail> wrote:
>> http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
>>
>> Anyone have any better tips of an alternate DNS resolver, or
>> configuration options to improve this suggested configuration?
>
> while I do agree that it is generally a very good idea to run your own
> DNS resolver, even if you have less than one mail per day, I am
> thoroughly unconvinced about the qualities of PowerDNS. I do have a
> suggested alternative, though.
>
> http://unbound.net/
>
> This server doesn't go in for proprietary changes to the DNS protocol (like
> inventing new record types that no one else understands), but
> concentrates on delivering DNS according to the latest specs instead.

I heard others recommend unbound, but I haven't tried it yet. Is it
more RAM efficient than other alternatives, and fast?

I don't believe pdns-recursor is guilty of this particular complaint as
it is ONLY a recursor?

Warren


sca at andreasschulze

Jul 4, 2011, 4:10 AM

Post #4 of 18
Re: SpamTips.org: Why run your own DNS server?

Warren,

> Anyone have any better tips of an alternate DNS resolver, or
> configuration options to improve this suggested configuration?

please distinguish between DNS server and recursive+caching resolver.
The HowTo means the second one...

http://en.wikipedia.org/wiki/Domain_Name_System#Name_servers


other resolvers installable by users are
- unbound ( http://unbound.net )
- dnscache ( http://cr.yp.to/dnscache.html )
- bind (off course)
- http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

--
Andreas Schulze


support-spamassassin at oeko

Jul 4, 2011, 4:15 AM

Post #5 of 18
Re: SpamTips.org: Why run your own DNS server?

Hi Warren,

On Mon, 04.07.2011 at 01:03:46 -1000, Warren Togami Jr. <wtogami [at] gmail> wrote:
> I heard others recommend unbound, but I haven't tried it yet. Is it
> more RAM efficient than other alternatives, and fast?

I haven't specifically conducted tests about its memory efficiency, but
I do use it on several servers of mine, and of customers, too. It is an
ISP style DNS server, and subjectively runs quite fast. But I don't use
DNSSEC...

For us, unbound is the natural successor of dnscache, which was
excellent in its day, but (imho) doesn't seem to keep up with today's
growing wishlist of features (eg. IPv6 support), unless you're ready
for some serious hackery.

> I don't believe pdns-recursor is guilty of this particular complaint
> as it is ONLY a recursor?

Well, together with the auth server it creates an "ecosystem" with
some (limited) vendor lock-in capability.


Kind regards,
--Toni++


me at junc

Jul 4, 2011, 4:19 AM

Post #6 of 18
Re: SpamTips.org: Why run your own DNS server?

On Mon, 04 Jul 2011 00:46:15 -1000, Warren Togami Jr. wrote:

>
> http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
> I wrote this article about why it can be important to run your own
> DNS server if you have a busy Spamassassin deployment.

okay, one asked :)

1: do not add forwarders in the global named.conf

if one does this, the risk is that e.g. one's ISP does not pay Spamhaus, or
simply blocks domains via hijacking, or even DNSSEC is gone

2: make sure your "root" hint zone file is less than 30 days old

this file can be fetched via ftp

3: check that port 53 is open both on tcp and udp

4: use nameserver 127.0.0.1 in resolv.conf

5: make progress to get IPv6; that will help to get more DNS responses
from IPv6-only DNS servers and also help spread load on DNS

the last one can be ignored if you want to
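The checklist above, turned into a file-side audit as an added example (not code from the thread or from any of the posters): it lints a named.conf for a forwarders clause in the global options block while leaving per-zone forwarders alone, checks the age of the root hints file, confirms resolv.conf sends lookups to the loopback daemon, and probes for UDP and TCP listeners on port 53. The fixture files, their paths and the 192.0.2.x and 127.0.0.1 addresses are constructed for the demonstration; the port probe relies on iproute2's ss and reports "unknown" when ss is absent.

```shell
#!/bin/sh
# Added example, not from the thread: audits the file-side items of the
# checklist above against constructed fixtures. All paths and addresses
# (192.0.2.x, 127.0.0.1) are assumptions for the demonstration.

# 1. A "forwarders" clause in the global options { } block hands every
#    query to the upstream (usually ISP) resolver, which may not be allowed
#    to query paid DNSBLs, may hijack NXDOMAIN, and drops DNSSEC validation.
#    Per-zone forwarders (e.g. a BL zone sent to a local rbldnsd) are left
#    alone. Returns 0 when the global block is clean.
no_global_forwarders() {    # $1 = path to named.conf
    awk '
        { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }
        depth == 0 && /^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1 }
        inopt && depth == 1 && /^[[:space:]]*forwarders/     { found = 1 }
        { depth += opens - closes; if (inopt && depth == 0) inopt = 0 }
        END { exit found ? 1 : 0 }' "$1"
}

# 2. Root hints older than 30 days may list retired root-server addresses;
#    refresh the file from the InterNIC ftp site. 0 = fresh enough.
root_hints_fresh() {        # $1 = hints file, $2 = max age in days (default 30)
    [ -f "$1" ] || return 1
    # find prints the path only when it was modified more than $2 days ago
    [ -z "$(find "$1" -mtime +"${2:-30}" -print)" ]
}

# 3. SpamAssassin's lookups must go to the daemon on this host: the first
#    nameserver in resolv.conf has to be a loopback address.
resolver_is_local() {       # $1 = path to resolv.conf
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "127.0.0.1" ] || [ "$first" = "::1" ]
}

# 4. Port 53 must be open on UDP and TCP (truncated answers and large
#    DNSSEC responses retry over TCP). Uses iproute2's ss; returns 2 when
#    ss is missing so the caller can tell "unknown" from "closed".
port53_listening() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -lnu 2>/dev/null | grep -q ':53[[:space:]]' &&
        ss -lnt 2>/dev/null | grep -q ':53[[:space:]]'
}

# Constructed fixtures standing in for the real files; prints their directory.
make_fixtures() {
    d=$(mktemp -d)
    cat >"$d/named.bad.conf" <<'EOF'
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };
    listen-on port 53 { 127.0.0.1; };
};
zone "." { type hint; file "named.root"; };
EOF
    cat >"$d/named.good.conf" <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; };
};
zone "multi.surbl.org" { type forward; forwarders { 127.0.0.1 port 530; }; };
zone "." { type hint; file "named.root"; };
EOF
    printf '.  3600000  NS  A.ROOT-SERVERS.NET.\n' >"$d/fresh.root"
    cp "$d/fresh.root" "$d/stale.root"
    touch -t 201107040000 "$d/stale.root"   # mtime in July 2011: long past 30 days
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' >"$d/resolv.local"
    printf 'nameserver 192.0.2.53\n' >"$d/resolv.remote"
    echo "$d"
}

report() {                  # $1 = label, rest = check; prints PASS/FAIL/UNKNOWN
    label=$1; shift
    "$@"; rc=$?
    case $rc in 0) echo "PASS    $label" ;; 2) echo "UNKNOWN $label" ;; *) echo "FAIL    $label" ;; esac
}

fixtures=$(make_fixtures)
report "named.bad.conf has no global forwarders"  no_global_forwarders "$fixtures/named.bad.conf"
report "named.good.conf has no global forwarders" no_global_forwarders "$fixtures/named.good.conf"
report "fresh.root is under 30 days old"          root_hints_fresh     "$fixtures/fresh.root"
report "stale.root is under 30 days old"          root_hints_fresh     "$fixtures/stale.root"
report "resolv.local uses 127.0.0.1 first"        resolver_is_local    "$fixtures/resolv.local"
report "resolv.remote uses 127.0.0.1 first"       resolver_is_local    "$fixtures/resolv.remote"
report "port 53 listening on udp and tcp"         port53_listening
rm -rf "$fixtures"
```

Run as-is to see the fixtures classified (the bad named.conf, the stale hints file and the remote-only resolv.conf all come back FAIL); on a real host point the four check functions at /etc/named.conf, the hints file named there, and /etc/resolv.conf. The named.good.conf fixture deliberately forwards one blacklist zone to a local rbldnsd on port 530 to show that per-zone forwarding is not flagged; only a forwarders clause in the global options block is.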


axb.lists at gmail

Jul 4, 2011, 4:23 AM

Post #7 of 18
Re: SpamTips.org: Why run your own DNS server?

On 2011-07-04 13:15, Toni Mueller wrote:
>> I don't believe pdns-recursor is guilty of this particular complaint
>> as it is ONLY a recursor?
>
> Well, together with the auth server it creates an "ecosystem" with
> some (limited) vendor lock-in capability.

"vendor lock-in" ? be explicit, please.


jeffc at surbl

Jul 4, 2011, 4:34 AM

Post #8 of 18
Re: SpamTips.org: Why run your own DNS server?

On Monday, July 4, 2011, 3:46:15 AM, Warren Jr. wrote:
> Hey folks,

> http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
> I wrote this article about why it can be important to run your own DNS
> server if you have a busy Spamassassin deployment.

> Anyone have any better tips of an alternate DNS resolver, or
> configuration options to improve this suggested configuration?

> http://www.spamtips.org/p/ultimate-setup-guide.html
> Please see my Ultimate Setup Guide for all the latest tweaks to maximize
> your Spamassassin effectiveness and safety. Do you have any tips or
> tricks that are not mentioned here?

Hi Warren,
I'd suggest adding something about using rbldnsd to serve lists
locally. That's usually even faster than having your own
resolver, and for many different reasons it's how medium to large
systems should do things.

See:

http://www.surbl.org/surbl-nameserver-setup

and:

http://www.surbl.org/links#mirrors

Cheers,

Jeff C.
--
Jeff Chan
mailto:jeffc [at] surbl
http://www.surbl.org/


axb.lists at gmail

Jul 4, 2011, 4:52 AM

Post #9 of 18
Re: SpamTips.org: Why run your own DNS server?

On 2011-07-04 12:46, Warren Togami Jr. wrote:
> Hey folks,
>
> http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
> I wrote this article about why it can be important to run your own DNS
> server if you have a busy Spamassassin deployment.
>
> Anyone have any better tips of an alternate DNS resolver, or
> configuration options to improve this suggested configuration?

Warren

Sadly, your post has unleashed a sequel of pretty useless hints & rants.

"There is a drawback to running pdns-recursor. The above pdns-recursor
instance is using ~400MB of memory. If you cannot afford this kind of
memory use, you can reduce the limits in options max-cache-entries and
max-packetcache-entries in /etc/pdns-recursor/recursor.conf as
documented upstream. You will need to find a balance between memory use
and effective cache hit performance."

A small site will never use 400MB of DNS caching... don't scare ppl
unnecessarily :)
Larger sites already do local recursion and have the iron to do it.
(other recursors will also use a lot of memory under high-ish load)

Be careful when endorsing:

"For example, DNS results of DNSBL and URIBL's are very transient in
nature with tiny TTL's, so perhaps we could substantially reduce memory
usage by forcing max-cache-ttl and max-negative-ttl to a much smaller
duration. It also appears that the packetcache is far more effective
than the cache at achieving hits, so we may be better off favoring the
packetcache rather than the memory hogging and less effective cache."

Reducing negative TTL time should ONLY be done if the user runs *local*
copies of most of the queried BLs, otherwise he may hit BL abuse
threshold way earlier.

BLs generally adjust their negative TTL to get a practical balance
between query load and positive hits.
Gaming these settings can become a costly process.

Axb
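As an added example serving both Jeff's rbldnsd suggestion and Axb's warning above (not code from the thread, from PowerDNS or from SURBL): a small linter for a pdns-recursor recursor.conf that accepts a shortened max-negative-ttl only when every blacklist zone has a forward-zones entry pointing at an rbldnsd instance on loopback, since any other zone would be re-asked from the list's public mirrors at the shortened interval. max-negative-ttl, max-cache-ttl, max-cache-entries, max-packetcache-entries and forward-zones are real pdns-recursor options; the list of blacklist zones, the 300-second floor, the rbldnsd address 127.0.0.1:530 and the three config fixtures are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from PowerDNS: lints a pdns-recursor
# recursor.conf for the trade-off described above. Shortening
# max-negative-ttl below what a blacklist publishes makes the recursor
# re-ask the list's public mirrors at the shorter interval, so it is only
# acceptable for zones forwarded to an rbldnsd copy on this host.
# Real options: max-negative-ttl, max-cache-ttl, max-cache-entries,
# max-packetcache-entries, forward-zones. Assumed for the demo: the zone
# list, the 300 s floor, rbldnsd on 127.0.0.1:530, the three fixtures.

BL_ZONES="zen.spamhaus.org dbl.spamhaus.org multi.surbl.org multi.uribl.com"
TTL_FLOOR=300   # below this we insist on a local copy (assumed threshold)

conf_value() {              # $1 = file, $2 = option name; prints the last value set
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# forward-zones=zone=ip[:port], zone=ip[:port] ...  ->  one "zone ip" per line
# (IPv4 targets only; an IPv6 target would need different port stripping)
local_forward_zones() {     # $1 = file
    conf_value "$1" forward-zones | tr ',' '\n' |
        awk -F= 'NF == 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2); sub(/:.*/, "", $2)
            print $1, $2 }'
}

is_loopback() {             # a LAN rbldnsd would need its own allow-list
    case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# 0 = safe (override absent, not below the floor, or every BL zone served
# locally); 1 = the override would raise query load on public BL mirrors.
negative_ttl_safe() {       # $1 = recursor.conf
    neg=$(conf_value "$1" max-negative-ttl)
    if [ -z "$neg" ] || [ "$neg" -ge "$TTL_FLOOR" ]; then
        return 0
    fi
    zones=$(local_forward_zones "$1")
    bad=0
    for zone in $BL_ZONES; do
        target=$(printf '%s\n' "$zones" | awk -v z="$zone" '$1 == z { print $2; exit }')
        if [ -z "$target" ] || ! is_loopback "$target"; then
            echo "max-negative-ttl=$neg but $zone would still hit public mirrors" >&2
            bad=1
        fi
    done
    return $bad
}

make_recursor_fixtures() {  # constructed configs; prints their directory
    d=$(mktemp -d)
    printf 'local-address=127.0.0.1\n' >"$d/recursor.default.conf"
    # Risky: cache trimmed for RAM, TTLs shortened, BLs still asked publicly
    cat >"$d/recursor.risky.conf" <<'EOF'
local-address=127.0.0.1
max-cache-entries=200000
max-packetcache-entries=100000
max-cache-ttl=60
max-negative-ttl=60
EOF
    # Mirrored: same knobs, but every BL zone goes to rbldnsd on loopback
    cat >"$d/recursor.mirrored.conf" <<'EOF'
local-address=127.0.0.1
max-cache-entries=200000
max-packetcache-entries=100000
max-cache-ttl=60
max-negative-ttl=60
forward-zones=zen.spamhaus.org=127.0.0.1:530, dbl.spamhaus.org=127.0.0.1:530, multi.surbl.org=127.0.0.1:530, multi.uribl.com=127.0.0.1:530
EOF
    echo "$d"
}

fixtures=$(make_recursor_fixtures)
for name in default risky mirrored; do
    if negative_ttl_safe "$fixtures/recursor.$name.conf"; then
        echo "recursor.$name.conf: ok"
    else
        echo "recursor.$name.conf: shortened negative TTL would hammer public BL mirrors"
    fi
done
rm -rf "$fixtures"
```

Run as-is to see the three fixtures classified; point negative_ttl_safe at a real /etc/pdns-recursor/recursor.conf to lint a live deployment. The linter does not know the negative TTL each list actually publishes, so the floor is a conservative guess; the check that matters is whether the recursor asks a local copy or a public mirror, and the memory knobs (max-cache-entries, max-packetcache-entries) are left for the operator to size.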


wtogami at gmail

Jul 4, 2011, 5:11 AM

Post #10 of 18
Re: SpamTips.org: Why run your own DNS server?

On 7/4/2011 1:52 AM, Axb wrote:
> On 2011-07-04 12:46, Warren Togami Jr. wrote:
>> Hey folks,
>>
>> http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
>> I wrote this article about why it can be important to run your own DNS
>> server if you have a busy Spamassassin deployment.
>>
>> Anyone have any better tips of an alternate DNS resolver, or
>> configuration options to improve this suggested configuration?
>
> Warren
>
> Sadly, your post has unleashed a sequel of pretty useless hints & rants.
>
> "There is a drawback to running pdns-recursor. The above pdns-recursor
> instance is using ~400MB of memory. If you cannot afford this kind of
> memory use, you can reduce the limits in options max-cache-entries and
> max-packetcache-entries in /etc/pdns-recursor/recursor.conf as
> documented upstream. You will need to find a balance between memory use
> and effective cache hit performance."
>
> A small site will never use 400MB of DNS caching... don't scare ppl
> unnecessarily :)
> Larger sites already do local recursion and have the iron to do it.
> (other recursors will also use a lot of memory under high-ish load)

I am not 100% certain about this, but it appears that pdns-recursor is
tuned to "normal" patterns of DNS lookups (like web browsing or maybe a
squid proxy server). It is caching a large amount of useless data,
evidenced by the piss terrible cache hit ratio. My in-brain logic
without testing suggested that timing out most of that nearly-useless
cache may shrink memory usage considerably without making that poor
cache hit ratio much worse, since more recent data is often more
relevant. That is my theory anyway. I'm testing that now.

>
> Be careful when endorsing:
>
> "For example, DNS results of DNSBL and URIBL's are very transient in
> nature with tiny TTL's, so perhaps we could substantially reduce memory
> usage by forcing max-cache-ttl and max-negative-ttl to a much smaller
> duration. It also appears that the packetcache is far more effective
> than the cache at achieving hits, so we may be better off favoring the
> packetcache rather than the memory hogging and less effective cache."
>
> Reducing negative TTL time should ONLY be done if the user runs *local*
> copies of most of the queried BLs, otherwise he may hit BL abuse
> threshold way earlier.
>
> BLs generally adjust their negative TTL to get a practical balance
> between query load and positive hits.
> Gaming these settings can become a costly process.
>
> Axb

Good point, I'll remove that paragraph for now and actually test that
theory myself to see how it affects the actual hit/miss ratio.

Warren


wtogami at gmail

Jul 4, 2011, 5:14 AM

Post #11 of 18
Re: SpamTips.org: Why run your own DNS server?

On 7/4/2011 1:52 AM, Axb wrote:
> A small site will never use 400MB of DNS cacheing... don't scare ppl
> unnecessarily :)
> Larger sites already do local recursion and have the iron to to it.
> (other recursors will also use a lot of memory under high-ish load)

It is also possible that pdns-recursor just sucks and I should be trying
other daemons. I will try unbound next.

Warren


uhlar at fantomas

Jul 4, 2011, 6:37 AM

Post #12 of 18
Re: SpamTips.org: Why run your own DNS server?

On 04.07.11 00:46, Warren Togami Jr. wrote:
>http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
>I wrote this article about why it can be important to run your own
>DNS server if you have a busy Spamassassin deployment.

it CAN but it doesn't always have to be.
We provide 6 DNS servers (behind 2 L3 switches), with forwarders set to
our local mirrors for some RBL's.

The point is the reachability and RTT.
--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.


support-spamassassin at oeko

Jul 4, 2011, 11:35 AM

Post #13 of 18
Re: SpamTips.org: Why run your own DNS server?

Hi,

On Mon, 04.07.2011 at 13:23:42 +0200, Axb <axb.lists [at] gmail> wrote:
> >Well, together with the auth server it creates an "ecosystem" with
> >some (limited) vendor lock-in capability.
>
> "vendor lock-in" ? be explicit, please.

last I looked PowerDNS highlighted some custom DNS RR types (on the
wire) that were not usable with any other software. Migrating from one
DNS server package to another is imho difficult enough without that
already.


Kind regards,
--Toni++


jorn at wcborstel

Jul 4, 2011, 12:19 PM

Post #14 of 18
Re: SpamTips.org: Why run your own DNS server?

On 4-7-2011 20:35, Toni Mueller wrote:
> Hi,
>
> On Mon, 04.07.2011 at 13:23:42 +0200, Axb<axb.lists [at] gmail> wrote:
>>> Well, together with the auth server it creates an "ecosystem" with
>>> some (limited) vendor lock-in capability.
>> "vendor lock-in" ? be explicit, please.
> last I looked PowerDNS highlighted some custom DNS RR types (on the
> wire) that were not usable with any other software. Migrating from one
> DNS server package to another is imho difficult enough without that
> already.
>
>
> Kind regards,
> --Toni++
Well, if you're concerned about that then don't use the custom RR types
that PowerDNS provides. I don't really see the fuss about it and saying
it's vendor lock-in is simply not true. It's just some non-standard RR
types and that's that. You're not being forced to use them or anything.

Regards,
Jorn


J.Ede at birchenallhowden

Jul 5, 2011, 12:18 AM

Post #15 of 18
RE: SpamTips.org: Why run your own DNS server?

> -----Original Message-----
> From: Andreas Schulze [mailto:sca [at] andreasschulze]
> Sent: 04 July 2011 12:11
> To: Warren Togami Jr.
> Cc: users [at] spamassassin
> Subject: Re: SpamTips.org: Why run your own DNS server?
>
> Warren,
>
> > Anyone have any better tips of an alternate DNS resolver, or
> > configuration options to improve this suggested configuration?
>
> please distinguish between DNS server and recursive+caching resolver.
> The HowTo meen the second one...
>
> http://en.wikipedia.org/wiki/Domain_Name_System#Name_servers
>
>
> other resolvers installable by users are
> - unbound ( http://unbound.net )
> - dnscache ( http://cr.yp.to/dnscache.html )
> - bind (off course)
> - http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
>
> --
> Andreas Schulze
[]
Oops... meant to reply to list.

Are there any figures on the relative merits/speeds of these servers? Bind is the default on at least redhat based installations.

Jason


support-spamassassin at oeko

Jul 5, 2011, 1:30 AM

Post #16 of 18
Re: SpamTips.org: Why run your own DNS server?

Hi,

On Tue, 05.07.2011 at 07:18:30 +0000, Jason Ede <J.Ede [at] birchenallhowden> wrote:
> Andreas Schulze [mailto:sca [at] andreasschulze] wrote:
> > - bind (off course)

although I'm sure that it was meant in a different way, "off course"
hits the nail right onto the head, imnsho.

> Are there any figures on the relative merits/speeds of these servers?
> Bind is the default on at least redhat based installations.

Bind has the following widely acknowledged properties:

* a plethora of security problems across all versions
* generates high system loads
* notoriously hard to configure
* (also partially) their own brand of DNS standards
* and an a**h*le style support ("pay through your nose, and you'll get
security fixes x months in advance")

Therefore, at least some people are striving to replace Bind with other
software. Although I'm far from intimate to the decision, OpenBSD has
imported NSD into their base quite some time ago, and ships it with
their current release 4.9 in the base system. Afaik, the plan is to
deprecate Bind some time down the road. NSD is by the same guys who
(later) wrote unbound, and it was, afair, partially funded by RIPE.

Subjectively, and without any kind of benchmarking, I can only say that
both dnscache and unbound perform at least five, but probably more like
ten times as fast as Bind does.


Kind regards,
--Toni++


per at computer

Jul 5, 2011, 10:21 AM

Post #17 of 18
Re: SpamTips.org: Why run your own DNS server?

Jeff Chan wrote:

> On Monday, July 4, 2011, 3:46:15 AM, Warren Jr. wrote:
>> Hey folks,
>
>>
http://www.spamtips.org/2011/07/spamassassin-why-run-your-own-dns.html
>> I wrote this article about why it can be important to run your own
>> DNS server if you have a busy Spamassassin deployment.
>
>> Anyone have any better tips of an alternate DNS resolver, or
>> configuration options to improve this suggested configuration?
>
>> http://www.spamtips.org/p/ultimate-setup-guide.html
>> Please see my Ultimate Setup Guide for all the latest tweaks to
>> maximize
>> your Spamassassin effectiveness and safety. Do you have any tips or
>> tricks that are not mentioned here?
>
> Hi Warren,
> I'd suggest adding something about using rbldnsd to serve lists
> locally. That's usually even faster than having your own
> resolver, and for many different reasons it's how medium to large
> systems should do things.

+1


/Per Jessen, Zürich


underspell at gmail

Jul 5, 2011, 11:46 AM

Post #18 of 18
Re: SpamTips.org: Why run your own DNS server?

Got this table from this very nice book (
http://www.amazon.com/Alternative-DNS-Servers-Deployment-Back-Ends/dp/0954452992/ref=sr_1_1?ie=UTF8&qid=1309891205&sr=8-1).
It's a bit outdated ( well, not for dnscache :p ) but you can have an
idea.

José Borges Ferreira



On Tue, Jul 5, 2011 at 8:18 AM, Jason Ede <J.Ede [at] birchenallhowden>wrote:

> > -----Original Message-----
> > From: Andreas Schulze [mailto:sca [at] andreasschulze]
> > Sent: 04 July 2011 12:11
> > To: Warren Togami Jr.
> > Cc: users [at] spamassassin
> > Subject: Re: SpamTips.org: Why run your own DNS server?
> >
> > Warren,
> >
> > > Anyone have any better tips of an alternate DNS resolver, or
> > > configuration options to improve this suggested configuration?
> >
> > please distinguish between DNS server and recursive+caching resolver.
> > The HowTo meen the second one...
> >
> > http://en.wikipedia.org/wiki/Domain_Name_System#Name_servers
> >
> >
> > other resolvers installable by users are
> > - unbound ( http://unbound.net )
> > - dnscache ( http://cr.yp.to/dnscache.html )
> > - bind (off course)
> > - http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
> >
> > --
> > Andreas Schulze
> []
> Oops... meant to reply to list.
>
> Are there any figures on the relative merits/speeds of these servers? Bind
> is the default on at least redhat based installations.
>
> Jason
>
Attachments: screenshot_243.png (43.6 KB)
