PowerDNS Recursor 3.0 Feature Complete!

Posted by bert hubert Tue, 18 Apr 2006 22:26:00 GMT

Ahhhh, I’d thought I’d never make this. As mentioned previously, I’d been trying to convince myself and others for a while now that the PowerDNS recursor was nearly “done”. And I think it is “done” now.

Besides the stuff mentioned below, I added ‘server-id’ today, which allows you to query which exact server in a cluster you are talking to. Additionally, version.bind now also works on the recursor. Of course you can override it!

Then there is rec_control top-remotes which gives a list of the top-20 IP addresses which query you most.

Big things

Went to the in-laws yesterday, which involves a many-hour car drive, so I took the excellent Unix Network Programming (volume 1) with me; my brother-in-law drove most of the way.

I picked up two things:

  1. Connected connectionless sockets
  2. IPv6 address conversion techniques

Connected connectionless sockets

UDP, the protocol DNS uses most of the time, is connectionless, which means that questions are just sent, there is no connection setup or teardown. This has a lot of advantages, but there is also a downside. If we send a packet to a host that is unreachable, or has no nameserver running, we often get an ICMP packet that tells us so. However, as the socket is not connected, the kernel is not in a position to tell userspace about the error: which socket would it be for?

I knew one could connect(2) a UDP socket, but I thought it was just convenience, it saves some typing because there is less need to pass addresses around.

However, UNP informed me that once connected, these ICMP errors do get passed back to userspace. And since I raised the PowerDNS level of security, we have one socket per question anyhow, so we might as well connect.

And lo, when I hooked this up, 5% of outgoing queries now get an error instead of a timeout. This in turn means that we save a 2 second timeout in 5% of outgoing queries, which should translate into a measurable speedup in perceived DNS performance!

I then looked it up, djbdns already does this of course. For me there are enough reasons not to run djbdns/dnscache, but there is a lot of good stuff in there!

IPv6 address conversion

The BSD socket interface is protocol family agnostic, meaning you can use the same interface for IPv4, IPv6, DECNET and whatnot. In practice, this is not as easy as it sounds.

Previously, the PowerDNS recursor had some crude hacks to integrate IPv6, today I sat down to do it well, resulting in the ComboAddress, which is a union of a sockaddr_in and a sockaddr_in6, and has some helper functions to convert it from ‘network’ to ‘presentation’ format. With these functions, it was a breeze to convert the recursor to be fully IPv6 native.

One of the harder things to do was the IPv6 netmask matching code for the allow-from setting, but even that worked rather nicely.
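The union-plus-prefix-match idea described above, as an added example that is not PowerDNS's own code: `Addr`, `parseAddr` and `matches` are hypothetical names, and the addresses in `main` are constructed documentation-range samples. It compares whole bytes first and then masks the leftover high bits, which is what makes one routine serve both the 32-bit and the 128-bit case.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <string>

// Hypothetical stand-in for the ComboAddress idea: one object, either family.
union Addr {
  sockaddr_in v4;
  sockaddr_in6 v6;
  bool is6() const { return v4.sin_family == AF_INET6; }  // family field shares its offset
  const uint8_t* bytes() const { return is6() ? v6.sin6_addr.s6_addr : reinterpret_cast<const uint8_t*>(&v4.sin_addr); }
};

// Presentation -> network format. Returns false for anything inet_pton rejects.
bool parseAddr(const std::string& text, Addr& out) {
  std::memset(&out, 0, sizeof(out));
  bool v6 = text.find(':') != std::string::npos;
  void* dst = v6 ? static_cast<void*>(&out.v6.sin6_addr) : static_cast<void*>(&out.v4.sin_addr);
  if (inet_pton(v6 ? AF_INET6 : AF_INET, text.c_str(), dst) != 1) return false;
  out.v4.sin_family = v6 ? AF_INET6 : AF_INET;
  return true;
}

// True when client lies inside rule ("network/bits"; a bare address means a full-length mask).
// Families must agree, so an IPv4-mapped IPv6 client does not match an IPv4 rule here.
bool matches(const std::string& rule, const std::string& client) {
  size_t slash = rule.find('/');
  Addr net, addr;
  if (!parseAddr(rule.substr(0, slash), net) || !parseAddr(client, addr)) return false;
  if (net.is6() != addr.is6()) return false;
  unsigned long bits = net.is6() ? 128 : 32;
  if (slash != std::string::npos) {
    const char* s = rule.c_str() + slash + 1;
    char* end = nullptr;
    unsigned long n = std::strtoul(s, &end, 10);
    if (*s < '0' || *s > '9' || *end != '\0' || n > bits) return false;  // malformed rule: deny
    bits = n;
  }
  size_t full = bits / 8, rem = bits % 8;  // whole bytes, then the leftover high bits
  if (std::memcmp(net.bytes(), addr.bytes(), full) != 0) return false;
  if (rem == 0) return true;
  uint8_t mask = static_cast<uint8_t>(0xFF << (8 - rem));
  return (net.bytes()[full] & mask) == (addr.bytes()[full] & mask);
}

int main() { return matches("2001:db8::/32", "2001:db8:1234::1") ? 0 : 1; }
```

A malformed rule or prefix length fails closed: `matches` returns false rather than treating the rule as matching everything.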

There is a nice quote, often attributed to Antoine de Saint-Exupery:

“Perfection is achieved not when you have nothing more to add, but when you have nothing left to take away.”

I hope the ‘taking away’ part can start in PowerDNS from now on. I already removed the unsafe --single-socket bypass. Although this did have slightly higher performance, it brings down security.


Comments

  1. piotr said about 2 hours later:

    "I then looked it up, djbdns already does this of course. For me there are enough reasons not to run djbdns/dnscache, but there is a lot of good stuff in there!"

    Yes, that you have your own DNS software :)