Posted Dec 8, 2011 19:33 UTC (Thu) by job (guest, #670)
The super cheap hardware discussed here won't cut down on latency compared to your neighboring DNS server, especially when the CPU is taxed by routing many streams at once. The bigger DNS server will also have better caching, and more users to keep said cache warm. That's probably why most consumer broadband boxes just forward queries and are not really resolvers in their own right.
DNSSEC
Posted Dec 8, 2011 20:27 UTC (Thu) by mtaht (✭ supporter ✭, #11087)
Um, er, no, a 680 MHz 128MB wireless router caches DNS traffic, routes 500+Mbit streams, does a bit of AQM, and does various other things just fine without melting down. Since most of the time it's running a heck of a lot slower than that, caching DNS locally is a win.
Secondly, you still can (and should) use the upstream provider as a forwarder DNS; for example, Comcast's DNSSEC servers are usually less than 10 ms away. But in the home, your DNS server is .02ms away.
DNSSEC
Posted Dec 8, 2011 22:24 UTC (Thu) by Simetrical (guest, #53439)
Hmm. But the OS DNS cache is 0.001 ms away. Why isn't that good enough? I can see why you'd benefit from your own DNS server if you have a whole bunch of machines behind it, so they can pool the cache. But if it's just two or three clients, like in a typical home, what purpose does having a DNS server in the router serve?
DNSSEC
Posted Dec 9, 2011 0:57 UTC (Fri) by zlynx (subscriber, #2285)
Windows has an OS DNS cache. Oddly enough, it seems most Linux distros do not install a DNS cache by default. I'm not sure about Android.
I'm going to blame NetworkManager for this Linux situation. It used to be pretty easy to modify the network scripts to always point DNS to localhost. NetworkManager seems to make it far too difficult to configure a local DNS cache.
If you do figure that you need to add dns=dnsmasq to the configuration file, it turns out that dnsmasq is the only supported local cache, and then you find out that it couldn't possibly have been tested, as it crashes NetworkManager randomly (or possibly when two interfaces come up, or it might have something to do with VPNs, or maybe suspend/resume).
Really, the whole caching DNS is a lot easier to set up on the router.
DNSSEC
Posted Dec 11, 2011 19:08 UTC (Sun) by niner (subscriber, #26151)
> I'm going to blame NetworkManager for this Linux situation. It used to be pretty easy to modify the network scripts to always point DNS to localhost.
> NetworkManager seems to make it far too difficult to configure a local DNS cache.
On the KDE Network Management Plasmoid I just edit the connection and change the Method from "Automatic (DHCP)" to "Automatic (DHCP) addresses only" and type the IP address of my DNS server into the DNS Servers field, hit OK and be done. I find this much simpler than with the configuration method I used before NetworkManager. And I can change this per connection so that at home I use my local DNS while at work I use whatever the DHCP server gives me.
DNSSEC
Posted Dec 12, 2011 3:35 UTC (Mon) by zlynx (subscriber, #2285)
But how do you update the forwarding address in your DNS cache daemon?
DNSSEC
Posted Dec 8, 2011 20:53 UTC (Thu) by zlynx (subscriber, #2285)
Agree with mtaht.
I used to run my home network router on a dual Pentium 166. It did routing with IPv6 tunnels and QoS, Squid, DHCP, web server and BitTorrent.
It worked very well. The CPU in modern home routers (well, above the $60 level anyway) is much faster than that P166 was, so I expect it will do an even better job.
DNSSEC
Posted Dec 8, 2011 22:08 UTC (Thu) by dlang (✭ supporter ✭, #313)
There are some $30 single-band wifi routers with 400MHz CPUs and 64M RAM; they are probably fast enough to do this as well.