Picking a master from a list of returned IPs

phn at icke-reklam.ipsec.nu
Thu Aug 15 13:45:25 UTC 2002


J <usenet at linuxnuts.net> wrote:

> phn at icke-reklam.ipsec.nu wrote:
>> J <usenet at linuxnuts.net> wrote:
>> 
>> 
>>>Howdy all.  I'm trying to figure out how to make Bind9 pick
>>>(randomly?) an IP for a master on a zone that returns multiple IPs. 
>>>That's not worded very well.  Let me write it like this:
>> 
>> 
>>>I use the DNS blacklist zone relays.osirusoft.com to reject spam.
>> 
>> 
>>>zone "relays.osirusoft.com" {
>> 
>> 
>> if you want a copy you should ask joejared at osirusoft.com to become
>> a slave server, then he would give you one or two addresses to use
>> as masters.

> I asked Joe for bandwidth and hit stats for his slaves today.  I also 
> asked management if they'd be willing to do it.  It all depends on the 
> load it would impose on our bandwidth and servers.

>> Also see the comment on http://relays.osirusoft.com :
>> 
>> Notice: Zone transfers are only available to official Name Servers for Relays.OsiruSoft.com. Transfers may only be allowed if you are a large ISP or willing to act as an official name server.

> Pretty much all of the "official" slaves allow transfers.  That's the 
> way it works.  He runs a handful of masters.  Official slaves pull from 
> them.  The rest of us pull from those slaves.

>> Using a randomly chosen nameserver will stop at any moment ( if the owner 
>> stops zonetransfers ), then your spamfilter will break.

> Yep.  Seen it a number of times.  Some admins up and canned the zone. 
> Others stop updating their own copy and the rest of us find out the way 
> I did today.

>> The zone is huge, so you might end up with more traffic than just using it
>> via normal dns-lookups.

> There are a number of problems with doing this.  While my ISP isn't huge 
> (only 3500 users) we still handle about 45,000 pieces of mail per day. 
> A DNS query every 1.9 seconds is pretty often.  We also have problematic 
> I1 service.  We're getting tier-3 service from a tier-1 provider, qwest. 

As your analysis is correct the right answer is "it depends".

In your case you seem to be correct.

One could wish that osirusoft started to use IXFR  that could
reduce zonetransfer times dramatically while keeping slaves 
in sync.


>   We think it was a problem created by a buyout at some point and time. 
>   A trace out claims our next hop is qwest (funny), then 2 tamerica.net 
> hops, 5 hops of bbnplanet.com, and finally Sprint.  Occasionally they 
> throw in some Clueless and Whitless (cw.net) just to spice things up. 
> The connection between tamerica and bbnplanet.com is always saturated 
> mid-day.  That slows things like a simple ping to 300-1000ms.  Sucks. 
> We're working on this.  Our new mail server is loaded with RAM.  I'm 
> considering running named on that host and caching the 7 DNSBls I use. 
> Sendmail makes around 10 queries to the mail server for each piece of 
> mail it receives.  Keeping those queries local to the machine might 
> help.  If my MTA has to make those queries over the 'Net at large, I 
> think I could run into some serious problems.  At present I only use 
> DNSBls I can get a transfer of.  That's what we purchased from MAPS for 
> the DUL and RSS.  Works pretty well.

spamcop is another independent list that's pretty fast in listing 
new spammers. They run djdns however, so there is no hope on IXFR.


>> Using relays.osirusoft.com as spamfilter is an excellent way of preventing
>> your mailservers becoming a spam-toilet. Highly recommended !

> Absolutely.  I've been using it for over a year and love it.  While I 
> wouldn't have jumped on the SPEWS bandwagon in the beginning, I'm glad 
> it was part of the zone. :)

> Thanks for the input
>   J

Please come back with a report whatever you decide. Sharing experience 
about "howto stop spam" is A Good Thing.

Regards
-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

