deny option to specific hosts

Peter Rathlev peter at rathlev.dk
Mon Aug 20 16:02:33 UTC 2012


On Mon, 2012-08-20 at 17:22 +0200, Benny Pedersen wrote:
> Den 2012-08-20 17:18, Simon Hobson skrev:
> > While there are good reasons for putting a DNS server on each network (or 
> > at least on each site), it's not wrong to do otherwise.
> 
> yes it's valid, but it's not optimal, so I just pointed out that it could 
> be more optimal with the same iprange for optimal ping time to each server
> 
> the above makes one more network hop which gives one more bridge to step 
> over

By that account the optimal network would be one big flat L2 segment.
There are very good reasons for this not being the norm.

With modern ("hardware forwarding") network devices the extra latency
introduced by placing a server some hops away is negligible compared to
host processing of datagrams.

Compare these:

 # hping3 -q -S -p 53 -c 50 --fast 10.20.30.40
 HPING 10.20.30.40 (bond0 10.20.30.40): S set, 40 headers + 0 data bytes
 
 --- 10.20.30.40 hping statistic ---
 50 packets tramitted, 50 packets received, 0% packet loss
 round-trip min/avg/max = 0.9/0.9/0.9 ms


 # ping -q -i 0.1 -c 50 10.20.30.40
 PING 10.20.30.40 (10.20.30.40) 56(84) bytes of data.
 
 --- 10.20.30.40 ping statistics ---
 50 packets transmitted, 50 received, 0% packet loss, time 4900ms
 rtt min/avg/max/mdev = 0.359/0.383/0.778/0.062 ms


Too bad hping3 doesn't give a more precise result, but I assume the
uncertainty would be the last digit, i.e. a minimum result of at least
0.8ms. Compared to ICMP echo, which still counts the host processing,
that's a 0.3ms difference. Source and destination are in this case
placed 40 km apart with six L3 hops between them, two of these being
firewalls. I'll admit that TCP is probably more expensive than UDP but
keep in mind that the above does not include three way handshake, just
the time from SYN sent to SYN+ACK received.

There may be other reasons to have local nameservers. Mitigating
WAN-like latencies (e.g. 20ms and above) and adding resilience come to
mind.

-- 
Peter
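The two summaries above use different formats and different print resolutions (hping3 one decimal, iputils ping three), so comparing them by eye is error-prone. Here is an added example, not part of the thread, that parses both summary formats and reports the difference of the averages together with the rounding uncertainty of the coarser tool; the embedded sample text is constructed, modelled on the two runs quoted in the post.

```python
import re

# Constructed sample output, modelled on the hping3 and ping runs quoted above.
HPING3_OUTPUT = """\
HPING 10.20.30.40 (bond0 10.20.30.40): S set, 40 headers + 0 data bytes

--- 10.20.30.40 hping statistic ---
50 packets tramitted, 50 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms
"""

PING_OUTPUT = """\
PING 10.20.30.40 (10.20.30.40) 56(84) bytes of data.

--- 10.20.30.40 ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 4900ms
rtt min/avg/max/mdev = 0.359/0.383/0.778/0.062 ms
"""

# Both tools end with "min/avg/max[/mdev] = a/b/c[/d] ms"; the optional
# "/mdev" field is only printed by iputils ping.
STATS_RE = re.compile(
    r"min/avg/max(?:/mdev)?\s*=\s*([\d.]+)/([\d.]+)/([\d.]+)(?:/[\d.]+)?\s*ms")
LOSS_RE = re.compile(r"(\d+)% packet loss")


def parse_rtt(output):
    """Return min/avg/max in ms, the tool's print resolution in ms, and loss %."""
    m = STATS_RE.search(output)
    if m is None:
        raise ValueError("no rtt summary line found")
    lo, avg, hi = m.groups()
    # Resolution is inferred from the number of decimals the tool printed.
    decimals = len(lo.partition(".")[2])
    loss = LOSS_RE.search(output)
    return {"min": float(lo), "avg": float(avg), "max": float(hi),
            "resolution": 10.0 ** -decimals,
            "loss_pct": int(loss.group(1)) if loss else None}


def compare(tcp_syn, icmp):
    """Difference of the two averages; half a printed unit of the coarser
    tool is reported as the uncertainty of that difference."""
    delta = tcp_syn["avg"] - icmp["avg"]
    unc = max(tcp_syn["resolution"], icmp["resolution"]) / 2
    return {"delta_avg": delta, "uncertainty": unc,
            "delta_low": delta - unc, "delta_high": delta + unc}


if __name__ == "__main__":
    result = compare(parse_rtt(HPING3_OUTPUT), parse_rtt(PING_OUTPUT))
    print("TCP SYN minus ICMP avg: %.3f ms (+/- %.3f ms)"
          % (result["delta_avg"], result["uncertainty"]))
```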
