deny option to specific hosts
peter at rathlev.dk
Mon Aug 20 16:02:33 UTC 2012
On Mon, 2012-08-20 at 17:22 +0200, Benny Pedersen wrote:
> Den 2012-08-20 17:18, Simon Hobson skrev:
> > While there are good reasons for putting a DNS server on each network (or
> > at least on each site), it's not wrong to do otherwise.
> yes it's valid, but it's not optimal, so I just pointed out that it could
> be more optimal with the same IP range for optimal ping time to each server;
> the above makes one more network hop, which gives one more bridge to step
By that account the optimal network would be one big flat L2 segment.
There are very good reasons for this not being the norm.

With modern ("hardware forwarding") network devices the extra latency
introduced by placing a server some hops away is negligible compared to
host processing of datagrams.

# hping3 -q -S -p 53 -c 50 --fast 10.20.30.40
HPING 10.20.30.40 (bond0 10.20.30.40): S set, 40 headers + 0 data bytes
--- 10.20.30.40 hping statistic ---
50 packets tramitted, 50 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms

# ping -q -i 0.1 -c 50 10.20.30.40
PING 10.20.30.40 (10.20.30.40) 56(84) bytes of data.
--- 10.20.30.40 ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 4900ms
rtt min/avg/max/mdev = 0.359/0.383/0.778/0.062 ms

Too bad hping3 doesn't give a more precise result, but I assume the
uncertainty would be the last digit, i.e. a minimum result of at least
0.8ms. Compared to ICMP echo, which still counts the host processing,
that's a 0.3ms difference. Source and destination are in this case
placed 40 km apart with six L3 hops between them, two of these being
firewalls. I'll admit that TCP is probably more expensive than UDP but
keep in mind that the above does not include three way handshake, just
the time from SYN sent to SYN+ACK received.

There may be other reasons to have local nameservers. Mitigating
WAN-like latencies (e.g. 20ms and above) and adding resilience come to
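As an added example (not part of the original mail), a small Python script that parses the hping3 and iputils ping summary lines quoted above, compares the TCP SYN round-trip against the ICMP echo round-trip for the same nameserver, and flags whether the path is in the "WAN-like" range where a local resolver is worth considering. The sample output is constructed from the figures in the mail; the 20 ms threshold is the author's own example value.

```python
import re
from typing import Dict

# Constructed sample output, copied from the two measurements in the mail.
HPING_OUTPUT = """\
HPING 10.20.30.40 (bond0 10.20.30.40): S set, 40 headers + 0 data bytes
--- 10.20.30.40 hping statistic ---
50 packets tramitted, 50 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms
"""

PING_OUTPUT = """\
PING 10.20.30.40 (10.20.30.40) 56(84) bytes of data.
--- 10.20.30.40 ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 4900ms
rtt min/avg/max/mdev = 0.359/0.383/0.778/0.062 ms
"""

# hping3 prints "round-trip min/avg/max = a/b/c ms"; iputils ping prints
# "rtt min/avg/max/mdev = a/b/c/d ms". One pattern covers both forms.
_RTT_RE = re.compile(r"(?:round-trip|rtt) min/avg/max(?:/mdev)? = ([\d./]+) ms")
_LOSS_RE = re.compile(r"(\d+(?:\.\d+)?)% packet loss")


def parse_rtt(output: str) -> Dict[str, float]:
    """Extract min/avg/max (and mdev if present) plus packet loss from a summary."""
    m = _RTT_RE.search(output)
    if m is None:
        raise ValueError("no RTT summary line found")
    values = [float(v) for v in m.group(1).split("/")]
    stats = dict(zip(("min", "avg", "max", "mdev"), values))
    loss = _LOSS_RE.search(output)
    stats["loss_pct"] = float(loss.group(1)) if loss else 0.0
    return stats


def compare(tcp_syn_output: str, icmp_output: str, wan_threshold_ms: float = 20.0) -> dict:
    """Compare TCP SYN/SYN+ACK RTT with ICMP echo RTT over the same path.

    Both probes traverse the same hops, so the difference between them is
    attributable to host-side processing of TCP versus ICMP, not to the network.
    """
    tcp = parse_rtt(tcp_syn_output)
    icmp = parse_rtt(icmp_output)
    return {
        "tcp_avg_ms": tcp["avg"],
        "icmp_avg_ms": icmp["avg"],
        "stack_delta_ms": round(tcp["avg"] - icmp["avg"], 3),
        "wan_like": max(tcp["avg"], icmp["avg"]) >= wan_threshold_ms,
        "lossy": tcp["loss_pct"] > 0 or icmp["loss_pct"] > 0,
    }


if __name__ == "__main__":
    print(compare(HPING_OUTPUT, PING_OUTPUT))
```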