GleSYS, Y U NO DNS?

... or why DNS lookups are a dangerous thing.

At my current employer we specialize in making campaigns, and this particular one is a Facebook Canvas type of thing, meaning we talk to the Facebook API.

It turns out though, one day after launching the campaign, that the local DNS resolver is sometimes unable to resolve the name facebook.com or graph.facebook.com in a timely fashion.

Looking into the matter I wrote a script for benchmarking the performance of socket.gethostbyaddr(), for your convenience as well as future reference:

#!/usr/bin/env python3

import socket
import time

ts = []  # seconds spent on each lookup

def test_host(h):
    # Given a name, gethostbyaddr() resolves it and then does a reverse
    # lookup on the resulting address, so both queries are timed.
    t0 = time.time()
    try:
        socket.gethostbyaddr(h)
    except socket.error:
        # herror/gaierror only; Ctrl-C still interrupts the run
        print("resolve failed %r" % h)
    ts.append(time.time() - t0)

def avg(L):
    return sum(L) / float(len(L))

def med(L):
    L = sorted(L)
    mid = len(L) // 2
    if len(L) & 1:
        return L[mid]
    return (L[mid - 1] + L[mid]) / 2.0

t0 = time.time()
test_host("facebook.com")
test_host("www.facebook.com")
test_host("graph.facebook.com")
test_host("api.facebook.com")
test_host("api-read.facebook.com")
test_host("api-video.facebook.com")
print("started %.2f, completed in %.2f" % (t0, time.time() - t0))
print("slowest %.4f, fastest %.4f" % (max(ts), min(ts)))
print("median %.4f, average %.4f" % (med(ts), avg(ts)))

We use GleSYS for our VPS needs, which is a common provider in Sweden. Guess what their DNS performance looks like? Sometimes it takes up to 40 seconds for them to resolve facebook.com, when two seconds earlier they could answer the query in under 1ms.

For now I just chucked the relevant hostnames into /etc/hosts, so: I could use a tip on a lightweight recursive DNS server! (Not BIND or djbdns.)
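
Added example, not part of the original post: a lookup wrapper that stops a stalled resolver from blocking the caller for 40 seconds, by waiting at most a fixed deadline and otherwise serving the last good answer. The names resolve, system_lookup, remember and LAST_GOOD are hypothetical, and the 192.0.2.x addresses are constructed documentation values.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

POOL = ThreadPoolExecutor(max_workers=4)
LAST_GOOD = {}  # hostname -> (addresses, time the answer arrived)

def system_lookup(host):
    """Forward lookup through the system resolver; may block for a long time."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted(set(info[4][0] for info in infos))

def remember(host, future):
    """Store an answer when it arrives, even if the caller already gave up."""
    if future.exception() is None and future.result():
        LAST_GOOD[host] = (future.result(), time.time())

def resolve(host, deadline=2.0, max_stale=3600.0, lookup=system_lookup):
    """Return (addresses, "fresh" or "stale"), waiting at most `deadline` seconds.

    On timeout or resolver error the last good answer is served if it is
    younger than `max_stale` seconds; otherwise the error is raised.
    """
    future = POOL.submit(lookup, host)
    future.add_done_callback(lambda done: remember(host, done))
    try:
        addrs = future.result(timeout=deadline)
        if addrs:
            LAST_GOOD[host] = (addrs, time.time())
            return addrs, "fresh"
        error = LookupError("empty answer for %r" % host)
    except LookupTimeout:
        error = LookupError("no answer for %r within %.2fs" % (host, deadline))
    except OSError as exc:  # socket.gaierror and friends
        error = exc
    cached = LAST_GOOD.get(host)
    if cached and time.time() - cached[1] <= max_stale:
        return cached[0], "stale"
    raise error

if __name__ == "__main__":
    def stalled(host):  # constructed stand-in for a resolver that hangs
        time.sleep(1.0)
        return ["192.0.2.20"]  # documentation address, not a real answer
    LAST_GOOD["graph.facebook.com"] = (["192.0.2.10"], time.time())
    print(resolve("graph.facebook.com", deadline=0.1, lookup=stalled))
```

A stalled lookup keeps its worker thread busy until the resolver finally answers, so the pool size limits how many hung queries can be outstanding at once.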


Comments
Posted by: Malte §

You could use some publicly available resolver, such as Google Public DNS.

What's with the reluctance toward BIND and djbdns?

2011-12-06 @ 12:59:24
Posted by: Susan "Suhana" Vash §

I tend to use unbound - a validating, recursive, and caching DNS resolver.

Very fast, easy to "tweak" to suit local server conditions - and appears to be rock solid security-wise.

http://unbound.net/

2011-12-06 @ 14:57:12
Posted by: Anton §

Check out http://unbound.net

2011-12-06 @ 15:14:56
Posted by: bean §

Maybe deadwood (from maradns author), or pdns-recursor.

2011-12-06 @ 15:23:09
URL: http://subtitles.toh.info
Posted by: Jon Åslund §

I recommend http://unbound.net/

2011-12-06 @ 15:58:00
URL: http://twitter.com/jooon
Posted by: Israel Fruchter §

Maybe you should try Google DNS services:

http://code.google.com/speed/public-dns/

I bet they should be quick enough for you.

2011-12-06 @ 17:58:09
Posted by: Francois Marier §

You could try unbound (http://unbound.net/). It's quite good, has full support for DNSSEC, and the developers are very responsive.

2011-12-06 @ 20:36:49
URL: http://fmarier.org
Posted by: hal §

Interesting post!

Perhaps Dnsmasq (http://thekelleys.org.uk/dnsmasq/doc.html) would suit your needs. You would of course need to disable the DHCP functionality.

2011-12-06 @ 23:51:30
Posted by: Marius Gedminas §

How about dnsmasq? It's not standalone, but at least it'll cache.

I think I may've used MaraDNS for this purpose a long time ago; then switched back to bind just to reduce my mental load (I had to use bind elsewhere).

2011-12-07 @ 00:03:44
URL: http://gedmin.as
Posted by: threelegdog §

If you are looking for a recursive you can host locally, you can take a look at powerdns http://www.powerdns.com/ or unbound http://unbound.net/ or you can point at one of the many free open recursives. UltraDNS has one at 156.154.70.1 or google at 8.8.8.8.

If your code is strictly python, take a look at http://www.dnspython.org/ which allows you to specify the resolver used.

2011-12-07 @ 02:03:21
Posted by: bkc §

Hi,

I'd like to know why you do not want to use djbdns (dnscache). You must know something I don't!

Thanks

2011-12-07 @ 05:04:14
Posted by: ax25 §

You could try Dnsmasq (forwarder, but many features):

http://thekelleys.org.uk/dnsmasq/doc.html

or Unbound (I have not tried this one, but came across it recently):

http://unbound.net/

2011-12-07 @ 05:12:14
URL: http://penguinpackets.com
Posted by: Jonas / GleSYS §

We think we have found the issue. Could you please send us an email with your account number and we can check if the problem also was related to your server?

2011-12-07 @ 06:29:08
Posted by: Szumo §

Try Twisted Names (DNS server in Python).

Posted by: fungusakafungus §

I used to use pdnsd: http://www.phys.uu.nl/~rombouts/pdnsd/faq.html

It is in debian.

2011-12-07 @ 14:51:36
Posted by: anonymous §

8.8.8.8; 8.8.4.4

http://code.google.com/speed/public-dns/docs/using.html

2011-12-08 @ 23:19:07
Posted by: Rob Cakebread §

If the VPS is running Ubuntu, you might check this out. I found this fixed slow DNS lookups for me:

http://www.ubuntugeek.com/how-to-disable-ipv6-in-ubuntu.html

2011-12-10 @ 03:31:59
URL: http://blog.cakebread.info
