... or why DNS lookups are a dangerous thing.

At my current employer we specialize in making campaigns, and this particular one is a Facebook Canvas type of thing, meaning we talk to the Facebook API.

It turns out though, one day after launching the campaign, that the local DNS resolver is sometimes unable to resolve the name at all, or unable to do so in a timely fashion.

Looking into the matter I wrote a script for benchmarking the performance of socket.gethostbyaddr(), for your convenience as well as future reference:

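#!/usr/bin/env python2.6

import sys, time, socket

ts = []  # duration of each lookup, in seconds

def test_host(h):
    # Time a single lookup; failed lookups are reported and still counted.
    t0 = time.time()
    try:
        socket.gethostbyaddr(h)
    except socket.error:
        print("resolve failed %r" % (h,))
    ts.append(time.time() - t0)

def avg(L): return sum(L)/float(len(L))
def med(L):
    L = sorted(L)  # the median is only meaningful on ordered samples
    if len(L)&1:
        return L[int(len(L)/2)]
    else:
        return (L[int(len(L)/2)-1]+L[int(len(L)/2)])/2.0

t0 = time.time()
# Assumed: the hosts to resolve are given as command-line arguments.
for h in sys.argv[1:]:
    test_host(h)
if not ts:
    sys.exit("usage: %s HOST [HOST ...]" % sys.argv[0])
print("started %.2f, completed in %.2f" % (t0, time.time() - t0))
print("slowest %.4f, fastest %.4f" % (max(ts), min(ts)))
print("median %.4f, average %.4f" % (med(ts), avg(ts)))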

We use GleSYS for our VPS needs, which is a common provider in Sweden. Guess what their DNS performance looks like? Sometimes it takes up to 40 seconds for them to resolve, when two seconds earlier they could answer the query in under 1ms.

For now I just chucked the relevant hostnames into /etc/hosts, so: I could use a tip on a lightweight recursive DNS server! (Not BIND or djbdns.)
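One way to keep a stalling resolver from blocking requests, as an added example that is not part of the original post: each lookup gets a hard deadline, answers are cached, and on timeout or failure the caller gets the last known address or a pinned, /etc/hosts-style entry. The class name, its parameters, the host names and the 192.0.2.x addresses are assumptions made for illustration.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

class BoundedResolver:
    """Resolve names with a hard deadline, a TTL cache and a stale fallback."""

    def __init__(self, lookup=socket.gethostbyname, deadline=2.0, ttl=300.0,
                 pinned=None, clock=time.monotonic):
        self.lookup = lookup              # injectable, so a slow resolver can be faked
        self.deadline = deadline          # max seconds a caller waits for DNS
        self.ttl = ttl                    # seconds a cached answer counts as fresh
        self.pinned = dict(pinned or {})  # last-resort entries, like /etc/hosts
        self.clock = clock
        self.cache = {}                   # host -> (address, stored_at)
        # A stuck lookup keeps its worker busy, but callers still only wait
        # `deadline` seconds because the wait is on the future, not the thread.
        self.pool = ThreadPoolExecutor(max_workers=4)

    def resolve(self, host):
        """Return (address, source); source is fresh, cache, stale or pinned."""
        hit = self.cache.get(host)
        if hit and self.clock() - hit[1] < self.ttl:
            return hit[0], "cache"
        future = self.pool.submit(self.lookup, host)
        try:
            addr = future.result(timeout=self.deadline)
        except (LookupTimeout, OSError):
            # Resolver is slow or failing: degrade instead of blocking the request.
            if hit:
                return hit[0], "stale"
            if host in self.pinned:
                return self.pinned[host], "pinned"
            raise
        self.cache[host] = (addr, self.clock())
        return addr, "fresh"

if __name__ == "__main__":
    def slow_lookup(host):                # constructed stand-in for a stalling resolver
        time.sleep(1.0)
        return "192.0.2.10"
    r = BoundedResolver(lookup=slow_lookup, deadline=0.1,
                        pinned={"graph.example.test": "192.0.2.10"})
    print(r.resolve("graph.example.test"))
```

A stale or pinned address can be wrong if the service has moved, so the `source` value is worth logging whenever it is not `fresh` or `cache`.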

Posted by: Malte §

You could use some publicly available resolver, such as Google Public DNS.

What's with the reluctance toward BIND and djbdns?

2011-12-06 @ 12:59:24
Posted by: Susan "Suhana" Vash §

I tend to use unbound - a validating, recursive, and caching DNS resolver.

Very fast, easy to "tweak" to suit local server conditions - and appears to be rock solid security-wise

2011-12-06 @ 14:57:12
Posted by: Anton §

Check out

2011-12-06 @ 15:14:56
Posted by: bean §

Maybe deadwood (from maradns author), or pdns-recursor.

2011-12-06 @ 15:23:09
Posted by: Jon Åslund §

I recommend

2011-12-06 @ 15:58:00
Posted by: Israel Fruchter §

maybe you should try google dns services:

I bet they should be quick enough for you

2011-12-06 @ 17:58:09
Posted by: Francois Marier §

You could try unbound. It's quite good, has full support for DNSSEC, and the developers are very responsive.

2011-12-06 @ 20:36:49
Posted by: hal §

Interesting post!

Perhaps Dnsmasq would suit your needs. You would of course need to disable the dhcp functionality.

2011-12-06 @ 23:51:30
Posted by: Marius Gedminas §

How about dnsmasq? It's not standalone, but at least it'll cache.

I think I may've used MaraDNS for this purpose a long time ago; then switched back to bind just to reduce my mental load (I had to use bind elsewhere).

2011-12-07 @ 00:03:44
Posted by: threelegdog §

If you are looking for a recursive you can host locally you can take a look at powerdns or unbound or you point at one of the many free open recursives. UltraDNS has one at or google at

If your code is strictly python, take a look at which allows you to specify the resolver used

2011-12-07 @ 02:03:21
Posted by: bkc §


I'd like to know why you do not want to use djbdns (dnscache). You must know something I don't!


2011-12-07 @ 05:04:14
Posted by: ax25 §

You could try Dnsmasq (forwarder, but many features):

or Unbound (I have not tried this one, but came across it recently):

2011-12-07 @ 05:12:14
Posted by: Jonas / GleSYS §

We think we have found the issue. Could you please send us an email with your account number and we can check if the problem also was related to your server?

2011-12-07 @ 06:29:08
Posted by: Szumo §

Try Twisted Names (DNS server in Python).

Posted by: fungusakafungus §

I used to use pdnsd:

It is in debian.

2011-12-07 @ 14:51:36
Posted by: anonymous §

2011-12-08 @ 23:19:07
Posted by: Rob Cakebread §

If the VPS is running Ubuntu, you might check this out. I found this fixed slow DNS lookups for me:

2011-12-10 @ 03:31:59
