although I have properly (I hope ;-) set my "forwarders" in "options" section,
my bind doesn't cache. My DNS was a little bit slow so I tried dnstracer to find
out the resolve path. Each time it tries the root-servers.
I compiled version 9.2.2 by myself without threads or any other features. Thanks
for hints ;-)
Vladimir Trebicky
This is my named.conf:
options {
    directory "/var/named";
    listen-on {
        217.11.242.16;
        217.11.242.17;
    };
    forwarders {
        217.11.242.84;
        81.0.235.1;
        212.67.79.158;
        193.85.3.130;
        198.41.0.4;
        192.33.4.12;
    };
};
zone "." {
    type hint;
    file "cache";
};
zone "xhost.cz" {
    type master;
    file "xhost.cz";
    notify no;
};
> although I have properly (I hope ;-) set my "forwarders" in "options" section,
> my bind doesn't cache. My DNS was a little bit slow so I tried dnstracer to find
> out the resolve path. Each time it tries the root-servers.
> I compiled version 9.2.2 by myself without threads or any other features. Thanks
> for hints ;-)
Remove all "forwarders" if you want your nameserver to cache.
> Vladimir Trebicky
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
----- Original Message -----
From: <p...@icke-reklam.ipsec.nu>
Newsgroups: comp.protocols.dns.bind
To: <comp-protoc...@isc.org>
Sent: Wednesday, May 07, 2003 4:55 PM
Subject: Re: BIND not caching
Vladimír Trebický <treb...@xhost.cz> wrote:
> Hi,
> although I have properly (I hope ;-) set my "forwarders" in "options" section,
> my bind doesn't cache. My DNS was a little bit slow so I tried dnstracer to find
> out the resolve path. Each time it tries the root-servers.
> I compiled version 9.2.2 by myself without threads or any other features. Thanks
> for hints ;-)
Remove all "forwarders" if you want your nameserver to cache.
> Vladimir Trebicky
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Is that a change in BIND 9? In previous versions, BIND would cache the
answers that it received from the forwarders, and only go to them if
something isn't already in the cache (or if the cached entry's TTL had
timed out, of course).
--
Barry Margolin, barry.m...@level3.com
Genuity Managed Services, a Level(3) Company, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
Of course it works.
What's the output of rndc dumpdb? The file generated _is_ a copy of the cache.
Or do you have another problem? What RR are you trying to cache?
What are the symptoms that disturb you?
--
Peter Håkanson
Tracing to www.volny.cz via www2.yo.cz, timeout 15 seconds
www2.yo.cz (217.11.237.38)
|\___ E.ROOT-SERVERS.NET [.] (192.203.230.10)
| |\___ NS-EXT.VIX.COM [cz] (204.152.184.64)
| | |\___ ns.vol.cz [volny.cz] (195.250.128.34) Got authoritative answer
| | \___ sns.vol.cz [volny.cz] (195.250.128.2) Got authoritative answer
...
on server that is IMHO _not_ caching, in opposite to:
Tracing to www.volny.cz via 217.11.242.84, timeout 15 seconds
217.11.242.84 (217.11.242.84) Got answer
|\___ ns.vol.cz [volny.cz] (195.250.128.34) Got authoritative answer
\___ sns.vol.cz [volny.cz] (195.250.128.2) Got authoritative answer
that _is_ IMHO caching right
(www.volny.cz is only example, it could be e.g. www.google.com or
anything else that my server doesn't own)
I thought that in rndc.conf are only some optional public fingerprints ;-)
----- Original Message -----
From: <p...@icke-reklam.ipsec.nu>
Newsgroups: comp.protocols.dns.bind
To: <comp-protoc...@isc.org>
Sent: Wednesday, May 07, 2003 5:35 PM
Subject: Re: BIND not caching
Vladimír Trebický <treb...@xhost.cz> wrote:
> Unfortunately, it didn't work :(
Of course it works.
What's the output of rndc dumpdb? The file generated _is_ a copy of the
cache.
Or do you have another problem? What RR are you trying to cache?
What are the symptoms that disturb you?
Might be. An example (assuming your bind-9 is at 217.11.237.38):
Starting with an initial query for a domain:
dig www.volny.cz a @217.11.237.38
; <<>> DiG 9.2.2 <<>> www.volny.cz a @217.11.237.38
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4743
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.volny.cz. IN A
;; ANSWER SECTION:
www.volny.cz. 1800 IN A 212.20.96.23
www.volny.cz. 1800 IN A 212.20.96.24
www.volny.cz. 1800 IN A 212.20.96.20
www.volny.cz. 1800 IN A 212.20.96.22
;; AUTHORITY SECTION:
volny.cz. 1800 IN NS ns.vol.cz.
volny.cz. 1800 IN NS sns.vol.cz.
;; Query time: 263 msec
;; SERVER: 217.11.237.38#53(217.11.237.38)
;; WHEN: Wed May 7 19:45:03 2003
;; MSG SIZE rcvd: 133
One of the answer(s) is:
;; ANSWER SECTION:
www.volny.cz. 1800 IN A 212.20.96.23
The nameserver has resolved the name and actually got a response from
an authoritative server.
Now we repeat the same query:
> dig www.volny.cz a @217.11.237.38
; <<>> DiG 9.2.2 <<>> www.volny.cz a @217.11.237.38
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49632
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.volny.cz. IN A
;; ANSWER SECTION:
www.volny.cz. 1796 IN A 212.20.96.22
www.volny.cz. 1796 IN A 212.20.96.23
www.volny.cz. 1796 IN A 212.20.96.24
www.volny.cz. 1796 IN A 212.20.96.20
;; AUTHORITY SECTION:
volny.cz. 1796 IN NS sns.vol.cz.
volny.cz. 1796 IN NS ns.vol.cz.
;; Query time: 51 msec
;; SERVER: 217.11.237.38#53(217.11.237.38)
;; WHEN: Wed May 7 19:45:07 2003
;; MSG SIZE rcvd: 133
Note that the TTL value has been reduced to "1796", this is an indication
that we got a cached answer. Also note the difference in response time.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out
> Is that a change in BIND 9? In previous versions, BIND would cache the
> answers that it received from the forwarders, and only go to them if
> something isn't already in the cache (or if the cached entry's TTL had
> timed out, of course).
No, but a nameserver forwarding to other will not cache glue-records
and ns records, thus reducing the benefits of caching. In effect
depending on the forwarders cache.
> --
> Barry Margolin, barry.m...@level3.com
> Genuity Managed Services, a Level(3) Company, Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out
>>Remove all "forwarders" if you want your nameserver to cache.
>
> Is that a change in BIND 9? In previous versions, BIND would cache the
> answers that it received from the forwarders, and only go to them if
> something isn't already in the cache (or if the cached entry's TTL had
> timed out, of course).
This is a myth I see perpetuated more often than I'd care to count. A
lot of people out in the big wide Internet seem under the impression
that BIND has two options for recursion; forwarding or caching. This is
just not the case. Not at all. I've verified this with BIND 8.x and 9.x
repeatedly always with the same result (a result, BTW, supported by the
documentation).
Sorry to repeat this, because it sounds as if you already know how BIND
works, but I feel it has to be said.
The "forwarding" option only changes the behaviour in retrieving a
record that is not in the cache.
When using "forward first", the record will be retrieved from the
server(s) configured before trying the root servers. If "forward only",
only the forwarders will be contacted (i.e., the roots will not be attempted).
The reasons for this are many. First and foremost of them, however, is
that it allows for a hierarchical DNS setup. One or two primary caching
servers with several child servers to distribute the load of the
querying clients. Of course, it also serves to take the load off the
root servers, which has the effect of making one's DNS system more
efficient and gives faster responses. If, for example, my 10BaseT client
contacts its DNS server for an RR which only has to go as far as a peer
100BaseTX forwarder for the response, I save lots of time compared to a
caching server that has to query the roots, then the masters across the
global Internet.
The important distinction here is that forwarding does *NOT* disable, or
negate the cache!
To demonstrate (presuming that you already have a caching name server
on your LAN under your own control, and that you have one or more
computers under your control);
1) Install BIND (8 or 9) on a client computer.
2) Configure as normal in a caching configuration.
3) Configure as "forward first" with your LAN's caching server as its
only listed forwarder.
4) Enable query logging on both servers.
5) Query your slave server for an RR. Say, 'yahoo.com IN A' Tail both
query logs. See it come through?
6) Dump both caches. Observe the state of the RR.
7) RE-query the same RR from the slave server, observing query logs again.
8) Change slave server to "forward only" and repeat.
As another poster pointed out, checking the query time on subsequent
queries from a forwarding server and the state of the cache is a good
illustration.
So, for the last time; Forwarding does *NOT* disable caching!
(Surely there's an FAQ?!?)
--
http://blackdeath.snerk.org/
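
Added example, not part of any post in the thread: a small shell check for the test both the dig walkthrough and the numbered procedure above rely on, comparing the answer TTL and query time of two dig replies taken a known number of seconds apart. The function names are hypothetical, and the two sample replies are trimmed copies of the dig output quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The two sample replies are trimmed
# copies of the dig answers quoted in the thread.
# Lowest TTL in the ANSWER SECTION of dig output read from stdin.
answer_ttl() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $3 == "IN" { if (min == "" || $2 + 0 < min) min = $2 + 0 }
        END { if (min == "") exit 1; print min }'
}

# Milliseconds from the ";; Query time: N msec" line.
query_msec() {
    awk '/^;; Query time:/ { print $4; found = 1 } END { exit !found }'
}

# cache_verdict FIRST_TTL SECOND_TTL ELAPSED_SECONDS
#   cached       TTL fell by the elapsed time (1 s slack): a cache on the path answered
#   refetched    TTL did not fall: the record was fetched again
#   inconclusive queries too close together, or an unexplained TTL change
cache_verdict() {
    drop=$(( $1 - $2 ))
    diff=$(( drop - $3 ))
    if [ "$diff" -lt 0 ]; then diff=$(( -diff )); fi
    if [ "$3" -lt 2 ]; then echo inconclusive
    elif [ "$diff" -le 1 ]; then echo cached
    elif [ "$drop" -le 0 ]; then echo refetched
    else echo inconclusive
    fi
}

first_reply() { cat <<'EOF'
;; ANSWER SECTION:
www.volny.cz. 1800 IN A 212.20.96.23
www.volny.cz. 1800 IN A 212.20.96.24
;; AUTHORITY SECTION:
volny.cz. 1800 IN NS ns.vol.cz.
;; Query time: 263 msec
EOF
}
second_reply() { cat <<'EOF'
;; ANSWER SECTION:
www.volny.cz. 1796 IN A 212.20.96.22
www.volny.cz. 1796 IN A 212.20.96.23
;; Query time: 51 msec
EOF
}

t1=$(first_reply | answer_ttl); t2=$(second_reply | answer_ttl)
echo "TTL $t1 -> $t2 over 4 s: $(cache_verdict "$t1" "$t2" 4)"
```

A counting-down TTL shows that some cache on the path answered; when the server forwards to another caching server, the query logs from steps 4 to 7 are what tell you which of the two held the record.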