Good evening, all, It's still early in the project, but a few quick observations. Using dnstop and tethereal, I've seen that in the last 24 hours we've had 570K DNS queries to slart, the 5th/6th nameserver for {sa,sc}.surbl.org. 84% of those - 475K queries - have been to surbl.org. The next closest was in-addr.arpa with 12K and 7500 or less for everything else (that "everything else" category includes being a primary or secondary for 130 other domains and the primary nameserver for 28 machines). Of that 475K, 400K were to sc.surbl.org and 43K to sa.surbl.org. I suppose the rest were to jeff.chan.rox.surbl.org. *smile* More recent nameserver stats show the RBL is hovering around 90.2% of the queries to that nameserver.
Oh, and did I mention that the nameserver is running on one of 27 User-Mode Linux virtual machines (*) running on top of a dual 1.4GHz P3? The host machine load runs from 3.0 - 5.0 (but 2 of that is from the distributed.net CPU sponge, so really the load is 1.0 - 3.0). It'll be interesting to see just how high the load goes as more people come on, especially when SA 3.0 comes out. *gulp* :-) Cheers, - Bill
* http://66.59.109.137:1500 , http://www.stearns.org/slartibartfast/uml-coop.current.html
--------------------------------------------------------------------------- "NT 5.0 is the last nail in the Unix coffin. Interestingly, Unix isn't in the coffin... It's wondering what the heck is sealing itself into a wooden box 6 feet underground..." (Courtesy of Jason McMullan jmcc@grits.visus.com) -------------------------------------------------------------------------- William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --------------------------------------------------------------------------
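The per-zone breakdown Bill pulled from dnstop can be reproduced from a packet capture. The following is an added example, not code from the thread or from dnstop: it aggregates tcpdump-style DNS query lines (a constructed sample, not real traffic) by the longest matching zone the server serves, so delegated children such as sc.surbl.org are counted apart from surbl.org and can be rolled back up into the parent. The zone list and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample of tcpdump-style DNS query lines (not a real capture).
SAMPLE_LOG = """\
22:10:01.001 IP 192.0.2.10.40001 > 198.51.100.5.53: 1001+ A? 2.example.sc.surbl.org. (40)
22:10:01.002 IP 192.0.2.11.40002 > 198.51.100.5.53: 1002+ A? example.sc.surbl.org. (38)
22:10:01.003 IP 192.0.2.12.40003 > 198.51.100.5.53: 1003+ A? spammer.sa.surbl.org. (38)
22:10:01.004 IP 192.0.2.13.40004 > 198.51.100.5.53: 1004+ PTR? 5.100.51.198.in-addr.arpa. (43)
22:10:01.005 IP 192.0.2.14.40005 > 198.51.100.5.53: 1005+ A? www.stearns.org. (33)
22:10:01.006 IP 192.0.2.15.40006 > 198.51.100.5.53: 1006+ MX? example.org. (29)
22:10:01.007 IP 192.0.2.16.40007 > 198.51.100.5.53: 1007+ A? other.sc.surbl.org. (36)
"""

# Matches "<qtype>? <qname> (<len>)" at the end of a tcpdump query line.
QUERY_RE = re.compile(r"\s(\w+)\?\s+(\S+)\s+\(\d+\)\s*$")

# Zones this nameserver is assumed to serve; the longest suffix wins, so a
# query under sc.surbl.org is attributed to that child, not to surbl.org.
ZONES = ("sc.surbl.org", "sa.surbl.org", "surbl.org", "in-addr.arpa", "stearns.org")

def classify(qname, zones=ZONES):
    """Return the most specific served zone containing qname, else 'other'."""
    name = qname.rstrip(".").lower()
    best = None
    for z in zones:
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best or "other"

def zone_shares(log_text, zones=ZONES):
    """Map zone -> (query count, percent of all parsed queries)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[classify(m.group(2), zones)] += 1
    total = sum(counts.values())
    return {z: (n, round(100.0 * n / total, 1)) for z, n in counts.items()}

def rollup(shares, parent):
    """Total queries for a parent zone including its delegated children."""
    return sum(n for z, (n, _) in shares.items()
               if z == parent or z.endswith("." + parent))

if __name__ == "__main__":
    shares = zone_shares(SAMPLE_LOG)
    for zone, (n, pct) in sorted(shares.items(), key=lambda kv: -kv[1][0]):
        print(f"{zone:20s} {n:6d} {pct:5.1f}%")
    print("surbl.org incl. children:", rollup(shares, "surbl.org"))
```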
On Monday, April 12, 2004, 8:10:41 PM, William Stearns wrote:
Good evening, all, It's still early in the project, but a few quick observations. Using dnstop and tethereal, I've seen that in the last 24 hours we've had 570K DNS queries to slart, the 5th/6th nameserver for {sa,sc}.surbl.org. 84% of those - 475K queries - have been to surbl.org. The next closest was in-addr.arpa with 12K and 7500 or less for everything else (that "everything else" category includes being a primary or secondary for 130 other domains and the primary nameserver for 28 machines). Of that 475K, 400K were to sc.surbl.org and 43K to sa.surbl.org. I suppose the rest were to jeff.chan.rox.surbl.org. *smile* [ :blush: -- Jeff C.] More recent nameserver stats show the RBL is hovering around 90.2% of the queries to that nameserver.
Oh, and did I mention that the nameserver is running on one of 27 User-Mode Linux virtual machines (*) running on top of a dual 1.4GHz P3? The host machine load runs from 3.0 - 5.0 (but 2 of that is from the distributed.net CPU sponge, so really the load is 1.0 - 3.0). It'll be interesting to see just how high the load goes as more people come on, especially when SA 3.0 comes out. *gulp* :-) Cheers, - Bill
Thanks for the timely stats, Bill! Someone just inquired what would be involved in being a secondary. I will forward him your data.
We will definitely be needing more secondaries.
We could increase the TTL on sc to something higher, but that could add some latency to the catching of new domains. 10 minutes is pretty short, but there are other RBLs with short TTLs. Here's a sample of some others. Comments welcome:
zone                  origin                 mail addr                  serial       refresh      retry        expire             minimum ttl
sc.surbl.org          ns1.freeapp.net        zone.surbl.org             1081827731   600 (10M)    300 (5M)     604800 (1W)        600 (10M)
list.dsbl.org         a.list.ns.dsbl.org     admin.dsbl.org             1080300617   600 (10M)    300 (5M)     86400 (1D)         600 (10M)
sbl.spamhaus.org      need.to.know.only      hostmaster.spamhaus.org    2004032608   3600 (1H)    900 (15M)    604800 (1W)        300 (5M)
dnsbl.njabl.org       ns1.njabl.org          help.njabl.org             1080298387   10800 (3H)   1800 (30M)   720000 (1w1d8h)    900 (15M)
korea.blackholes.us   scarlatti.shakha.com   hostmaster.blackholes.us   2003120601   3600 (1H)    900 (15M)    1209600 (2W)       43200 (12H)
spam.dnsrbl.net       ns1.namesystems.net    dns@namesystems.net        2004031600   3600 (1H)    900 (15M)    864000 (1w3d)      3600 (1H)
hil.habeas.com        ns1.habeas.com         root.habeas.com            33           3600 (1H)    1200 (20M)   604800 (1W)        86400 (1D)
relays.ordb.org       a.ns.ordb.org          hostmaster.ordb.org        1080300600   600 (10M)    300 (5M)     604800 (1W)        1800 (30M)
Are there any DNS tricks for dealing with quickly changing zones other than short times?
Jeff C.
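Jeff's trade-off (short TTLs versus latency in catching new listings) can be put in numbers from the SOA timers he posted. The following is an added example, not code from the thread or from any of the listed projects: it parses SOA records in the one-line form used above, runs the usual RFC 1912 sanity checks on the timers, and computes the worst-case delay before a newly added listing is visible to a resolver that had just cached a negative answer. It assumes negative answers are cached for the SOA minimum (RFC 2308) and ignores zone-transfer time; three of the zones from the message are embedded as input.

```python
import re

# Three SOA records from the thread, in the one-line form "zone origin = ...
# refresh = N (10M) ..."; the same parser handles the other zones listed above.
SOA_LINES = """\
sc.surbl.org origin = ns1.freeapp.net mail addr = zone.surbl.org serial = 1081827731 refresh = 600 (10M) retry = 300 (5M) expire = 604800 (1W) minimum ttl = 600 (10M)
sbl.spamhaus.org origin = need.to.know.only mail addr = hostmaster.spamhaus.org serial = 2004032608 refresh = 3600 (1H) retry = 900 (15M) expire = 604800 (1W) minimum ttl = 300 (5M)
hil.habeas.com origin = ns1.habeas.com mail addr = root.habeas.com serial = 33 refresh = 3600 (1H) retry = 1200 (20M) expire = 604800 (1W) minimum ttl = 86400 (1D)
"""

FIELD_RE = re.compile(r"(serial|refresh|retry|expire|minimum ttl) = (\d+)")

def parse_soa(line):
    """Return {'zone': str, 'serial': int, 'refresh': int, ...} for one line."""
    soa = {k: int(v) for k, v in FIELD_RE.findall(line)}
    soa["zone"] = line.split()[0]
    return soa

TWO_WEEKS = 14 * 86400  # lower end of the expire range RFC 1912 suggests

def check_soa(soa):
    """Sanity checks on the SOA timers; returns a list of findings (empty = clean)."""
    findings = []
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry is not shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append("expire leaves secondaries no retry window before the zone goes stale")
    if soa["expire"] < TWO_WEEKS:
        findings.append("expire is below the 2-4 weeks RFC 1912 suggests")
    return findings

def worst_case_listing_delay(soa, notify=True):
    """Seconds until a resolver that cached a negative answer just before a new
    listing was added can see it. Negative answers live for the SOA minimum
    (RFC 2308; assumes the SOA record's own TTL is not smaller). Without NOTIFY
    a secondary only learns of the change at its next refresh, so that is added."""
    delay = soa["minimum ttl"]
    if not notify:
        delay += soa["refresh"]
    return delay

def report(lines=SOA_LINES):
    """Map zone -> (delay with NOTIFY, delay without NOTIFY, findings)."""
    out = {}
    for line in lines.strip().splitlines():
        soa = parse_soa(line)
        out[soa["zone"]] = (worst_case_listing_delay(soa),
                            worst_case_listing_delay(soa, notify=False),
                            check_soa(soa))
    return out

if __name__ == "__main__":
    for zone, (fast, slow, findings) in report().items():
        print(f"{zone:18s} new listing visible within {fast:6d}s (NOTIFY) / {slow:6d}s (no NOTIFY)", findings)
```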
Jeff Chan writes:
On Monday, April 12, 2004, 8:10:41 PM, William Stearns wrote: Are there any DNS tricks for dealing with quickly changing zones other than short times?
Hey guys -- not that I know of. But worth asking (and maybe looking for secondaries) on the abuse.net spamtools list, lots of DNSBL know-how there from a few seasoned old salts. ;)
--j.
On Mon, Apr 12, 2004 at 11:10:41PM -0400, William Stearns wrote:
Good evening, all, It's still early in the project, but a few quick observations. Using dnstop and tethereal, I've seen that in the last 24 hours we've had
Well, I don't have query counts but here's how the SURBL stacks up on my servers.
rfc-ignorant.org 91.9% (And this is actually just a delegation point.)
surbl.org 3.2%
rfci had 29k queries in the few minutes I ran dnstop.
Our rbldns servers do a combined 3-4Mbps in outbound DNS answers - primary traffic load is from the rfci and spamhaus zones which we secondary for the public.
Be warned, when the SURBL gets into a default SA release we will see the traffic scream up. Be prepared to serve a few mbits of DNS traffic.
Jeff, how many secondaries do you have lined up? Wouldn't hurt to pick up a few anycasted secondaries either. (I'm working on it at Sonic, but it's still a way out.)
Can we get a default reply to list going too?
-- Kelsey Cummings - kgc@sonic.net sonic.net, inc. System Administrator 2260 Apollo Way 707.522.1000 (Voice) Santa Rosa, CA 95407 707.547.2199 (Fax) http://www.sonic.net/ Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
On Monday, April 12, 2004, 10:56:13 PM, Kelsey Cummings wrote:
Well, I don't have query counts but here's how the SURBL stacks up on my servers.
rfc-ignorant.org 91.9% (And this is actually just a delegation point.)
surbl.org 3.2%
rfci had 29k queries in the few minutes I ran dnstop.
Our rbldns servers do a combined 3-4Mbps in outbound DNS answers - primary traffic load is from the rfci and spamhaus zones which we secondary for the public.
Be warned, when the SURBL gets into a default SA release we will see the traffic scream up. Be prepared to serve a few mbits of DNS traffic.
Definitely important to plan for.
Jeff, how many secondaries do you have lined up?
We currently have seven with Dave Funk recently offering some more.
ns1.freeapp.net
dns1.littleredbat.net
a.rbl-auth.sr.sonic.net
b.rbl-auth.sr.sonic.net
slartibartfast.pa.net
dns.maddoc.com
master.dto.tudelft.nl
Wouldn't hurt to pick up a few anycasted secondaries either. (I'm working on it at Sonic, but it's still a way out.)
Can we get a default reply to list going too?
We left the list Reply-To going to senders, as in the default Mailman install (with a strong recommendation included for it). I don't mind changing replies to go to the list, but it might be good to hear if there are any strenuous objections.
Jeff C.
On Monday, April 12, 2004, 10:56:13 PM, Kelsey Cummings wrote:
Wouldn't hurt to pick up a few anycasted secondaries either. (I'm working on it at Sonic, but it's still a way out.)
Is anycast DNS up? I assume that means having multiple "primary" equivalents scattered throughout the Internet. Got FAQ URI? ;-)
It's interesting because I was thinking about how to do a failover to a backup data engine/name server/zone file source. If anycast means multiple primaries in essence, then it could help answer the backup server question in a clean way.
Jeff C.
Hi!
rfc-ignorant.org 91.9% (And this is actually just a delegation point.)
surbl.org 3.2%
rfci had 29k queries in the few minutes I ran dnstop.
Our rbldns servers do a combined 3-4Mbps in outbound DNS answers - primary traffic load is from the rfci and spamhaus zones which we secondary for the public.
Be warned, when the SURBL gets into a default SA release we will see the traffic scream up. Be prepared to serve a few mbits of DNS traffic.
If you are using the latest rbldnsd and send a SIGUSR1, you will see stats printed in your log, more accurate :)
I am also running a slave for RFCI on the same box, doing ok...
Bye, Raymond.