DNS Query Question

I have a customer having some DNS issues. They have done some research regarding some DNS timeout errors they saw with Verizon's sender verify looking up their MX records. What they have discovered is their current DNS service has a 1% failure/timeout rate. They are exploring other vendors (UltraDNS for one), but need an estimate of the number of DNS queries for accurate pricing to put together an ROI argument for the switch.

I have no IDEA if this can be determined, but what is a good estimate of
the number of DNS queries generated from sending an email? I know that
it may differ from ISP to ISP, but they just need a rough number for
pricing purposes.

If you also happen to know how many DNS requests make it to the root
server (rather than a cached proxy out on the net), that would be great.

-Dennis

Dennis Dayman wrote:

I have a customer having some DNS issues. They have done some research regarding some DNS timeout errors they saw with Verizon's sender verify looking up their MX records. What they have discovered is their current DNS service has a 1% failure/timeout rate. They are exploring other vendors (UltraDNS for one), but need an estimate of the number of DNS queries for accurate pricing to put together an ROI argument for the switch.

I have no IDEA if this can be determined, but what is a good estimate of
the number of DNS queries generated from sending an email?

That's not a good tack to take to figure out the answer.

Just check the logs of your current DNS server and count 'em up.

UltraDNS isn't cheap. But neither is downtime, I suppose.

-david

David Ulevitch wrote:

Dennis Dayman wrote:

I have a customer having some DNS issues. They have done some research regarding some DNS timeout errors they saw with Verizon's sender verify looking up their MX records. What they have discovered is their current DNS service has a 1% failure/timeout rate. They are exploring other vendors (UltraDNS for one), but need an estimate of the number of DNS queries for accurate pricing to put together an ROI argument for the switch.

I have no IDEA if this can be determined, but what is a good estimate of
the number of DNS queries generated from sending an email?

That's not a good tack to take to figure out the answer.

Just check the logs of your current DNS server and count 'em up.

UltraDNS isn't cheap. But neither is downtime, I suppose.

Here's what Chuq figured.

If I'm sending from my machine to your machine, here's what I think is the right sequence.

HELO foo.com (generates a call to the IP of the socket to compare to foo.com)

It's also going to look up the foo.com to make sure it resolves

MAIL-FROM - it'll look up the domain to make sure it exists, I believe.

So I think the baseline is 3, plus whatever anti-spam a site might use: DKIM, Sender-ID, SPF all generate at least a lookup of a TXT record, and depending on how they're implemented, maybe an A. Some of the anti-spam stuff might pull MX to verify a return path exists, too.

I'd say the minimum is 3, max is around 8, assuming nothing cached anywhere, for a new connection with one email sent. Multiple emails on a connection helps, and pipelining helps more (but individually optimized emails hose that); client side caching helps a lot but we can't depend on it.

If they want to send a message back (DSN, say), that's going to pull the A record, then the MXes, and then for each MX, I believe it does a reverse lookup to get the name, and that iterates for every MX until sent or you run out of MXes.

-Dennis
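As an added example (not code from the thread or from any of its participants), the script below does what David suggests, "check the logs and count 'em up", and breaks the count out by record type so the per-message mix Chuq lists (MX, A, TXT, PTR) can be checked against real traffic. The log lines are constructed, the BIND 9 query-log layout they follow is an assumption, and the monthly figure is a straight-line extrapolation from the time span the sample covers; substitute the customer's own query log for `SAMPLE_LOG` to get a number usable for pricing.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the style of a BIND 9 query log (assumed layout,
# not traffic from the thread). Addresses are from documentation ranges.
SAMPLE_LOG = """\
12-Aug-2006 10:15:32.101 client 192.0.2.10#53421: query: example.com IN MX + (198.51.100.5)
12-Aug-2006 10:15:32.140 client 192.0.2.10#53422: query: mail.example.com IN A + (198.51.100.5)
12-Aug-2006 10:15:32.177 client 192.0.2.10#53423: query: example.com IN TXT + (198.51.100.5)
12-Aug-2006 10:15:33.004 client 192.0.2.44#61002: query: 5.100.51.198.in-addr.arpa IN PTR - (198.51.100.5)
12-Aug-2006 10:15:40.512 client 203.0.113.7#40011: query: example.com IN MX + (198.51.100.5)
12-Aug-2006 10:15:40.600 client 203.0.113.7#40012: query: example.com IN A + (198.51.100.5)
12-Aug-2006 10:16:02.333 client 192.0.2.10#53430: query: example.com IN MX +E (198.51.100.5)
this line is not a query log entry and is skipped
12-Aug-2006 10:17:32.101 client 198.51.100.200#1234: query: www.example.com IN AAAA + (198.51.100.5)
"""

# Tolerates the optional "(view)" after the port and an optional "view X:" prefix
# that some BIND versions emit; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Return one dict per recognised query line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
            "client": m.group("client"),
            "qname": m.group("qname").rstrip(".").lower(),
            "qtype": m.group("qtype"),
            # "+" means the client set RD (wants recursion); "-" means iterative.
            "recursion_desired": m.group("flags").startswith("+"),
        })
    return records


def summarize(records, window_days=30):
    """Totals by type, name and client, plus a straight-line monthly estimate."""
    total = len(records)
    by_type = Counter(r["qtype"] for r in records)
    by_name = Counter(r["qname"] for r in records)
    clients = {r["client"] for r in records}
    if total >= 2:
        first = min(r["ts"] for r in records)
        last = max(r["ts"] for r in records)
        span = (last - first).total_seconds()
    else:
        span = 0.0
    # Queries per second over the observed span, scaled to the pricing window.
    est = round(total / span * window_days * 86400) if span > 0 else None
    return {
        "total": total,
        "by_type": by_type,
        "by_name": by_name,
        "unique_clients": len(clients),
        "recursive": sum(1 for r in records if r["recursion_desired"]),
        "span_seconds": span,
        "est_per_30_days": est,
    }


if __name__ == "__main__":
    s = summarize(parse_query_log(SAMPLE_LOG))
    print(f"queries: {s['total']} over {s['span_seconds']:.0f}s "
          f"from {s['unique_clients']} clients")
    for qtype, n in s["by_type"].most_common():
        print(f"  {qtype:5} {n}")
    print(f"estimated queries per 30 days: {s['est_per_30_days']}")
```

A query log counts what arrived, not what failed: a query that the upstream resolver timed out on never appears here at all, so the 1% figure has to come from the sending side (or from a resolver whose timeouts are logged), which is the point Andy and Stephen make below about the problem possibly being connectivity rather than the nameserver.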

Is the request even hitting their DNS servers? If the problem is actually connectivity, then moving DNS off-network will improve DNS performance, but everything else will still lose a few percent of inbound packets ...

Unless you want to outsource your entire hosting to someone on the list. :wink:

Andy Davidson wrote:

Is the request even hitting their DNS servers? If the problem is actually connectivity, then moving DNS off-network will improve DNS performance, but everything else will still lose a few percent of inbound packets ...

not sure at this time. all I know is the test I made against theirs showed some inconsistent results.

Unless you want to outsource your entire hosting to someone on the list. :wink:

*snicker*.... I will mention it to my customer :wink:

-Dennis

Dennis Dayman wrote:

I have a customer having some DNS issues. They have done some research regarding some DNS timeout errors they saw with Verizon's sender verify looking up their MX records. What they have discovered is their current DNS service has a 1% failure/timeout rate. They are exploring other vendors (UltraDNS for one), but need an estimate of the number of DNS queries for accurate pricing to put together an ROI argument for the switch.

I had some problems with DNS timeout, and discovered that by doing priority queuing in my Cisco routers I was able to cut the failure rate to my authoritative DNS servers to near zero. The only time my DNS servers don't give a proper response is when a router is being flooded with other outbound data.

Is your customer using BIND? What do the statistics tell you? How many DNS servers are handling the traffic? Are they load-balanced? Have the DNS servers been upgraded to handle more traffic? Does the customer segregate their authoritative servers from their recursive ones? (That one change right there improved my DNS reliability and serviceability by several orders of magnitude!)

From your description, I'd say there was a lot more work to be done first, unless they just don't have the people to do it right.
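Stephen's suggestion of separating authoritative from recursive service, shown as an added BIND 9 `named.conf` example that is not from the thread. The zone name, file names and address ranges are placeholders; the first fragment is the mixed setup that is being advised against, the second is the split that follows. A single server that is both authoritative and an open recursor answers the world's recursive traffic with the same process (and the same upstream dependency) that must answer Verizon's MX lookups, so any resolver stall or flood shows up as timeouts on the authoritative data too.

```conf
// --- Weak: one named instance is authoritative for example.com AND
// --- recurses for anyone who asks (placeholder zone and paths).
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// --- Corrected, instance 1 (the public authoritative servers):
// --- serve only the zones you own, never recurse.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// --- Corrected, instance 2 (internal resolver, separate host or address):
// --- recurse only for your own networks; it holds no public zones.
acl internal { 192.0.2.0/24; 198.51.100.0/24; };   // placeholder ranges

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
};
```

After the split, the authoritative instance's query log contains only lookups for zones it owns, which also makes the "count 'em up" estimate earlier in the thread much cleaner, since recursive traffic from internal hosts no longer inflates it.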

Stephen Satchell wrote:

Is your customer using BIND?

They are using their co-lo's so I am unsure

What do the statistics tell you?

This is a dumb user that I'm dealing with. No experience.

Router to them means a police officer.

How many DNS servers are handling the traffic?

two (2)

Are they load-balanced?

unsure. they are on different subnets

Have the DNS servers been upgraded to handle more traffic? Does the customer segregate their authoritative servers from their recursive ones? (That one change right there improved my DNS reliability and serviceability by several orders of magnitude!)

they don't own the servers. if they did I could easily fix this. I do know that their bandwidth provider has said that they do *tend* to have issues

From your description, I'd say there was a lot more work to be done first, unless they just don't have the people to do it right.

yup. think this is why I am going down the managed session road.

-Dennis

Stephen Satchell wrote:

From your description, I'd say there was a lot more work to be done first, unless they just don't have the people to do it right.

forgot, but when I talked to Rodney on the phone the other day he reminded me that DNS is recursive and that if Verizon with their *own* DNS servers can't resolve the records then it MIGHT not be DNS after all. maybe this Sender Verify isn't related to DNS issues

-Dennis