Sometimes, it is much better to have a 48 byte response from a server, rather than a 150 byte response - particularly when you're on dialup or otherwise saturated links. Certainly, it is usually easier to upgrade the link - but when that's not possible for whatever reason, you just need to do what you can.
Enter a great feature of ISC BIND 9. When you are configuring your DNS server, you typically have many directives in 'options'. For instance: allow-recursion { internal; };. What you may not realize, though, is that there is another nifty configuration key, "minimal-responses". When this boolean is enabled, the server only adds records to the "authority" and "additional" sections when they are actually required (delegations and negative responses, for example).
By default, BIND sets this value to 'no', meaning that when you issue a query for a non-authoritative zone, it will not only provide you with the "answer" section, it will also provide the "authority" section and the "additional" section.
What is in these sections, you might ask?
Answer
Generally speaking, the answer section contains the answer to your query. Typically, the sysadmin only cares that the answer is the hostname or IP address they queried for, say www.pantek.com or 64.208.104.250. What else is contained in this record, however?
Without boring you with the excessive details, each record in the answer section is broken down into 6 parts:
- NAME - The name being returned (e.g. www.pantek.com)
- TYPE - The RR type (e.g. A)
- CLASS - The class (e.g. IN, CHAOS, etc.)
- TTL - The TTL in seconds (e.g. 86400)
- RDLENGTH - The length of the RR-specific data in octets (e.g. 27)
- RDATA - The RR data (e.g. 64.208.104.250)
Authority
Fortunately enough, the Authority section uses almost exactly the same format as the Answer section. The difference? Rather than carrying the host-specific record, it carries just the NS records of the authoritative nameservers.
Additional
Next comes the Additional section. Again, the record format matches the Answer section, but this time, rather than listing only NS records as the Authority section does, it gives the querying system the addresses of the nameservers it is being referred to.
Getting back to the original explanation: when dealing with recursive (or otherwise non-iterative) queries, the system performing the query generally only cares about the address or name it is looking for. Since this is the desired output of normal queries (i.e., queries in which we do not care about the authoritative server, since all we want is our name), we can configure our server to respond accordingly.
Now that you're excited, it's time to log in to your DNS server, update your named.conf file (which, depending on your system, could be in any ridiculously placed directory) and add the following:
// general or otherwise global options
options {
    // decrease the footprint of dns queries by 102 bytes
    minimal-responses yes;
};
At last, you've turned 'minimal-responses' on, and you are now responding to requests with only the appropriate answer, rather than 102 bytes of details that you probably never cared about.
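As an added illustration (not from the original post), the following Python builds two constructed DNS responses for www.pantek.com, a full one carrying Authority and Additional sections and a minimal one carrying only the Answer, then parses each and reports the record count and byte cost of every section; the ns1.pantek.com nameserver and the 192.0.2.53 glue address are made-up sample values, so the savings differ from the 102 bytes quoted above.

```python
import struct

# Two constructed (not captured) responses for "www.pantek.com A": FULL carries an NS
# record in Authority plus an A glue record in Additional; MINIMAL carries only the Answer.
def _name(n):  # uncompressed wire-format name: length-prefixed labels, root byte
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".") if l) + b"\x00"

def _rr(name, rtype, rdata, ttl=86400):  # NAME TYPE CLASS(IN) TTL RDLENGTH RDATA
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def _header(an, ns, ar):  # ID, flags (QR RD RA, NOERROR), QDCOUNT ANCOUNT NSCOUNT ARCOUNT
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, an, ns, ar)

Q = _name("www.pantek.com") + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
A_RR = _rr(b"\xc0\x0c", 1, bytes([64, 208, 104, 250]))          # name = pointer to qname
NS_RR = _rr(b"\xc0\x10", 2, _name("ns1.pantek.com"))             # pointer to "pantek.com"
GLUE = _rr(_name("ns1.pantek.com"), 1, bytes([192, 0, 2, 53]))   # made-up TEST-NET address
FULL = _header(1, 1, 1) + Q + A_RR + NS_RR + GLUE
MINIMAL = _header(1, 0, 0) + Q + A_RR

def _skip_name(msg, off):
    """Return the offset just past the name at off (handles RFC 1035 compression)."""
    while True:
        n = msg[off]
        if n >= 0xC0:            # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n             # length byte plus label
        if n == 0:               # root label ends the name
            return off

def section_sizes(msg):
    """Map each section name to (record count, bytes it occupies in msg)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    out = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        start = off
        for _ in range(count):
            off = _skip_name(msg, off)
            rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10 + rdlen               # TYPE CLASS TTL RDLENGTH + RDATA
        out[sec] = (count, off - start)
    return out

if __name__ == "__main__":
    for label, msg in (("full", FULL), ("minimal", MINIMAL)):
        print(label, len(msg), "bytes:", section_sizes(msg))
```

Feeding section_sizes() the raw bytes of a response from your own server is a quick check that minimal-responses is actually in effect.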