[Mailman-Users] Slow delivery

Brad Knowles brad at shub-internet.org
Fri Mar 9 05:37:48 CET 2007


At 8:46 PM -0700 3/8/07, vancleef at lostwells.net wrote:

>  Maybe this is a good time to ask just how DNS-intensive the
>  non-sendmail MTA's are.  I am finishing off the basics on installing
>  sendmail with Mailman, and am including some discussion of the need to
>  install a good fast-response caching DNS server to work with sendmail.

All MTAs I know of are pretty DNS-intensive in their operation.  The 
more anti-spam or anti-virus filtering you do, or the more other 
things you do to check the incoming mail, the more DNS-intensive that 
work is going to be.

Of course, most MTAs should give you options on how to configure them 
so that they don't generate any DNS traffic at all, but then what 
you're doing is effectively turning off about 99.99% of what the MTA 
is intended to do when handling mail.


In this respect, I don't think that sendmail is necessarily much 
worse or much better than any other MTA.

>  Since then I've installed master and slave servers for my Intranet
>  LAN, but I would heartily recommend having at least a plain caching
>  server on the box that's running the MTA.

Years ago, this was actually a bit of a sore point amongst the 
experts.  Some said that you were better off having a smaller number 
of centralized caching nameservers, which handled all DNS traffic for 
the entire network.

Others said that you're better off having caching nameservers running 
on each box, to spread that load out.


Of course, the issue there is that Box A might do a DNS query of some 
sort, and retrieve data that could later be used by Box B, but if 
both machines are running their own nameservers as opposed to a 
centralized caching nameserver, then both machines will end up doing 
the same query, causing increased load on the remote end, etc....

Moreover, large caching nameservers can take up hundreds of megabytes 
(or even a couple of gigabytes) of RAM, so if you've got servers that 
are already using lots of RAM to process all their "real" work, then 
you may not have enough RAM to also run a large caching nameserver on 
the box.

Finally, sometimes consistency is more important than raw speed.  In 
other words, sometimes it's more important that the clients see that 
they get the same answers regardless of which server they ask, and 
the actual raw performance is not quite so important.  For example, 
when an AOL user sends e-mail to a remote recipient, it would be 
really bad for that user to get "okay, message accepted" on the first 
try and then "invalid domain" on the second try, and then get "okay, 
message accepted" on the third try, or whatever.  Since the DNS 
changes frequently, you could easily wind up with some pretty 
radically different views of the world on different servers, based on 
when they asked what questions.


To solve all these issues, what was recommended was a hybrid 
approach.  Run local caching-only servers on each box, but then have 
them forward all outgoing queries to a central set of caching-only 
nameservers.

The local nameserver would short-circuit all the repetitive queries 
from the same application to talk to the same remote system, while 
the centralized caching nameservers would ensure that everyone gets 
the same answer to a particular question, and would ensure that you 
don't actually send your queries to the outside world unless no 
machine at that site had asked that question within the time-to-live 
of the answer.


DNS experts now agree that it's generally a bad idea to have 
hierarchies of nameservers, although the overall problems have not 
otherwise changed.

So, pick your poison, but don't try to go with the hybrid approach. 
It creates too much of a central bottleneck and slows things down, 
and it also reduces your overall reliability of the system.


Of course, all detailed DNS questions should be asked on the 
appropriate mailing lists and/or newsgroups, although I can try to 
summarize as best I can -- I was a technical reviewer of the 2nd edition 
of Cricket's book, and I'm in the process of writing my own book on 
DNS security.

>  While all of my experience is with sendmail, I'm inclined to suspect
>  that the other MTA's all can stand a shot of local DNS service.
>  Anybody who can confirm this for Postfix, Exim, etc.?

All MTAs I know of make intensive use of the DNS -- sendmail, 
postfix, Exim, etc....

-- 
Brad Knowles <brad at shub-internet.org>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>
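
The three resolver layouts discussed in the message above, as an added simulation that is not part of the original post: it counts queries reaching the remote authoritative server, queries reaching the central cache, and moments when two boxes hold different answers. The class names, the two-box workload, the 300-second TTL and the record change at t=400 are all constructed assumptions.

```python
# Added illustration; every name and number here is constructed for the example.
TTL = 300  # seconds an answer may be cached

class Authority:
    """Remote authoritative server; its answer changes at t=400."""
    def __init__(self):
        self.queries = 0
    def resolve(self, name, now):
        self.queries += 1
        return ("192.0.2.1" if now < 400 else "192.0.2.2"), TTL

class Cache:
    """Caching resolver that asks `upstream` on a miss or after expiry."""
    def __init__(self, upstream):
        self.upstream, self.store, self.queries = upstream, {}, 0
    def resolve(self, name, now):
        self.queries += 1
        hit = self.store.get(name)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now          # pass on the remaining TTL
        answer, ttl = self.upstream.resolve(name, now)
        self.store[name] = (answer, now + ttl)
        return answer, ttl

def simulate(topology, boxes=2):
    """Return (authoritative queries, central-cache queries, disagreements)."""
    auth = Authority()
    central = Cache(auth)
    if topology == "per-box":      # every box runs its own full resolver
        resolvers = [Cache(auth) for _ in range(boxes)]
    elif topology == "central":    # every box asks the shared cache directly
        resolvers = [central] * boxes
    else:                          # "hybrid": local cache forwarding to central
        resolvers = [Cache(central) for _ in range(boxes)]
    disagreements = 0
    for now in range(0, 1000, 50):             # one lookup per box every 50 s
        # Box i starts sending mail (and resolving) at t = 250 * i.
        active = [r for i, r in enumerate(resolvers) if now >= 250 * i]
        answers = {r.resolve("example.org", now)[0] for r in active}
        disagreements += len(answers) > 1      # boxes saw different answers
    return auth.queries, central.queries, disagreements

if __name__ == "__main__":
    for layout in ("per-box", "central", "hybrid"):
        print(layout, simulate(layout))
```

The counts cover only remote load, central load and answer consistency; they do not model latency or availability of the central tier, which is the objection the message raises against the hybrid layout.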

