DNS versus NAT ?

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Jun 16 10:32:56 UTC 2019


On Thu, Jun 13, 2019 at 09:59:18AM +0100, Tony Finch wrote:

> > And if that is the case, then will my SOHO router catch fire if and when
> > I elect to send out through it a set of 65536 or more separate DNS queries,
> > all in rapid succession?
> 
> Almost certainly :-) Even quite big NAT boxes will get indigestion if you
> put a lot of DNS traffic through them. In general it's best to keep
> stateful middleboxes away from DNS servers. In your case you are probably
> better off either setting up a DMZ at home (if they will give you multiple
> IP addresses) or get a colo box for high volume DNS query traffic.

My DANE/DNSSEC survey machine (Low-power 25W Xeon SuperMicro) is
also my home router.  It performs NAT for the inside network, but
DNS traffic is specifically excluded from NAT early in the firewall
rules.  The internal machines must use the DNS cache on the border
machine.

With that in place, my unbound server is able to process ~2400 qps,
without running into any NAT state barriers.  Without the bypass
rules, I'd overflow the NAT state table in under a minute.  But
with the rules, ~9.8 million signed domains (multiple queries per
domain, covering DS/DNSKEY/MX and modulo dedup also A/AAAA/TLSA per
MX host) are processed in ~5 hours.

This yields a rather unusual unbound "cache", e.g. since last stats
reset:

    total.num.queries=21993259
    total.num.cachehits=9160

Or a cache hit rate that is less than 0.05% (under the driver blood
alcohol limit in Melbourne Australia :-).

-- 
	Viktor.
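As an added illustration (this is not code from the post or from unbound), a small Python helper that parses the key=value lines `unbound-control stats` prints, as quoted above, computes the cache hit rate, and applies the same back-of-the-envelope reasoning to a stateful NAT table: each outbound UDP query holds one mapping until its idle timeout expires. The 30 s UDP timeout and the 65536-entry table used in the usage are assumed values for illustration, not figures from the post.

```python
# Constructed sample in the key=value format quoted in the post.
SAMPLE_STATS = """\
total.num.queries=21993259
total.num.cachehits=9160
total.requestlist.avg=12.3
"""


def parse_unbound_stats(text: str) -> dict:
    """Parse key=value lines into a dict; numeric values become int or float."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            stats[key] = int(value)
        except ValueError:
            try:
                stats[key] = float(value)
            except ValueError:
                stats[key] = value
    return stats


def cache_hit_rate(stats: dict) -> float:
    """Fraction of queries answered from cache (0.0 .. 1.0); 0.0 if no queries."""
    queries = stats.get("total.num.queries", 0)
    if queries == 0:
        return 0.0
    return stats.get("total.num.cachehits", 0) / queries


def nat_state_demand(qps: float, udp_timeout_s: float) -> int:
    """Steady-state NAT entries held if every outbound UDP query creates one
    mapping that lives for udp_timeout_s seconds (Little's law: rate x time)."""
    return int(qps * udp_timeout_s)


def seconds_to_exhaust(qps: float, table_size: int) -> float:
    """Seconds until a table of table_size entries fills when entries are
    created at qps and none expire first (worst case for a short survey burst)."""
    return table_size / qps


if __name__ == "__main__":
    stats = parse_unbound_stats(SAMPLE_STATS)
    print(f"cache hit rate: {cache_hit_rate(stats):.4%}")
    # Assumed NAT parameters: 30 s UDP idle timeout, 65536-entry state table.
    print(f"entries held at 2400 qps: {nat_state_demand(2400, 30)}")
    print(f"seconds to fill 65536 entries: {seconds_to_exhaust(2400, 65536):.1f}")
```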


