[syslog-ng] DNS caching
Balazs Scheidler
bazsi@balabit.hu
Thu, 21 Mar 2002 10:32:51 +0100
On Thu, Mar 21, 2002 at 09:17:33AM +0100, Michael Renner wrote:
> At 09:01 20.03.2002 +1000, you wrote:
> >On Tue, 19 Mar 2002 at 10:24am (+0100), Balazs Scheidler wrote:
> >[...]
> >
> > >
> > > can you check this patch, whether it fixes your problem ?
> > >
> > > diff -u -r1.37 cfgfile.c
> > > --- cfgfile.c 2001/09/03 16:42:23 1.37
> > > +++ cfgfile.c 2002/03/19 09:23:55
> >
> >[...]
> >
> >Thank you... it appears to be working as advertised now. When running with
> >NSCACHE_DEBUG enabled we get lots of messages like...
> >
> >.... which looks good. CPU usage for the syslog process has dropped from
> >~80% to ~40% (hazzah!) and the named process that was doing local caching
> >has dropped from ~10% to almost nil.
>
> Dear Bazsi,
>
> Thanks, also works flawlessly here, I get hardly any hits on my dnscache.
> Btw. the default option of dns_cache is "on", maybe you should document
> this or change it to "no", otherwise people who upgrade to newer versions
> (with the fixed dns_cache) may be confused by the "new" behaviour of syslog-ng.
>
> You also mention "syslog-ng blocks on DNS queries, so enabling DNS may lead
> to a Denial of Service attack." in your documentation. Does this mean that
> syslog messages which are received by the NIC, while syslog-ng performs a
> synchronous DNS lookup, are stored in the kernel's receive buffer or are
> dropped?
They are stored in receive buffers in the kernel, but if a message doesn't
fit into this receive buffer, it is dropped. This applies only to UDP and
unix-dgram messages.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
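
Added example, not part of the original message and not syslog-ng code: a loopback measurement of the behaviour described in the reply above, where UDP datagrams that arrive while the reader is blocked are kept only as long as they fit in the kernel receive buffer. The function name burst_while_blocked, the buffer sizes, the sleep standing in for a synchronous DNS lookup and the payload are all constructed for illustration; it also goes one step further than the reply by comparing a small and a large SO_RCVBUF request.

```python
import socket
import time


def burst_while_blocked(rcvbuf, sent=500, size=512, stall=0.2):
    """Send `sent` UDP datagrams to a loopback socket nobody is reading,
    then drain it. Returns (effective_rcvbuf, received, lost)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Request a receive buffer size; the kernel may round or cap it.
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    rx.bind(("127.0.0.1", 0))  # constructed listener on an ephemeral port
    effective = rx.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = b"<13>constructed test message ".ljust(size, b"x")
    for _ in range(sent):
        tx.sendto(payload, rx.getsockname())

    # Stand-in for the daemon sitting in a synchronous DNS lookup:
    # nothing calls recv(), so the kernel buffer is the only storage.
    time.sleep(stall)

    rx.setblocking(False)
    received = 0
    try:
        while True:
            rx.recv(65535)
            received += 1
    except BlockingIOError:
        pass  # buffer drained
    finally:
        rx.close()
        tx.close()
    return effective, received, sent - received


if __name__ == "__main__":
    for requested in (4096, 1 << 20):
        eff, got, lost = burst_while_blocked(requested)
        print(f"SO_RCVBUF requested={requested} effective={eff} "
              f"received={got} lost={lost}")
```

The sender sees no error for the lost datagrams, so the loss is only visible on the receiving host.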