Archive for the ‘General’ Category

PowerDNS does not as yet support GPD as an upstream forwarder

December 6, 2009 Yusuf Goolamabbas Comments off

My last post explained how Dan Bernstein’s dnscache could be used along with Google Public DNS (GPD) as an upstream forwarder.

Those who spend time with DNS are likely to be aware of Bert Hubert’s PowerDNS, which comes in two flavours: an authoritative nameserver and a recursive nameserver.

PowerDNS currently hard-codes the RD (recursion desired) bit to 0 when it sends DNS packets to nameservers configured in its forward-zones/forward-zones-file configuration parameter. This makes it impossible to configure an open recursive nameserver such as GPD as a forwarder. There is a ticket open in PowerDNS about it and Bert has mentioned on the mailing list that he is close to making the changes to provide the required functionality. This feature might come in a future PowerDNS recursor release.

Categories: General

Combining DJB’s dnscache and Google’s Public DNS

December 6, 2009 Yusuf Goolamabbas 2 comments

Most of the comments which I’m reading about Google Public DNS (GPD) performance centre around round trip latency from an end-user’s location to GPD’s resolvers vis-a-vis their network location, comparing the round trip time to their local ISP DNS cache. Ping time is only one part of the time taken for DNS resolution. One also needs to factor in DNS resolution time, which can be affected by cache locality and sizing as well as how well connected the authoritative nameserver for the query is relative to the DNS resolver. IMHO, an effective way of setting up an office DNS cache is to set up a local caching nameserver such as Dan Bernstein’s dnscache and use GPD as an upstream forwarder.

Thus domains which are repeatedly asked for are answered from your local dnscache, and the long tail of domains can be answered by GPD, which may have it in its cache because what may be infrequent for your organisation is frequent for someone else who is using GPD. This gives you the best of both worlds: fast local caching, and a fast recursive resolver when you have no locally cached results.

I’m assuming that in the coming weeks, Google will reach out to a number of organisations who use anycast DNS, such as Content Delivery Network operators (Akamai, Limelight, CDNetworks etc) and authoritative DNS server operators (Dynect, UltraDNS, DNSMadeEasy etc), and work out better network routing amongst them.

These instructions assume that you have set up dnscache as an external forwarding cache for your organisation.
Then run the following commands (this assumes that you have installed dnscache as per DJB’s setup; Ubuntu/Debian users may have to adjust paths if they use packages from these distributions).

echo 1 > /service/dnscache/env/FORWARDONLY
echo '8.8.8.8
8.8.4.4' > /service/dnscache/root/servers/@
svc -t /service/dnscache
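
The same change with a backup of the existing root server list and a way to undo it, as an added example that is not part of DJB's tools or the original post. The function names, the servers-at.orig backup file and the RESTART variable are hypothetical; the paths below the service directory are the ones used above.

```shell
#!/bin/sh
# Switch a dnscache service directory to forward-only mode, keeping the old
# root server list so the change can be reverted.
# usage: set_forwarders /service/dnscache 8.8.8.8 8.8.4.4

valid_ipv4() {          # servers/@ takes one IPv4 address per line
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

restart_dnscache() {    # skipped when RESTART=0 or svc is not installed
    [ "${RESTART:-1}" = 1 ] || return 0
    command -v svc >/dev/null 2>&1 || return 0
    svc -t "$1"
}

set_forwarders() {      # usage: set_forwarders DIR IP [IP...]
    dir=$1; shift
    [ -d "$dir/env" ] && [ -f "$dir/root/servers/@" ] || return 1
    [ $# -ge 1 ] || return 1
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejecting '$ip'" >&2; return 1; }
    done
    # Back up outside servers/ (dnscache treats each file name in that
    # directory as a domain) and only once, so a second run does not
    # replace the saved root list with the forwarders.
    [ -e "$dir/root/servers-at.orig" ] ||
        cp -p "$dir/root/servers/@" "$dir/root/servers-at.orig"
    printf '%s\n' "$@" > "$dir/root/servers-at.new"
    mv "$dir/root/servers-at.new" "$dir/root/servers/@"
    echo 1 > "$dir/env/FORWARDONLY"
    restart_dnscache "$dir"
}

revert_forwarders() {   # usage: revert_forwarders DIR
    dir=$1
    [ -f "$dir/root/servers-at.orig" ] || return 1
    mv "$dir/root/servers-at.orig" "$dir/root/servers/@"
    rm -f "$dir/env/FORWARDONLY"
    restart_dnscache "$dir"
}
```
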

Categories: General

Using Google Public DNS in conjunction with DD-WRT/DNSMasq

December 5, 2009 Yusuf Goolamabbas 2 comments

There has been a lot of buzz regarding Google Public DNS, hereafter called GPD. Google’s instructions are designed for end users modifying their own computers. I think GPD can be very useful if used in conjunction with a forwarding cache on a router. This is the mechanism I used on my Linksys WRT54GL running DD-WRT v24 to combine DNSMasq with GPD’s provided IP addresses 8.8.8.8 and 8.8.4.4 as the upstream DNS.

I assume that you have enabled SSH access to the router so you can log in via SSH and take backups of the old values of the upstream DNS.

  1. SSH into your router and run cat /tmp/resolv.dnsmasq. Save the IP addresses listed somewhere in case you want to revert.
  2. Go to the Commands tab under Administration.
  3. In the Commands box paste the following:

    echo "nameserver 8.8.8.8
    nameserver 8.8.4.4" > /tmp/resolv.dnsmasq
    sleep 1
    killall -HUP dnsmasq

  4. Click Save Firewall (note: your WAN interface will be restarted)

Now you can take advantage of the DNS caching on your router, and misses on the router’s DNS cache are sent to GPD for resolution. Note that websites which use a CDN will now determine the closest node based on where the anycasted GPD addresses 8.8.8.8 and 8.8.4.4 resolve to relative to your network.

In a future post, I’ll write about how GPD can be integrated as an upstream forwarder using dnscache and why PowerDNS recursor doesn’t support using an open resolver as an upstream forwarder at present

Categories: General

Why I think Chrome is coming out of beta now

December 12, 2008 Yusuf Goolamabbas Comments off

There have been a lot of discussions and blog posts describing how Chrome has had one of the shortest, if not the shortest, beta cycles from Google. Most of the discussion has centered around the business requirement from OEMs of having non-beta software for pre-installation. Whilst this is valid, in my opinion this pre-deployment would still take a while to go through, since I expect the earliest that manufacturers will start a new build will be after Chinese New Year (end of Jan), and subsequently with another QA cycle it could be March-April before boxes with Chrome pre-installed show up in stores.

In my opinion, Google wants to take advantage of the holiday season where everyone is visiting family and doing the usual “tech support”. A lot of early adopters would like to get their parents’ computers cleaned up and install alternative browsers. Google’s Chrome is clean and, with the search box integrated nicely with the address bar, would be very useful to many who don’t care about the lack of extensions.

I for one would really like for sites to actively discourage use of Internet Explorer 6 and push their users to alternatives such as Firefox, IE7, Chrome, Opera.

It will however be interesting to see how Chrome’s mechanism of being chatty with Google for its auto-suggestion may impact usage in markets where people have bandwidth limits.

Categories: General

The IT Crowd is side splittingly funny

December 11, 2008 Yusuf Goolamabbas Comments off

I’m having a great time watching Season 3 of the IT Crowd. I loved Season 1 and Season 2 and converted a lot of my colleagues to be watchers of the show.

Season 3 hasn’t disappointed so far and I had a great time watching Episode 3 with a brilliant moment when Moss recovers from his concussion and there is a Windows startup sound to signify his brain being “rebooted”

Categories: General, Humor

Explaining Velocix's value proposition for the technically inclined

July 22, 2008 Yusuf Goolamabbas Comments off

I was introduced to uber-smart hacker and phenomenally successful serial entrepreneur Adam Twiss, who originally wrote ApacheBench whilst he was at Zeus and subsequently donated it to the Apache Foundation.

Adam is the co-founder and CTO of Velocix which was formerly known as CacheLogic.

Velocix is well known for its hybrid P2P based CDN network and I was trying to get a better understanding of how things worked behind the scenes in order to evaluate its suitability for various projects at work.

This is really oversimplifying their value proposition but for a technical person I would say that Velocix basically can provide a constant backfill to a BitTorrent swarm should a client want to use BitTorrent as a content delivery protocol.

Obviously Velocix can do a lot more than the above but it was hard for me to extract the above value proposition which was interesting to me from their website.

Hopefully this blog post can get some Google karma and help prospective Velocix customers

Categories: General

Firefox 3 and its impact on servers particularly those serving static content

June 18, 2008 Yusuf Goolamabbas Comments off

Firefox 3 has been released and by all accounts there has been enormous uptake of this fine browser.

If you aren’t familiar with the browser, I would encourage you to visit Deb Richardson’s brilliant Field Guide to Firefox 3 which describes a number of key Firefox 3 features in a very accessible manner.

One thing I would like to mention is that Firefox 3 has improved connection parallelism. The default limit for concurrent connections per hostname has been increased from 2 to 6 which is similar to IE8. Details can be found in this bug report here and for the technically inclined these are the new defaults

pref("network.http.max-connections", 30);
pref("network.http.max-connections-per-server", 15);
pref("network.http.max-persistent-connections-per-server", 6);
pref("network.http.max-persistent-connections-per-proxy", 8);

Whilst the improved connection parallelism is one factor in improved page load performance, web server administrators who are currently serving content via Apache need to factor in increased concurrent connections from Firefox 3 and tweak their MaxClients setting appropriately.

If they are using Apache to serve static content, maybe they should consider switching to lighttpd and nginx for serving such content.

Google’s Steve Souders has a great roundup on Parallel Connections in this blog entry.

Categories: General, Mozilla

Twitter's use for SMS sending and receiving

June 7, 2008 Yusuf Goolamabbas Comments off

Hong Kong is unique in the sense that whilst we have insane mobile penetration of 154.4 %, there is a huge price difference between voice plans and SMS plans.

Depending on a third party long distance provider, it is actually cheaper to call somebody up and speak for a few minutes (HK-US charges are 7 cents/min and an SMS costs at minimum HK$ 2), and convey more, than to send an SMS to that person.

Thus, I find Twitter’s SMS integration very useful. I tell my family members to sign up to Twitter and then also enable their mobile devices. In India, Twitter has a shortcode 5566511.

In Hong Kong, wifi access is ubiquitous via the GovWiFi program as well as efforts by FON and by PCCW, Hong Kong’s dominant telco provider, so hopefully the upcoming launch of the iPhone in Hong Kong can help me by allowing me to have access to Twitter.

Using a La Fonera as a sandbox SSID to provide safer access for visitors in the office

May 2, 2008 Yusuf Goolamabbas Comments off

I was chatting with Ali Ebrahim over IM and mentioned to him that the La Fonera was quite useful as a quick mechanism to provide a sandbox SSID for visitors to his office who wanted to connect to the Internet. I’d like to elaborate on the exact mechanism.

Offering access via the office WLAN or even via a wired connection opens up the risk of an external entity having access to an office’s internal network. I’ll leave it to your imagination as to what could possibly go wrong here (virus infection, internal file shares visible etc).

Whilst it is always possible to deny any form of Internet access to a visitor, it is possible via a La Fonera not only to provide access but at the same time to be secure.

You may rightfully ask

Won’t it require the visitor/guest to be a fonero, that is, to run a La Fonera/Fonera+ at his/her home/office so that he could connect to our office’s FON Access Point? This may preclude the majority of visitors to an office.

The answer is

  • Use the Friends and Family mechanism available by logging in on the FON User Zone.

The Friends and Family mechanism in the FON User Zone enables a fonero to set up local users on his FON Access Point with an associated password. This username and password is specific to that FON Access Point. You just need to set up one username/password. Multiple users can connect to that FON Hotspot via that username/password. I recommend modifying the captive portal page to inform people about the username/password. The La Fonera defaults to having the bandwidth limited to 512 Kbit/sec to the Internet for connections made via its FON_whatever SSID. Connections made to the public SSID FON_whatever are on a separate VLAN and users cannot see any open shares on the office network.

Thus with this mechanism, one could allow access to the Internet to visitors/guests in an office environment by having them connect to the open FON_whatever SSID and still have them separate from the office internal network. You should keep your private SSID secure using WPA2 and use a difficult to guess password. It’s best to change the default password, which is the serial number of the La Fonera, as well as the default private SSID, which is MyPlace.

BTW, If you are using FON, I really recommend the Devicescape Connection Manager. It makes connecting to FON Hotspots pretty much a no-brainer. I really wish providers like Y5Zone and PCCW in Hong Kong would work with Devicescape and get their hotspots supported in the system. I’ve seen a number of their customers asking in the forums how to get Devicescape working with such hotspots. I’m also looking forward to a proper iPhone Devicescape app when Apple officially allows it

Categories: General

A brief interlude with Yahoo Pipes

April 29, 2008 Yusuf Goolamabbas Comments off

Friend and fellow jamaat member Ali Ebrahim recently set up an instance of the Venus RSS aggregator to create Planet Bohra. He had pulled the twitter feed for mumineen.org but my grief was that when I clicked the link from inside Planet Bohra, I would be sent to the twitter page and not to the final destination.

I thought I would have to hack Planet to get around this. Thinking for a few minutes, I realised that maybe I should munge the twitter feed via Yahoo Pipes and started playing around with it (I had never used Yahoo Pipes before).

A short while later, I had something which did the trick and Ali was able to incorporate it into Planet Bohra.

I should try and get together with Ali and see if we can do something more interesting via Yahoo Pipes.