Re: Thoughts on a large-scale DNS server...

From: John Von Essen (john_at_essenz.com)
Date: 06/28/05

  • Next message: Dan Ross: "Re: option 82 on isc dhcp"
    Date: Tue, 28 Jun 2005 11:23:14 -0400 (EDT)
    To: Adam Jacob Muller <adam@oxeo.com>
    
    

    Adam,

    Thanks for the info. The two servers will be in two geographically
    separated datacenters. I am unfamiliar with djbdns. The first question I
    have is, are the zone file configurations the same? We currently have all
    11,000 zone files ready to go within a BIND environment, and we really
    don't want to have to change the core config style of all those domains.

    As for TTL, we currently use a 24-hour TTL; for the zone file itself we then
    do something like:

    $TTL 86400
    @ IN SOA ...
                   2004100500 ; Serial
                   10800 ; Refresh after 3 hours
                   3600 ; Retry after 1 hour
                   604800 ; Expire after 1 week
                   86400 ) ; Minimum TTL of 1 day

    The majority of our DNS will rarely if "ever" change. I would only use
    Linux if I was really convinced that BIND (or djbdns) for some reason or
    another ran better (better pthread support, etc.) on it. But then again
    I'm partial to FreeBSD.

    -John

    On Tue, 28 Jun 2005, Adam Jacob Muller wrote:

    > I annotated your message below, basically explaining our similar setup.
    >
    > On Jun 28, 2005, at 10:42 AM, John Von Essen wrote:
    >
    > > I have been tasked with setting up a large-scale DNS server environment
    > > (one ISP is taking over another ISP) and would greatly appreciate any
    > > thoughts or experiences that could help me out.
    > >
    > > In the end we will probably be doing authoritative DNS for 11,000 domains,
    > > and another 200 or so in-addr.arpa address ranges for reverse resolution.
    >
    > we have ~10k domains right now, and much less than 200 PTRs
    >
    > >
    > > The plan is to have 3 core machines. One is the master, and gets its zone
    > > files created from local CVS exports. The other two are slaves, and do
    > > zone transfers from the master. The public will actually only talk to
    > > these two slave DNS servers (NS1 and NS2). The machines themselves will be
    > > single 3 GHz Xeon, 1 GB memory, and 70 GB RAID 1 U320 SCSI. For every
    > > machine, we will have a standby machine waiting and ready.
    >
    > Sounds like a very conservative setup, and for DNS that's good. If at
    > all possible I would suggest that you move at least one of those servers
    > to a totally separate network. This is important: if your network is
    > unreachable for, say, 20 minutes for any reason, anyone who queries your
    > DNS in that time and caches the result will be unable to connect until
    > that invalid entry clears from their cache.
    >
    > As Slashdot tells us, some providers ignore your set records,
    > http://ask.slashdot.org/article.pl?sid=05/04/18/198259&tid=95&tid=128&tid=4
    > so this is a very prudent step, as I'm sure providers also tweak the
    > retry times since failed lookups are more likely to be repeated and
    > consume more resources than successful ones.
    >
    >
    > >
    > > The first question is, do I have enough CPU/memory? Keep in mind these
    > > machines will do nothing but DNS.
    >
    > Yes
    >
    > >
    > > Are there any performance issues with using regular filesystem directory
    > > zone file storage? For example, we will have a very large named.conf file
    > > with some 11,000 zone entries (I have never worked with a named.conf
    > > file that big before). Those entries will just reference the local
    > > filesystem, file "s/a/adam.com"; and so on.
    > >
    > > The next big question is BIND8 or BIND9. I would like to take advantage of
    > > threading in BIND9, but saw a previous post that BIND9 can have difficulty
    > > working with BIND8 servers which were incorrectly set up, whereas BIND8 can
    > > allow for a certain level of "external" incompetence.
    >
    > The real question is, do you want to use BIND at all?
    > We currently use djbdns to manage everything; I personally find it to
    > be much more tolerant of errors than any version of BIND.
    > http://cr.yp.to/djbdns.html
    >
    >
    > >
    > > And finally, Linux or FreeBSD, and if FreeBSD, 4 or 5.
    >
    > FreeBSD
    >
    > >
    > > Current staff (besides me) want to run Debian Linux, but BIND9 pthreads
    > > don't work in Linux; do they work in FreeBSD? I want to use FreeBSD just
    > > because it's better overall with regards to TCP/IP.
    >
    > Debian is a good, stable Linux distro, my personal favorite in fact
    > (though Gentoo is also nice).
    > Linux is more reliable out of the box; FreeBSD can be, and is, more
    > reliable if you know how to work it.
    >
    > >
    > > The only performance numbers we got from the other ISP are that the existing
    > > DNS servers use about a constant 400 kbps (bits) of bandwidth.
    >
    > The bandwidth and the needed server specs are a combination of two
    > things: first, the number of domains you have, and second, the TTL on
    > those domains.
    > We currently use a TTL of 12 hours. This serves us well. If you halve
    > the TTL to, say, 6 hours, expect to double the number of DNS queries.
    > If you double the TTL to 24 hours, expect to halve the number of DNS
    > queries.
    >
    > >
    > > Thanks in advance
    > > John
    > > _______________________________________________
    > > freebsd-isp@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    > >
    >
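John's first question above is whether djbdns takes the same zone files as BIND. It does not: tinydns reads a flat data file, one record per line, compiled by tinydns-data. The converter below is an added example, not code from this thread, from BIND or from djbdns. It handles the BIND syntax the thread shows ($TTL, @, a parenthesised multi-line SOA, inherited owner names) plus NS, A, MX, CNAME, TXT and PTR, with numeric TTLs only and no $INCLUDE or $GENERATE. The zone contents (example.com, example.net, the addresses and the SPF string) are constructed sample data.

```python
"""BIND zone file -> tinydns-data lines (added example, constructed data).

tinydns does not read BIND zone files: tinydns-data compiles a flat 'data'
file, one record per line.  Handled here: $TTL, $ORIGIN, @, relative names,
inherited owners, parenthesised SOA, NS/A/MX/CNAME/TXT/PTR.  Numeric TTLs only.
"""
import shlex

# rdata positions that hold domain names and must be qualified against $ORIGIN
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}
# tinydns-data line types; '+' (not '=') for A so no PTR is generated as a side effect
FMT = {"NS": "&{o}::{n[0]}:{t}", "A": "+{o}:{n[0]}:{t}", "CNAME": "C{o}:{n[0]}:{t}",
       "PTR": "^{o}:{n[0]}:{t}", "MX": "@{o}::{n[1]}:{n[0]}:{t}"}


def _logical_lines(text):
    """Join '(' ... ')' continuations and drop ';' comments, honouring quotes."""
    out, cur, depth, in_quote = [], [], 0, False
    for raw in text.splitlines():
        for ch in raw:
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote and ch == ";":
                break
            elif not in_quote and ch in "()":
                depth += 1 if ch == "(" else -1
                continue
            cur.append(ch)
        cur.append(" ")
        if depth == 0:
            if "".join(cur).strip():
                out.append("".join(cur))
            cur = []
    return out


def _fqdn(name, origin):
    """Resolve '@' and relative names against the current origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, zone):
    """Return (owner, ttl, rtype, rdata) tuples with every name fully qualified."""
    origin = zone.rstrip(".") + "."
    default_ttl, owner, records = None, origin, []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], origin)
            continue
        if line[0].isspace():               # blank owner field: reuse previous owner
            fields = tokens
        else:
            owner, fields = _fqdn(tokens[0], origin), tokens[1:]
        ttl = default_ttl
        if fields[0].isdigit():             # optional TTL before the class
            ttl, fields = int(fields[0]), fields[1:]
        if fields[0].upper() == "IN":       # optional class
            fields = fields[1:]
        rtype, rdata = fields[0].upper(), fields[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = _fqdn(rdata[i], origin)
        records.append((owner, ttl, rtype, rdata))
    return records


def _esc(s):
    """':' is the tinydns-data field separator, so encode it (and '\\') in octal."""
    return s.replace("\\", "\\134").replace(":", "\\072")


def to_tinydns(records):
    """Emit one tinydns-data line per record; unsupported types raise, never vanish."""
    out = []
    for owner, ttl, rtype, rdata in records:
        o, t = owner.rstrip("."), "" if ttl is None else str(ttl)
        n = [x.rstrip(".") for x in rdata]       # tinydns names carry no trailing dot
        if rtype == "SOA":
            if len(n) != 7:
                raise ValueError(f"malformed SOA for {o}")
            out.append(f"Z{o}:{':'.join(n)}:{t}")
        elif rtype == "TXT":
            out.append(f"'{o}:{_esc(' '.join(rdata))}:{t}")
        elif rtype in FMT:
            out.append(FMT[rtype].format(o=o, n=n, t=t))
        else:
            raise ValueError(f"{rtype} record for {o} has no tinydns-data line type")
    return out


def bind_to_tinydns(text, zone):
    return to_tinydns(parse_zone(text, zone))


# Constructed sample zone, modelled on the SOA timers quoted in the thread
SAMPLE_ZONE = """\
$TTL 86400
@       IN SOA  ns1.example.net. hostmaster.example.net. (
                2004100500 ; Serial
                10800      ; Refresh after 3 hours
                3600       ; Retry after 1 hour
                604800     ; Expire after 1 week
                86400 )    ; Minimum TTL of 1 day
        IN NS   ns1.example.net.
www     IN A    192.0.2.10
mail    IN A    192.0.2.25
@       IN MX   10 mail
        IN TXT  "v=spf1 mx -all"
ftp 3600 IN CNAME www
"""

if __name__ == "__main__":
    print("\n".join(bind_to_tinydns(SAMPLE_ZONE, "example.com")))
```

Two choices in the converter are deliberate. A records become `+` lines rather than `=` lines, because `=` also emits a PTR and a bulk conversion of 11,000 zones would otherwise publish reverse records nobody intended. And a record type with no tinydns-data line type (AAAA in stock tinydns, for instance) raises instead of being skipped, so the conversion fails loudly rather than quietly losing records. Before cutting over, compile the output with tinydns-data and compare the answers from the old and new servers zone by zone.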

