In the sense of expanding DNS infrastructure, your
comments seem sane enough (you definitely read that
DNS & BIND book :-)

On the other side, I really need to introduce
_additional_ availability of DNS servers/resolvers.
This is especially true for resolvers as they are the
first layer users are facing. Assume the situation
when an ordinary Windows user tries to access a web page
not yet cached in his box's local DNS cache. From my
experience, it takes up to 15 seconds for a Windows
box to contact the other resolver. And that is
something I'm trying to avoid by using
high-availability and load-balancing.

As already seen, it cannot be done (yet) using
hoststated or "rdr" alone because packet payload
inspection and modification is needed for it to work,
and it is a hack, etc., etc.

I was also reading about new features of IP-based
load-balancing in carp(4) in the upcoming release of
OpenBSD (4.2). It seems that it would be enough to
install a farm of OpenBSD resolver boxes with CARP and
IP load balancing enabled on the boxes themselves. No
external load-balancing boxes, no packet modifications
required. Although, it seems that it does require some
extra configuring depending on the network equipment being
used. Also, IP load-balancing imposes additional load
on network equipment. (I'm dealing with Cisco Catalyst
6500 series switches.)

To conclude my goals:
- remove 15 second timeout for end users,
- deal with only 2 resolver addresses,
- use more than 2 resolver boxes.

Anyone successfully running a similar scenario?

Cheers (and thanks for all suggestions),
r.

> reje wrote:
> > Yes, we have that many DNS requests hitting our
> > servers
> > (we are not experiencing any DoS but from
> > legitimate
> > user requests :-)
> >
> > Furthermore, the DNS infrastructure timeouts are
> > unacceptable in our scenario. Registering
> > additional NS records is also unacceptable.
> >
> > FYI: our primary DNS experiences cca. 4000
> > requests per second, secondary goes with cca. 3000
> > req/sec.
> >
> > Primary server is SUN Fire V480 with 16GB RAM,
> > secondary is also SUN Fire V480 with 8GB RAM.
> > Both servers are running Solaris 9 + BIND 9.
> > Firewall is PIX 535, works like a charm.
>
> Increase some of your heavily used records' TTLs.
>
> Add more public slave servers, 5-7 is a good number.
> 
> Have them pull from a hidden master.
> 
> Put some of the servers far away from you, but near
> your clients. e.g: London, Frankfurt, Paris, Sydney,
> wherever (can't do that with load bal).
>
> If you have both of your only 2 servers in the same
> rack, you will have problems. I once saw one idiot
> put both DNS servers into Solaris 10 zones on a
> single box (e15k). What is the point??????
> 
> I used to work for an ISP serving some popular
> domains. Used white i386 boxes in various colo racks
> (own and others), nae probs.
> 
> Firewalling was done by Juniper, no load balancing.
> 
> Go re-read the DNS and BIND book.
> -- 
>
> ====================================================
> Craig Skinner            [EMAIL PROTECTED]
>
> Phone +44 (0) 1506 673024    5-digit
> shortdial:x73024
> 
> Sun Remote Support Centre, Linlithgow, Scotland, UK
>
> ====================================================
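The carp(4) IP load-balancing setup discussed above (a farm of N resolver boxes answering on just two shared resolver addresses) comes down to giving every box the same set of virtual host IDs but a different one to be master of. The script below is an added example and is not code from this thread or from the OpenBSD project; it generates the per-box `hostname.carp0` / `hostname.carp1` lines for such a farm. The interface name, addresses, vhid numbers and CARP password are placeholders, and the option spelling (`carpnodes vhid:advskew,...`, `balancing ip`, `carpdev`, `pass`) is taken from carp(4)'s balancing mode as I recall it, so check it against the carp(4) and hostname.if(5) pages of the release you actually run before using it.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenBSD.
# Generates CARP IP-balancing configuration for an N-box resolver farm
# that serves two shared resolver addresses.  All names/addresses below
# are constructed placeholders.

# carpnodes list for one box: it owns (advskew 0) exactly one vhid of the
# group and backs up (advskew 100) all the others, so every vhid has one
# preferred master and the boxes share the address evenly.
carpnodes_for() {
    # $1 = this box's index (1..N), $2 = N, $3 = first vhid of the group
    node=$1; total=$2; base=$3
    i=1; out=""
    while [ "$i" -le "$total" ]; do
        vhid=$((base + i - 1))
        if [ "$i" -eq "$node" ]; then skew=0; else skew=100; fi
        out="${out}${out:+,}${vhid}:${skew}"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# hostname.carpX contents for one box and one shared address.
# $1 box index, $2 N, $3 first vhid, $4 shared address, $5 physical device
carp_hostname_file() {
    printf 'carpnodes %s balancing ip carpdev %s pass %s %s netmask 255.255.255.0\n' \
        "$(carpnodes_for "$1" "$2" "$3")" "$5" "CARP_PASSWORD_PLACEHOLDER" "$4"
}

# Print the two carp files for every box in the farm.
# $1 = N boxes; the two resolver addresses use vhid groups starting at 1 and 11.
farm_config() {
    total=$1
    n=1
    while [ "$n" -le "$total" ]; do
        echo "## box $n: /etc/hostname.carp0"
        carp_hostname_file "$n" "$total" 1  192.0.2.53 em0
        echo "## box $n: /etc/hostname.carp1"
        carp_hostname_file "$n" "$total" 11 192.0.2.54 em0
        n=$((n + 1))
    done
}

# Usage: three boxes, two resolver addresses (placeholder values)
farm_config 3
```

Two caveats from a defender's point of view: `pass` protects CARP advertisements on the shared segment, so it must be identical across the farm and must not be left at a placeholder, and IP balancing makes every box receive every packet for the shared address (which is the extra switch load mentioned above), so a box that drops out of the group silently stops answering its share of queries; monitor the CARP state of each vhid, not just whether the shared address pings.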