Re: Load Balancer for DNS
On Apr 5, 2010, at 2:06 AM, sasa sasa wrote:

> Hello everyone,
>
> Anyone used any load balancer for DNSs? Any recommendation? It's 2 caching-only DNSs, and I'd like to make a load balance between them using software.

They all suck, some just seem to suck less than others -- the Foundry ServerIron products fit in the latter category, or at least did a few years back. No idea what they are like since the acquisition.

W

> best regards,
> Sasa

--
It is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead -- E.W. Dijkstra, 1930-2002

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Load Balancer for DNS
On 4/5/2010 2:06 AM, sasa sasa wrote:

> Hello everyone,
>
> Anyone used any load balancer for DNSs? Any recommendation? It's 2 caching-only DNSs, and I'd like to make a load balance between them using software.

I would recommend that before adding load balancers that you consider the problem that you are actually attempting to solve. For the cost of a load balancing solution you might be able to deploy more caching servers that would probably work better in the long run.

AlanC
RE: Load Balancer for DNS
That answer seems to imply that when load is high enough on existing caching servers the traffic will go to the others. Is that the case? At what point does this occur?

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Alan Clegg
Sent: Monday, April 05, 2010 10:58 AM
To: bind-users@lists.isc.org
Subject: Re: Load Balancer for DNS

On 4/5/2010 2:06 AM, sasa sasa wrote:

> Hello everyone,
>
> Anyone used any load balancer for DNSs? Any recommendation? It's 2 caching-only DNSs, and I'd like to make a load balance between them using software.

I would recommend that before adding load balancers that you consider the problem that you are actually attempting to solve. For the cost of a load balancing solution you might be able to deploy more caching servers that would probably work better in the long run.

AlanC
RE: Load Balancer for DNS
Load-balancers are used for redundancy as well as performance management. In the case of DNS, one way it might be used is to shunt client requests to the servers that are up, thus side-stepping client-side resolve timeouts.

Chris Faehl

-----Original Message-----
From: bind-users-bounces+cfaehl=rightnow@lists.isc.org [mailto:bind-users-bounces+cfaehl=rightnow@lists.isc.org] On Behalf Of Lightner, Jeff
Sent: Monday, April 05, 2010 9:04 AM
To: Alan Clegg; bind-users@lists.isc.org
Subject: RE: Load Balancer for DNS

That answer seems to imply that when load is high enough on existing caching servers the traffic will go to the others. Is that the case? At what point does this occur?

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Alan Clegg
Sent: Monday, April 05, 2010 10:58 AM
To: bind-users@lists.isc.org
Subject: Re: Load Balancer for DNS

On 4/5/2010 2:06 AM, sasa sasa wrote:

> Hello everyone,
>
> Anyone used any load balancer for DNSs? Any recommendation? It's 2 caching-only DNSs, and I'd like to make a load balance between them using software.

I would recommend that before adding load balancers that you consider the problem that you are actually attempting to solve. For the cost of a load balancing solution you might be able to deploy more caching servers that would probably work better in the long run.

AlanC
Re: Load Balancer for DNS
2010/4/5 sasa sasa <sasasa20...@yahoo.com>

> Hello everyone,
>
> Anyone used any load balancer for DNSs? Any recommendation? It's 2 caching-only DNSs, and I'd like to make a load balance between them using software.

Use LVS as freeware load balancer, it's good enough.

Best regards,
Sebastian Tymkow
Re: Load Balancer for DNS
Yes, we've been using the ip sla feature for some time now, works well. BGP/OSPF via quagga also are great solutions.

Dan Durrer
No-ip.com

Sent from my iPad

On Apr 5, 2010, at 8:39 AM, Matthew Pounsett <m...@conundrum.com> wrote:

> On 2010/04/05, at 02:06, sasa sasa wrote:
>
>> Hello everyone,
>>
>> Anyone used any load balancer for DNSs? Any recommendation? It's 2 caching-only DNSs, and I'd like to make a load balance between them using software.
>
> Unless you're willing to spend a lot of money, load balancers are generally not the best way to go. They tend to be specced out for average internet traffic, which has a much lower packets/megabit ratio than DNS traffic does. You're much better off using routing protocols to balance traffic between DNS servers. Have a look at this[1] how-to.. it'll point you to a technote by ISC about how to do OSPF anycast within a LAN, as well as explain a slightly simpler (but Cisco-only) solution.
>
> Cheers,
> Matt
>
> [1] http://mpounsett.blogspot.com/2009/02/load-balancing-dns-using-ciscos-ip-sla.html
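The routing-protocol approach Matthew and Dan describe only balances correctly if each server withdraws its anycast route when its resolver stops answering; otherwise OSPF keeps steering clients to a dead box. Below is an added example of the per-server health probe that drives that decision. It is not code from the thread, from ISC's technote or from the linked how-to. It assumes the caching resolver listens on 127.0.0.1:53 and that a probe name (www.example.com here) has an A record; the step that actually stops the routing daemon or removes the loopback anycast address when the probe fails is left to the caller, since it depends on the daemon in use.

```python
"""Health probe for a caching resolver behind an anycast address.

Added example, not from the bind-users thread. Builds a raw DNS query,
sends it to the local resolver and judges the reply. Server address and
probe name are assumptions; wire up the route withdrawal yourself.
"""
import os
import socket
import struct

def build_query(qname, qid, qtype=1):
    """Encode a minimal DNS query: header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def response_is_healthy(reply, expected_id):
    """True only for a response to *our* query with RCODE NOERROR and data.

    The id check matters even for a local probe: a stale or forged reply
    must not mark a dead resolver as alive.
    """
    if len(reply) < 12:
        return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != expected_id:      # not the reply to this probe
        return False
    if not flags & 0x8000:      # QR bit clear: this is a query, not a response
        return False
    if flags & 0x0200:          # TC bit: truncated; treat a UDP probe as failed
        return False
    rcode = flags & 0x000F
    return rcode == 0 and an >= 1   # NOERROR with at least one answer record

def check_resolver(qname="www.example.com", server=("127.0.0.1", 53), timeout=2.0):
    """Send one probe; False on timeout, socket error or an unhealthy reply."""
    qid = struct.unpack("!H", os.urandom(2))[0]   # random id, as a resolver would use
    packet = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, server)
            reply, _ = s.recvfrom(512)
        except (socket.timeout, OSError):
            return False
    return response_is_healthy(reply, qid)

if __name__ == "__main__":
    # Exit status is what a cron job or monitor loop keys the route withdrawal on.
    import sys
    sys.exit(0 if check_resolver() else 1)
```

Run it from cron or a supervisor loop on every anycast node; a non-zero exit is the signal to pull the route (for example by stopping ospfd or deleting the anycast address from the loopback interface), and a later zero exit the signal to restore it. Probing an existing name rather than just "port 53 answers" catches the common failure where named is up but recursion is broken.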
Re: Same source port queries dropped by ServerIron load balancer
On 4/4/2010 2:24 PM, Sten Carlsen wrote:
> On 04/04/10 17:41, Kevin Darcy wrote:
>> On 4/1/2010 9:19 PM, Barry Margolin wrote:
>>> In article <mailman.1048.1270148466.21153.bind-us...@lists.isc.org>, Kevin Darcy <k...@chrysler.com> wrote:
>>>> Re-use of source ports for DNS queries is a bad security practice. I cast my vote in favor of penalizing it, in the default configuration of any device that responds to DNS requests.
>>> It's really not the job of a load balancer or server to force clients to use good security practices.
>> Trouble is, when everyone carves out their little area of responsibility such that "enforcing good security practices is not my job, man", then very few things enforce security practices, and ultimately they don't get enforced at all. Certainly a load-balancer can legitimately refuse to serve queries that are suspect, can it not? E.g. that are malformed in particular ways that indicate hostile intent. So, where in the spectrum of "suspectness" can we draw the line and say, everything on that side, I trust to answer, and everything on the other side of the line, I don't? I think a client that re-uses source ports is untrustworthy. Therefore I think it's a reasonable default to decline to service queries from such clients.
> The question I saw being raised was not if such queries were trustworthy or not; but whether it is the job of a load balancer to judge the inner workings of an application protocol.

Sorry, pet peeve, but DNS is an "application protocol" like paddles on a rowboat are merely ornamental trappings. Sure, one _could_ theoretically get along with it/them, but how realistic is that? In practical terms, DNS is a core networking protocol, necessary for most process-to-process communication at the Transport Layer and above. That's how it's treated by support organizations, too: does one ever see DNS lumped in with "applications" from a support standpoint?

> I tend to agree that the load balancer should just hand the packets on to whoever is there to answer the questions/serve the content.

It wasn't clear (to me, at least) from the original post whether the load-balancer in question was just front-ending some DNS service, or whether it was a GSLB-type load-balancer that was actually the definitive source of the (dynamically-changing) DNS information, front-ending some other protocol(s), e.g. HTTP/HTTPS, SMTP, LDAP. If it's a GSLB device that is the last link-in-the-chain, then certainly it has the right to enforce whatever security policies the owner/administrator wants. If on the other hand it's just forwarding the query to some back-end DNS infrastructure, and if it can provide the information necessary for the back-end infrastructure to make a reasonable security determination (i.e. using the client's original source port), then fine, pass on the responsibility for enforcement. If not, then the load-balancer needs to do the enforcement itself.

> This would be the reason we have heard so much about broken routers/bridges/firewalls/... that will not allow EDNS packets, because they were once suspect.

Routers/bridges/firewalls, etc. that should, in the normal case, be passing packets back and forth without presuming special knowledge of the DNS protocol, should be lumped together with load-balancers that front-end a DNS infrastructure. But, again, if we're talking about a load-balancer that is a GSLB *definitive* source of the DNS data, then it is in a different class than transparent or proxying devices. It is, in effect, the *source* of the DNS information, and shouldn't be giving out data to clients it suspects may misuse that data or be compromised by the response.

> When DNSSEC/NSEC/... is completely implemented, who will then reevaluate if this load balancer is in need of a change? Maybe there will be nobody to fix it?

I think that's part of the larger question of how all of these "Stupid DNS Tricks" that people are today performing with load-balancers, CDNs, etc. will inter-operate with DNSSEC, if at all. The "Stupid DNS Tricks", after all, do essentially amount to *lying* about DNS data, and DNSSEC is essentially a mechanism for detecting, and presumably rejecting, DNS lies. It's hard to get such things to co-exist.

- Kevin
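Whichever device ends up enforcing it, the first thing an operator needs is a way to find out which of their own clients still send every query from the same UDP source port, since those are the resolvers most exposed to cache poisoning and the ones a ServerIron-style policy would start dropping. The script below is an added example, not code from this thread or from any vendor; it works from a constructed log whose line format (timestamp, client IP, client source port, query name), as a packet capture or a load-balancer flow log might yield, is an assumption, and the thresholds are assumptions too.

```python
"""Flag DNS clients that re-use UDP source ports across queries.

Added example, not from the bind-users thread. The log format and the
thresholds are assumptions; the sample log is constructed for the demo.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sends everything from port 53 (the old
# fixed-port style), 10.0.0.6 randomises, 10.0.0.7 has one accidental
# repeat, which a healthy client will occasionally do in a 16-bit space.
SAMPLE_LOG = """\
1270451000.10 10.0.0.5 53 www.example.com
1270451000.20 10.0.0.5 53 mail.example.com
1270451000.30 10.0.0.5 53 ns1.example.com
1270451000.40 10.0.0.5 53 ftp.example.com
1270451000.50 10.0.0.6 49211 www.example.com
1270451000.60 10.0.0.6 61002 mail.example.com
1270451000.70 10.0.0.6 33517 ns1.example.com
1270451000.80 10.0.0.6 54890 ftp.example.com
1270451001.10 10.0.0.7 40001 www.example.com
1270451001.20 10.0.0.7 40002 mail.example.com
1270451001.30 10.0.0.7 40001 ns1.example.com
1270451001.40 10.0.0.7 40003 ftp.example.com
"""

def parse_log(text):
    """Yield (client_ip, source_port) from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, port, _qname = line.split()
        yield ip, int(port)

def port_reuse_report(records, min_queries=4, max_reuse_ratio=0.25):
    """Per-client summary: {ip: {queries, distinct_ports, reuse_ratio, flag}}.

    reuse_ratio = 1 - distinct_ports/queries, so 0.0 means a fresh port per
    query and values near 1.0 mean one port for everything. Clients with
    fewer than min_queries samples are never flagged: a couple of collisions
    prove nothing. min_queries is kept small for the sample; raise it on
    real traffic.
    """
    per_client = defaultdict(list)
    for ip, port in records:
        per_client[ip].append(port)
    report = {}
    for ip, ports in per_client.items():
        n = len(ports)
        d = len(set(ports))
        ratio = 1.0 - d / n
        report[ip] = {
            "queries": n,
            "distinct_ports": d,
            "reuse_ratio": round(ratio, 3),
            "flag": n >= min_queries and ratio > max_reuse_ratio,
        }
    return report

def flagged_clients(text, **thresholds):
    """Sorted list of client IPs whose port re-use exceeds the threshold."""
    report = port_reuse_report(parse_log(text), **thresholds)
    return sorted(ip for ip, row in report.items() if row["flag"])

if __name__ == "__main__":
    for ip, row in sorted(port_reuse_report(parse_log(SAMPLE_LOG)).items()):
        print(ip, row)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

Run over a day of query logs this gives a list of clients to patch or reconfigure rather than a list to block; a legitimate resolver behind NAT can also show up here when the NAT device rewrites source ports to a narrow range, which is a reason to verify each hit before turning the same logic into a drop rule.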
Re: Same source port queries dropped by ServerIron load balancer
On 4/4/2010 3:33 PM, Barry Margolin wrote:
> In article <mailman.1058.1270395730.21153.bind-us...@lists.isc.org>, Kevin Darcy <k...@chrysler.com> wrote:
>> On 4/1/2010 9:19 PM, Barry Margolin wrote:
>>> In article <mailman.1048.1270148466.21153.bind-us...@lists.isc.org>, Kevin Darcy <k...@chrysler.com> wrote:
>>>> Re-use of source ports for DNS queries is a bad security practice. I cast my vote in favor of penalizing it, in the default configuration of any device that responds to DNS requests.
>>> It's really not the job of a load balancer or server to force clients to use good security practices.
>> Trouble is, when everyone carves out their little area of responsibility such that "enforcing good security practices is not my job, man", then very few things enforce security practices, and ultimately they don't get enforced at all.
> There's a well-defined place where security is supposed to be enforced: the firewall. I suppose the device in question may be a combination firewall and load balancer.

There's a difference between the product category "firewall" and the actual *role* "firewall" (which I believe is classically defined as "a device which applies policy-based security controls to network traffic flowing between entities at differing levels of trust", or similar wording). Just because a load-balancer (according to product category) may not be labelled as a "firewall" on its front panel plate, or in a diagram of the network topology, doesn't mean it can't or shouldn't be serving that role in the network/security infrastructure. As for the singular "a well-defined place", there's nothing wrong with having multiple levels of security and security enforcement, or multiple levels of "firewalls" (the role not the product category) in the environment.

http://en.wikipedia.org/wiki/Defense_in_depth_(computing)

> But a firewall in front of a server should be protecting the server, not protecting the clients from themselves.

Preventing any complicity in the poisoning of a client's cache is certainly a legitimate security policy objective, is it not?

>> Certainly a load-balancer can legitimately refuse to serve queries that are suspect, can it not? E.g. that are malformed in particular ways that indicate hostile intent. So, where in the spectrum of "suspectness" can we draw the line and say, everything on that side, I trust to answer, and everything on the other side of the line, I don't? I think a client that re-uses source ports is untrustworthy. Therefore I think it's a reasonable default to decline to service queries from such clients.
> Since when does a DNS server need to trust the client? The server just answers questions, it doesn't incorporate any information from the client (except for dynamic DNS updates, but these are almost always clients inside the security perimeter).

I'm not sure exactly what point you're trying to make. If DNS servers never need to trust their resolving clients, then why does BIND have multiple ways of identifying clients (either source address/range or TSIG key), which then can be used in any of the allow- stuff (-transfer, -query, -query-cache, -recursion), or by match-clients as a basis for view selection, and so forth?

- Kevin
Re: Same source port queries dropped by ServerIron load balancer
In article <mailman.1074.1270505464.21153.bind-us...@lists.isc.org>, Kevin Darcy <k...@chrysler.com> wrote:
> On 4/4/2010 3:33 PM, Barry Margolin wrote:
>> In article <mailman.1058.1270395730.21153.bind-us...@lists.isc.org>, Kevin Darcy <k...@chrysler.com> wrote:
>>> On 4/1/2010 9:19 PM, Barry Margolin wrote:
>>>> In article <mailman.1048.1270148466.21153.bind-us...@lists.isc.org>, Kevin Darcy <k...@chrysler.com> wrote:
>>>>> Re-use of source ports for DNS queries is a bad security practice. I cast my vote in favor of penalizing it, in the default configuration of any device that responds to DNS requests.
>>>> It's really not the job of a load balancer or server to force clients to use good security practices.
>>> Trouble is, when everyone carves out their little area of responsibility such that "enforcing good security practices is not my job, man", then very few things enforce security practices, and ultimately they don't get enforced at all.
>> There's a well-defined place where security is supposed to be enforced: the firewall. I suppose the device in question may be a combination firewall and load balancer.
> There's a difference between the product category "firewall" and the actual *role* "firewall" (which I believe is classically defined as "a device which applies policy-based security controls to network traffic flowing between entities at differing levels of trust", or similar wording). Just because a load-balancer (according to product category) may not be labelled as a "firewall" on its front panel plate, or in a diagram of the network topology, doesn't mean it can't or shouldn't be serving that role in the network/security infrastructure. As for the singular "a well-defined place", there's nothing wrong with having multiple levels of security and security enforcement, or multiple levels of "firewalls" (the role not the product category) in the environment.
>
> http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
>
>> But a firewall in front of a server should be protecting the server, not protecting the clients from themselves.
>
> Preventing any complicity in the poisoning of a client's cache is certainly a legitimate security policy objective, is it not?

I think there's a difference between complicity and forcing the client to protect itself. Especially since end users typically can't fix the problem themselves (they're usually using caching servers operated by someone else -- their ISP or their corporate IT Dept.). So if someone gets blocked by this, what are they supposed to do about it? Even if they can change DNS servers (e.g. switch to OpenDNS or Google DNS), it wouldn't be obvious that the problem is one that would be solved by this.

>>> Certainly a load-balancer can legitimately refuse to serve queries that are suspect, can it not? E.g. that are malformed in particular ways that indicate hostile intent. So, where in the spectrum of "suspectness" can we draw the line and say, everything on that side, I trust to answer, and everything on the other side of the line, I don't? I think a client that re-uses source ports is untrustworthy. Therefore I think it's a reasonable default to decline to service queries from such clients.
>> Since when does a DNS server need to trust the client? The server just answers questions, it doesn't incorporate any information from the client (except for dynamic DNS updates, but these are almost always clients inside the security perimeter).
> I'm not sure exactly what point you're trying to make. If DNS servers never need to trust their resolving clients, then why does BIND have multiple ways of identifying clients (either source address/range or TSIG key), which then can be used in any of the allow- stuff (-transfer, -query, -query-cache, -recursion), or by match-clients as a basis for view selection, and so forth?

All the allow-XXX stuff is for privacy, not trust. And the multiple methods of identifying the client are to work around limitations in TCP/IP (source addresses can be spoofed) and deal with different networking environments. For instance, TSIG key is often useful when you need to transfer two different views to the same slave server, so that it can also serve both views; you can't use match-address because they're the same address.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
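Barry's closing case, two views that must both be transferred to one secondary, is exactly where address-based matching runs out: both transfer requests arrive from the same source address, so only the TSIG key that signed the request can tell them apart. The named.conf fragment below is an added example of that setup, not configuration from the thread or from ISC's documentation; key names, the zone name, the file paths, the ACL range and the secrets are placeholders.

```conf
// Added example, not from the thread: one primary serving two views of
// example.com to the same secondary, selected by TSIG key, not address.
// Secrets and addresses are placeholders; generate real keys with tsig-keygen.

key "internal-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-1";
};

key "external-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-2";
};

acl "corp-nets" { 10.0.0.0/8; };   // placeholder internal range

view "internal" {
    // A request signed with the external key must NOT fall into this view
    // even when it comes from an internal address, hence the negated key
    // entry first. Then: requests signed with the internal key, then any
    // unsigned request from the corporate ranges.
    match-clients { !key external-xfer; key internal-xfer; corp-nets; };
    // Zone transfers only for the signed secondary, never by address alone.
    allow-transfer { key internal-xfer; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.db";
    };
};

view "external" {
    match-clients { key external-xfer; any; };
    allow-transfer { key external-xfer; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.db";
    };
};
```

On the secondary, the matching configuration carries the same two key statements and, inside each of its own views, a server statement for the primary's address listing the key for that view, so each view's transfer request is signed with the key that selects the right view on the primary. Because allow-transfer in each view names only a key, an unsigned AXFR from the secondary's (or anyone's) address is refused, which is the point Barry makes about addresses being spoofable while a key is not.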