Re: High performance DNS server configuration?

2016-09-15 Thread Reindl Harald



On 15.09.2016 at 17:19, Benny Pedersen wrote:

> On 2016-09-15 15:42, John Levine wrote:
>
>>> Problem is procmail + postfix with RBLs (zen.spamhaus.org and others).
>>>
>>> The really big problem is spam botnets, and some days we can get over 5-6
>>> million messages per day or even more.
>>>
>>> Procmail/postfix is doing every check per msg at localdns (localdns =>
>>> RBLs) server and average check time is 1-2 sec per message and it's
>>> too much.
>>
>> I agree that bind is likely not the best DNS cache for this purpose.
>> You might look at unbound.
>
> I hear the opposite, unbound has DNSSEC issues that are not in bind

where?

> unbound would need forward first in forward zone else it serves stale
> data, since unbound misses forward only, I have no problem with bind there

besides, it's not true (I remember your mail on the SA list pretending
that nonsense - read the docs and read this
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=818 - exactly the
context where you pretended stale data because of a missing forward-first
statement, which is nonsense); for the task of the OP *no forwarding must
happen* at all

you either do *only* forwarding for a zone - "forward first" would lead
to recursion too if there is no forwarding response - or you do recursion
without any forwarding

we talk about an inbound mailserver - nothing else
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Load balancer for Bind

2016-09-15 Thread bert hubert
On Wed, Sep 14, 2016 at 03:41:31PM -0400, Matthew Pounsett wrote:
> > I read something about HAProxy but it does not manage udp connection and
> > the interesting security proxy/balancer DnsDist does not pass original
> > client ip for Bind-DLZ...
> >
> Your best option is something that can do the job statelessly.  As Warren
(...)

> Mostly that means using a routing protocol to do LAN-scope Anycast via
> ECMP.  ISC has a technote that explains how to do it.

Actually, in our not so humble opinion, your best option is both. 

ECMP is good at distributing the pain using some hash of addresses and port
numbers.  But it does nothing about the pain itself.  Also, it does not know
about the health of individual backends.

dnsdist does know, and can also filter many forms of attack without touching
the state table. dnsdist has a fixed amount of state so it won't die from
people trying to overload its state tables. And the state is dimensioned so
it will not be exceeded without forwarding more traffic than your backends
could handle anyhow.

So what we recommend is using dnsdist to balance to your backends, and have
it prefer one backend when all things are equal.  Then run multiple dnsdists
which each prefer a different backend.  And then announce your dnsdist
service addresses a few times over BGP.

Finally, query dnsdist about its drop rates, and if these exceed a certain
level, prepend your BGP announcement so another dnsdist gets the traffic,
unless that too measures drops. If all of them prepend, the pain is spread
out evenly again.

Sorry for running advertisement here. But please know dnsdist is software
neutral, it is not "powerdnsdist".

Bert




Re: Load balancer for Bind

2016-09-15 Thread Phil Mayers

On 14/09/16 20:41, Matthew Pounsett wrote:

> Your best option is something that can do the job statelessly.  As
> Warren says, anything that keeps state (firewall, load balancer, etc.)
> becomes a DoS target... or, at best, becomes the thing that runs out of
> resources before your network or your DNS servers do.
>
> Mostly that means using a routing protocol to do LAN-scope Anycast via
> ECMP.  ISC has a technote that explains how to do it.

Agreed. We use exaBGP to anycast our resolvers into our BGP routing
table and ECMP on top of that. Works well.

In the past we did a split - one resolver IP via anycast, one via
load-balancers, but TBH the heterogeneity didn't buy us anything, and
the SLB load was substantial, so we moved to all-anycast.



Re: High performance DNS server configuration?

2016-09-15 Thread John Levine
> Problem is procmail + postfix with RBLs (zen.spamhaus.org and others).
>
> The really big problem is spam botnets, and some days we can get over 5-6
> million messages per day or even more.
>
> Procmail/postfix is doing every check per msg at localdns (localdns =>
> RBLs) server and average check time is 1-2 sec per message and it's
> too much.

I agree that bind is likely not the best DNS cache for this purpose.
You might look at unbound.

More importantly, at that query volume you should be running a local
copy of rbldnsd and rsync'ing the DNSBLs.

R's,
John


Re: High performance DNS server configuration?

2016-09-15 Thread /dev/rob0
On Thu, Sep 15, 2016 at 02:20:16PM +0300, Pekka Jalonen wrote:
> I'm looking for a solution for a very high performance DNS server.
> 
> Background information;
> We are running centos-release-6-8.el6.centos.12.3.x86_64
> 
> Hardware is Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz with 32 GB 
> memory and SSD disks (with raid controller).
> 
> We have local bind running at same box (bind, caching) with default 
> configuration.

Ask on a CentOS list if you don't wish to provide the configuration 
in use.  We don't all know what "default" means there.

> Server is mail server with ~+150 K users.
> 
> Problem is procmail + postfix with RBLs (zen.spamhaus.org and 
> others).

Hmm, procmail, why?  Is that doing DNS lookups?  Sounds ugly.

Are you using postscreen(8)?  If not, why not?  I would strongly 
suggest upgrading to a recent Postfix version (the "ghettoforge" RPM 
repo might be an easy way to do this), then implement postscreen.

> The really big problem is spam botnets, and some days we can get over 
> 5-6 million messages per day or even more.
> 
> Procmail/postfix is doing every check per msg at localdns (localdns 
> => rbl's) server and average check time is 1-2 sec per message and 
> it's too much.
> 
> We are getting very fancy error messages etc ...
> named[10008]: error (connection refused) resolving
> 'ns1.actcorp.co.in/A/IN': 162.251.82.251#53
> named[10008]: error (connection refused) resolving
> 'www.sleekgroup.co.uk/A/IN': 104.155.71.90#53

If your queries are refused, you can't fix that with tweaks to your 
named.conf(5).  For some reason the destination server has been 
configured not to allow your queries.  That condition will still 
exist after any changes you make to your system.

> named[10008]: error (unexpected RCODE SERVFAIL) resolving
> 'sunbatheda.megabulkmessage223.com/A/IN': 8.8.8.8#53
^^^

This suggests you are using forwarders.  That certainly could be a 
problem for DNSBL usage, as many DNSBL providers do limiting on 
queries.  Remove the forwarders.

> named[10008]: error (host unreachable) resolving
> '40.17.107.150.bl.emailbasura.org/A/IN': 80.38.217.151#53

This is similar to the refused errors in that the condition is 
external; if you can't reach that host now, named.conf changes cannot 
make that host reachable.

> named[10008]: validating @0x7ff45c04aae0: gansend4.com A: no valid
> signature found

This suggests you have enabled DNSSEC validation.  Nothing wrong with 
that, but understand what it means: when a signature for a signed 
zone fails to verify (or is missing) you get a SERVFAIL.

> ... it's slowing down system of course.

The slow system is not demonstrated to point to named.

> Loads are very high at server when botnets are attacking average is
> about 500 or even more.
> 
> Does anyone have ideas how to reduce server loads, because bind is 
> the problem...

If that is so, how did you determine that?  How could we know?

> Thank you for answers or ideas.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
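rob0's reading of the named errors above separates conditions that are external (refused, unreachable) from signals about the local configuration (a forwarder answering, DNSSEC validation failing). The following is an added example, not code from the thread or from BIND, that applies that triage to a constructed sample built from the quoted log lines; the forwarder set is an assumption, since the thread only shows 8.8.8.8 answering.

```python
import re
from collections import Counter

# Constructed sample built from the error lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
named[10008]: error (connection refused) resolving 'ns1.actcorp.co.in/A/IN': 162.251.82.251#53
named[10008]: error (connection refused) resolving 'www.sleekgroup.co.uk/A/IN': 104.155.71.90#53
named[10008]: error (unexpected RCODE SERVFAIL) resolving 'sunbatheda.megabulkmessage223.com/A/IN': 8.8.8.8#53
named[10008]: error (host unreachable) resolving '40.17.107.150.bl.emailbasura.org/A/IN': 80.38.217.151#53
named[10008]: validating @0x7ff45c04aae0: gansend4.com A: no valid signature found
"""

ERROR_RE = re.compile(r"error \((?P<reason>[^)]+)\) resolving "
                      r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/IN': (?P<server>[0-9.]+)#\d+")
VALIDATE_RE = re.compile(r"validating @0x[0-9a-f]+: (?P<qname>\S+) (?P<qtype>\w+): (?P<msg>.+)$")
DNSBL_RE = re.compile(r"^(\d{1,3}\.){4}\S+")   # reversed-IPv4 prefix => DNSBL lookup
FORWARDERS = {"8.8.8.8"}   # assumed named.conf forwarders; the thread only shows 8.8.8.8

def classify(line, forwarders=FORWARDERS):
    """Return (category, reason, qname, server, is_dnsbl), or None for other lines.
    external : remote server refused / unreachable; no named.conf change fixes it.
    forwarder: the failing answer came from a configured forwarder, i.e. the lookup
               was not resolved locally (rob0's reason to remove forwarders).
    dnssec   : validation failed; clients get SERVFAIL for that name."""
    m = ERROR_RE.search(line)
    if m:
        category = "forwarder" if m["server"] in forwarders else "external"
        return (category, m["reason"], m["qname"], m["server"], bool(DNSBL_RE.match(m["qname"])))
    m = VALIDATE_RE.search(line)
    if m:
        return ("dnssec", m["msg"], m["qname"], None, bool(DNSBL_RE.match(m["qname"])))
    return None

def triage(log_text, forwarders=FORWARDERS):
    """Count categories and collect the classified records per category."""
    counts, records = Counter(), {}
    for line in log_text.splitlines():
        rec = classify(line, forwarders)
        if rec is not None:
            counts[rec[0]] += 1
            records.setdefault(rec[0], []).append(rec)
    return counts, records

if __name__ == "__main__":
    counts, records = triage(SAMPLE_LOG)
    for category, recs in records.items():
        print(f"{category}: {counts[category]}")
        for _, reason, qname, server, is_dnsbl in recs:
            print(f"   {reason:<24} {qname} via {server}{' [DNSBL lookup]' if is_dnsbl else ''}")
```

Run against a real named log, the "forwarder" bucket is the one to act on first: its entries disappear once recursion is done locally, while the "external" bucket only tells you which remote servers are broken.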


Re: High performance DNS server configuration?

2016-09-15 Thread Reindl Harald



On 15.09.2016 at 13:20, Pekka Jalonen wrote:

> Server is mail server with ~+150 K users.
>
> Problem is procmail + postfix with RBLs (zen.spamhaus.org and others).
>
> The really big problem is spam botnets, and some days we can get over 5-6
> million messages per day or even more.
>
> Procmail/postfix is doing every check per msg at localdns (localdns =>
> RBLs) server and average check time is 1-2 sec per message and it's
> too much

bind is probably the wrong software for that task;
if the caching-resolver is only for inbound mail, use unbound

"cache-min-ttl: 100" violates standards but on the other hand works
around the 5 second TTL of many RBLs and may reduce the outbound
DNS requests at peak times dramatically without much bad impact (slip
through while listed within the 100 seconds)

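To make the trade-off in that last paragraph concrete, here is an added example (not from the thread, and not unbound code) that replays a constructed burst of lookups for one DNSBL name through a per-name cache, once honouring the RBL's 5 second TTL and once with the 100 second floor that cache-min-ttl: 100 would impose; the name, the two-lookups-per-second burst and the listing time are assumptions.

```python
def simulate(stream, upstream_ttl, min_ttl, listed_at):
    """Replay DNSBL lookups through a per-name cache.

    stream      : iterable of (t, qname), lookups in time order
    upstream_ttl: TTL the RBL puts on its answers (5 s in Reindl's post)
    min_ttl     : cache floor; 0 = honour upstream, 100 = cache-min-ttl: 100
    listed_at   : {qname: time} at which the RBL starts listing that name
    Returns (upstream_queries, slipped): queries sent upstream, and lookups
    answered 'not listed' from cache after the name had become listed."""
    effective_ttl = max(upstream_ttl, min_ttl)
    cache = {}                      # qname -> (expires, listed_when_fetched)
    upstream = slipped = 0
    for t, qname in stream:
        listed_now = t >= listed_at.get(qname, float("inf"))
        entry = cache.get(qname)
        if entry is None or t >= entry[0]:
            upstream += 1           # cache miss or expired: ask the RBL
            entry = (t + effective_ttl, listed_now)
            cache[qname] = entry
        if listed_now and not entry[1]:
            slipped += 1            # stale 'not listed' answer served from cache
    return upstream, slipped

# Constructed burst: one sending host hammering the MX for 5 minutes, two
# lookups per second for its reversed-IP name; the RBL lists it at t=152.3 s.
NAME = "5.113.0.203.bl.example"
LISTED_AT = {NAME: 152.3}

def burst(seconds=300, per_second=2, qname=NAME):
    return [(i / per_second, qname) for i in range(seconds * per_second)]

def compare(ttl=5, floor=100):
    """Return {'honour_ttl': (upstream, slipped), 'min_ttl': (upstream, slipped)}."""
    return {"honour_ttl": simulate(burst(), ttl, 0, LISTED_AT),
            "min_ttl": simulate(burst(), ttl, floor, LISTED_AT)}

if __name__ == "__main__":
    for policy, (up, slipped) in compare().items():
        print(f"{policy:<10} upstream queries={up:3d}  listed-but-passed={slipped}")
```

For this burst the floor cuts upstream queries from 60 to 3, but the window in which a freshly listed sender still passes grows from at most 5 seconds to up to 100 seconds.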