Re: Per server instance vs central / shared / redundant instances of BIND
Grant Taylor via bind-users wrote:
> Do you think that per (mail) server instances of BIND are worth the additional
> administrative overhead as compared to more central shared instances?

Yes, that's what I did when I was doing mail things. There are a few reasons: reduce load on the shared central resolvers; reduce the latency of anti-spam blocklist lookups; better fate-sharing between the SMTP and DNS parts of the mail service.

There's not much overlap between the kinds of queries done by mail servers and other DNS users, so there's limited benefit from sharing a single cache. There probably is benefit from sharing a DNS cache between multiple mail servers, but from my point of view it was easier to have one kind of machine that does SMTP + DNS than two different flavours of machine. (The admin effort is per flavour, not per server.)

Tony.
--
f.anthony.n.finch  https://dotat.at/
Cape Wrath to Rattray Head including Orkney: Northeast 3 to 5 backing north 3 or 4. Slight or moderate. Showers. Good.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: [External] Re: Per server instance vs central / shared / redundant instances of BIND
For me, I run one locally per data center with forwarders, etc. defined, but for a "How to spin up your own mail server", I would likely just keep it to one per mail server.

For someone more advanced, DNS is lightweight and anti-spam is very heavy. So anything you can save on anti-spam processing will likely save more resources.

On 4/27/2021 12:46 PM, Grant Taylor via bind-users wrote:
> E.g. if you had 29 mail servers, would you run BIND on each of their lo's? Or would you use a small number of central / shared / redundant servers?

--
*Kevin A. McGrail* /CEO Emeritus/
*Peregrine Computer Consultants Corporation*
+1.703.798.0171
kmcgr...@pccc.com
https://pccc.com/
https://raptoremailsecurity.com
10311 Cascade Lane, Fairfax, Virginia 22032-2357 USA
Re: Per server instance vs central / shared / redundant instances of BIND
On 4/27/21 10:24 AM, Kevin A. McGrail wrote:
> Agreed on the OT and good subject change. :-)

> For me, I wouldn't bind DNS to the eth0, just another attack surface hence I would use local loopback.

I think the main reason to bind to eth0 / LAN is for when there are multiple (mail) servers that can benefit from a common instance of BIND. As opposed to having a dedicated instance of BIND on lo per (mail) server.

> Having a DNS on the LAN is good too but caching on any mail server is good.

Do you think that per (mail) server instances of BIND are worth the additional administrative overhead as compared to more central shared instances?

E.g. if you had 29 mail servers, would you run BIND on each of their lo's? Or would you use a small number of central / shared / redundant servers?

> There are a lot of DNS queries for email and anti-spam.

Yep. But the key takeaway is don't use something like quad-8. }:-)

--
Grant. . . .
unix || die
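A minimal BIND `options` block for the per-mail-server, loopback-only resolver discussed in this thread, with the shared-LAN variant alongside it. This is an added example, not configuration posted by anyone in the thread; the `directory` path, the `mailhosts` ACL name and the 192.0.2.0/24 addresses (documentation range) are assumptions.

```conf
// Hypothetical named.conf fragment: per-mail-server resolver on lo.
// Addresses in 192.0.2.0/24 are placeholders (RFC 5737 documentation range).
acl "mailhosts" { 192.0.2.0/24; };   // only used by the shared-LAN variant

options {
    directory "/var/cache/bind";     // assumed; adjust to your distribution
    recursion yes;

    // Per-server variant: listen only on loopback, so the resolver is not
    // reachable from the network and adds no network-facing attack surface.
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    allow-query { localhost; };
    allow-recursion { localhost; };

    // Shared-LAN variant (one instance serving several mail servers):
    // replace the four lines above with these. The listener is now on the
    // LAN, so the ACL is what keeps it from being an open resolver.
    // listen-on port 53 { 127.0.0.1; 192.0.2.10; };
    // listen-on-v6 port 53 { ::1; };
    // allow-query { localhost; mailhosts; };
    // allow-recursion { localhost; mailhosts; };

    // No forwarders: resolve directly, so DNSBL lookups for anti-spam do not
    // depend on a central cache or go via a public resolver such as quad-8,
    // which the thread advises against. If you forward to your own resolvers
    // per data center, list them here instead:
    // forwarders { 192.0.2.53; };

    dnssec-validation auto;
};
```

Check which variant is active with `named-checkconf` and by confirming that `named` is only listening on the addresses you intended (for example with `ss -lnup` on the host).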