The new Cloudflare DNS is 3ms away from our core; OpenDNS and Google are
12ms away.
And I believe that Cloudflare can run way more reliable DNS than we can.
They also use anycast, so if their Minneapolis POP had trouble, we'd
route to the next closest POP like Chicago.
I would like to host our own DNS and was planning on adding two servers
for this in the spring, but with Cloudflare introducing this, we may just
point customers to them now.
I've seen Cloudflare racks and they have a ton of gear and reliability
built in. They also host two of the root DNS servers. Their cache rate
will be much higher than our own servers' as well.
On Tue, Apr 3, 2018, 9:49 AM Forrest Christian (List Account)
<li...@packetflux.com> wrote:
I have heard that MikroTik has an acceptable DNS caching server
built in.... maybe start there? I don't know if it does full
recursive lookups using the root tree.
For some reason everyone overestimates what is really needed for
robust caching DNS. You can safely use even a couple of Raspberry
Pis for almost all WISP-sized networks.
The key architecture you need to ensure is that the DNS server has
substantially similar connectivity to the net as the clients that
use that DNS server. The reason for this is that many web services
use information gleaned from the origin of the DNS queries to
determine the closest server. As a result, you want the DNS
server to have the same paths to the net as the clients as much as
possible.
On Tue, Apr 3, 2018, 8:19 AM David Coudron
<david.coud...@advantenon.com> wrote:
Hi folks,

This has been a really timely discussion for us as we are
wrestling with the same kinds of questions as Adam mentions.
With enough time (resources) and money, we would put a very
robust DNS at each Direct Internet Access drain point. However,
we have been aggressively moving to reduce our footprint at DIAs
so that we can have more of them and they require less
intervention and maintenance. Putting any kind of server there
(Linux or otherwise) seems to complicate a pretty clean setup
that is currently MikroTik and Powercode BMUs. In fact, one of
the biggest concerns we have if we were to move to Sonar is the
need to start putting Linux devices in DIAs and towers (a topic
for another day). We do not provide authoritative DNS for
customers and don't need it for ourselves, so this is only a
performance/cleanliness discussion. We see three main options:
1. Find an appliance-based device/server that is easy as heck
to maintain and doesn't require site visits. Something like
the MikroTik CCRs. Put them at every DIA.
2. Run a regionally centralized DNS server in a data center and
have the closest DIAs point to their respective data center
DNS server. This would reduce the number of servers and
keep them in a data center environment.
3. Rely on 3rd party (Google or otherwise). We don't believe
our servers will be more reliable than the combination of
multiple 3rd party options, so this is a performance
decision.

I think the best decision would be a very simple appliance to
sit in our DIAs, but we haven't looked into it enough to see
what exists. By simple, we would be looking for something that
we could do regular firmware updates only, and monitor with SNMP
just like all our other network devices.

Regards,

David Coudron

*From:* Af <af-boun...@afmug.com>
*On Behalf Of* Adam Moffett
*Sent:* Tuesday, April 3, 2018 9:04 AM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] new DNS

It's clearly not hard. It's obviously not expensive. I'm
already doing it and have been for years. But it's more than
$0.

I've seen the geolocation issue in the past. More recently I
tried to demonstrate it to someone and it turned out that Google
DNS and our own DNS gave us Netflix content from the same
source.

If I used someone else's DNS and that 3rd party went away, then
there are apparently 10 other "3rd parties" to choose from. I
recognize the point that it's a 3rd party and we don't want to
rely on 3rd parties: But can we honestly say that our DNS
servers are more reliable than Google or Cloudflare?

I'm not shutting down the DNS servers today, I'm just trying to
look inward and analyze what we're doing and why. Are we doing
it because it actually makes sense or are we doing it because
we've always done it and we can't imagine another way?

------ Original Message ------
From: "Justin Wilson" <li...@mtin.net>
To: af@afmug.com
Sent: 4/3/2018 8:48:33 AM
Subject: Re: [AFMUG] new DNS

You have your own DNS for one huge reason: GeoLocation when
it comes to Content Networks such as Netflix. One of
the mechanisms they employ is using DNS Geolocation to serve
you the closest content. Not only do they do a GeoLocate on
your IP, but some also do a check to make sure your DNS
servers are coming from the same place as your customers.
This is especially true if you or one of your upstreams is
peered with Netflix or someone on an exchange. Otherwise, if
you are using Google or other DNS you may be in Kansas, and
you might be getting content from Netflix out of California,
when you could be getting it literally next door. Makes the
customer experience much better. There are RFCs that address
this, but whether they are implemented is a crapshoot.

Secondly, relying on a 3rd party for a critical service
such as DNS can be troublesome. Would you rely on someone
else to provide the wireless signal to your customers
blindly? If so, then offloading DNS is okay for you. I want
more control for such a critical service.

I hear folks worry about the bandwidth DNS takes up. It's
not a concern either way. If your network can't support the
bandwidth of DNS queries then you have deeper issues.

It's hard? No it's not. Tons of tutorials on BIND for
every flavor of Linux. Just about any old machine lying
around can run DNS.

If anyone wants to know how easy, and how cheap it is to
spin up DNS (both recursive and authoritative) hit me up. I
will gladly talk with you about some strategy.

Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

On Apr 3, 2018, at 6:34 AM, Paul Stewart
<p...@paulstewart.org> wrote:

I know there are often debates on here about running any
servers, some servers, or doing everything in-house
(mail, web, DNS etc). Even if you outsource everything
I would still run recursive caching DNS …. Performance
and reliability are the main reasons. Some CDNs and other
services determine the path to send you content based on
where the DNS lookup occurs and in our case that's a
significant factor …

We operate our own anycasted DNS … actually two of them.
One set of servers for recursive caching and another set
for authoritative DNS.

Paul

*From:* Af <af-boun...@afmug.com> on behalf of "Forrest
Christian (List Account)" <li...@packetflux.com>
*Reply-To:* <af@afmug.com>
*Date:* Tuesday, April 3, 2018 at 4:33 AM
*To:* af <af@afmug.com>
*Subject:* Re: [AFMUG] new DNS

Because it's good for your customers, and it should take
very little time to set one up.

The main reason for this is so that websites serve data
from the closest server due to the way that DNS anycast
works.

And, the biggest one - to have control over a critical
piece of infrastructure for your customers. What
happens if one of these public DNS services goes down and
you have hundreds of customers pointing at it?

On Mon, Apr 2, 2018 at 11:33 PM, Adam Moffett
<dmmoff...@gmail.com> wrote:
Someone remind me again why I have my own recursive
DNS.

------ Original Message ------
From: "Josh Reynolds" <j...@kyneticwifi.com>
To: af@afmug.com
Sent: 4/2/2018 3:22:57 PM
Subject: Re: [AFMUG] new DNS

Yes, bunch of discussions over the past few days
on NANOG and some of the vendor mailing lists.

On Mon, Apr 2, 2018, 2:21 PM Travis Johnson
<t...@ida.net> wrote:
https://gizmodo.com/how-to-speed-up-your-internet-and-protect-your-privacy-1824256587
Faster and more private than Google or
others. :)
Travis

--
*Forrest Christian*/CEO, PacketFlux Technologies, Inc./
Tel: 406-449-3345 | Address: 3577 Countryside Road,
Helena, MT 59602
forre...@imach.com | http://www.packetflux.com
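The "RFCs that address this" Justin mentions include RFC 7871, EDNS Client Subnet (ECS): a recursive resolver forwards part of the client's address to the authoritative server so a CDN can still pick the nearby node that Justin and Forrest describe, even when the resolver itself sits far from the client. The encoder/decoder below is an added example and not code from this thread; the /24 and /56 defaults and the sample addresses are assumptions, and the parser rejects options that carry address bits beyond the declared prefix.

```python
import ipaddress
import struct

# Added example, not code from the thread: hand-built RFC 7871 EDNS Client
# Subnet (ECS) option. A resolver that sends ECS discloses only a prefix of
# the client address (the /24 and /56 defaults below are assumptions), so a
# CDN can pick a nearby node even when the resolver is far from the client.
ECS_OPTION_CODE = 8               # OPTION-CODE registered for ECS
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # FAMILY field values
BITS = {FAMILY_IPV4: 32, FAMILY_IPV6: 128}


def _prefix_mask(total_bits, prefix):
    return ((1 << prefix) - 1) << (total_bits - prefix)


def build_ecs_option(client_ip, source_prefix=None, scope_prefix=0):
    """Encode ECS for client_ip, disclosing only source_prefix bits of it."""
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    total_bits = BITS[family]
    if source_prefix is None:
        source_prefix = 24 if family == FAMILY_IPV4 else 56
    if not 0 <= source_prefix <= total_bits:
        raise ValueError("source prefix length out of range")
    # RFC 7871: ADDRESS is truncated to the octets needed for the prefix,
    # and any bits beyond SOURCE PREFIX-LENGTH must be zero.
    masked = int(addr) & _prefix_mask(total_bits, source_prefix)
    addr_bytes = masked.to_bytes(total_bits // 8, "big")[:(source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(option):
    """Decode an ECS option into (address, source_prefix, scope_prefix)."""
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:4 + length]
    if code != ECS_OPTION_CODE or len(body) != length or length < 4:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    if family not in BITS or source_prefix > BITS[family]:
        raise ValueError("bad family or prefix length")
    total_bits, addr_bytes = BITS[family], body[4:]
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match prefix length")
    value = int.from_bytes(addr_bytes.ljust(total_bits // 8, b"\x00"), "big")
    if (value & _prefix_mask(total_bits, source_prefix)) != value:
        raise ValueError("bits set beyond source prefix (leaks client address)")
    cls = ipaddress.IPv4Address if family == FAMILY_IPV4 else ipaddress.IPv6Address
    return str(cls(value)), source_prefix, scope_prefix
```

The rejection check is the defender's side of this: a forwarder that relays more of a subscriber's address than the declared prefix hands it to every authoritative server the query reaches.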