It is highly recommended you cruise the DNS RFCs and/or read the DNS bible. These are problems solved 20 years ago.
On 8/28/07, reje <[EMAIL PROTECTED]> wrote:
> In the sense of expanding DNS infrastructure, your comments seem sane
> enough (you definitely read that DNS & BIND book :-)
>
> On the other side, I really need to introduce _additional_ availability
> of DNS servers/resolvers. This is especially true for resolvers, as they
> are the first layer users are facing. Assume the situation when an
> ordinary Windows user tries to access a web page not yet cached in his
> box's local DNS cache. From my experience, it takes up to 15 seconds for
> a Windows box to contact the other resolver. And that is something I'm
> trying to avoid by using high availability and load balancing.
>
> As already seen, it cannot be done (yet) using hoststated or "rdr" alone,
> because packet payload inspection and modification is needed for it to
> work, and it is a hack, etc. etc.
>
> I was also reading about the new features of IP-based load balancing in
> carp(4) in the upcoming release of OpenBSD (4.2). It seems that it would
> be enough to install a farm of OpenBSD resolver boxes with CARP and IP
> load balancing enabled on the boxes themselves. No external
> load-balancing boxes, no packet modifications required. Although, it
> seems that it does require some extra configuring depending on the
> network equipment being used. Also, IP load balancing imposes additional
> load on network equipment. (I'm dealing with Cisco Catalyst 6500 series
> switches.)
>
> To conclude my goals:
> - remove the 15 second timeout for end users,
> - deal with only 2 resolver addresses,
> - use more than 2 resolver boxes.
>
> Anyone successfully running a similar scenario?
>
> Cheers (and thanks for all suggestions),
> r.
>
>
> > reje wrote:
> > > Yes, we have that many DNS requests hitting our servers (we are not
> > > experiencing any DoS, only legitimate user requests :-)
> > >
> > > Furthermore, the DNS infrastructure timeouts are unacceptable in our
> > > scenario. Registering additional NS records is also unacceptable.
> > >
> > > FYI: our primary DNS experiences ca. 4000 requests per second, the
> > > secondary goes with ca. 3000 req/sec.
> > >
> > > Primary server is a SUN Fire V480 with 16GB RAM, secondary is also a
> > > SUN Fire V480 with 8GB RAM. Both servers are running Solaris 9 +
> > > BIND 9. Firewall is a PIX 535, works like a charm.
> >
> > Increase some of your heavily used records' TTLs.
> >
> > Add more public slave servers, 5-7 is a good number.
> >
> > Have them pull from a hidden master.
> >
> > Put some of the servers far away from you, but near your clients, e.g.
> > London, Frankfurt, Paris, Sydney, wherever (can't do that with load
> > balancing).
> >
> > If you have both of your only 2 servers in the same rack, you will have
> > problems. I once saw one idiot put both DNS servers into Solaris 10
> > zones on a single box (E15k). What is the point??????
> >
> > I used to work for an ISP serving some popular domains. Used white
> > i386 boxes in various colo racks (own and others), nae probs.
> >
> > Firewalling was done by Juniper, no load balancing.
> >
> > Go re-read the DNS and BIND book.
> > --
> > ====================================================
> > Craig Skinner [EMAIL PROTECTED]
> > Phone +44 (0) 1506 673024   5-digit shortdial: x73024
> > Sun Remote Support Centre, Linlithgow, Scotland, UK
> > ====================================================
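As an added example, not taken from the thread or from OpenBSD's own tree: a POSIX shell helper that writes the per-node /etc/hostname.carpN lines for the plan reje describes, N resolver boxes sharing two service addresses with carp(4) IP load balancing and no external balancer. The addresses (192.0.2.53 and .54 from the documentation range), the vhid numbering, the advskew values and the passphrase are all assumptions; the `carpnodes vhid:advskew,...` and `balancing ip` keywords are as I recall them from the OpenBSD 4.2 ifconfig(8), so check them against the release you actually run.

```sh
#!/bin/sh
# Added example (not from the thread): generate /etc/hostname.carp0 and
# /etc/hostname.carp1 for node <node> of <nodes> resolver boxes that share
# two service addresses via carp(4) "balancing ip".
#
# Assumptions (not from the thread): two VIPs in the 192.0.2.0/24
# documentation range, one vhid per (VIP, node) pair, advskew 0 on the
# node's "own" vhid and 100 on every other node's vhid, shared passphrase.

VIP1=192.0.2.53
VIP2=192.0.2.54
NETMASK=255.255.255.0
BCAST=192.0.2.255
PASS=changeme   # shared CARP passphrase, placeholder

# carpnodes string for node $1 of $2 nodes, vhids numbered from $3.
# Each vhid is mastered (advskew 0) by exactly one node; every other node
# lists the same vhid with advskew 100 so it can take it over on failure.
gen_carpnodes() {
    node=$1; nodes=$2; base=$3
    out=""
    i=1
    while [ "$i" -le "$nodes" ]; do
        vhid=$((base + i - 1))
        if [ "$i" -eq "$node" ]; then skew=0; else skew=100; fi
        out="${out}${out:+,}${vhid}:${skew}"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# One hostname.if(5) line: inet <vip> <mask> <bcast> <ifconfig options>
# for VIP $4 on node $1 of $2, vhids numbered from $3.
gen_carp_line() {
    node=$1; nodes=$2; base=$3; vip=$4
    printf 'inet %s %s %s carpnodes %s balancing ip pass %s\n' \
        "$vip" "$NETMASK" "$BCAST" \
        "$(gen_carpnodes "$node" "$nodes" "$base")" "$PASS"
}

# Both files for node $1 of $2: VIP1 uses vhids 1..N, VIP2 uses N+1..2N,
# so no vhid is reused across the two CARP groups on the same segment.
gen_node_config() {
    node=$1; nodes=$2
    echo "# /etc/hostname.carp0  (node $node of $nodes, VIP $VIP1)"
    gen_carp_line "$node" "$nodes" 1 "$VIP1"
    echo "# /etc/hostname.carp1  (node $node of $nodes, VIP $VIP2)"
    gen_carp_line "$node" "$nodes" $((nodes + 1)) "$VIP2"
}

# Usage: sh gen-carp.sh <node> <nodes>, e.g. "sh gen-carp.sh 2 3"
if [ $# -eq 2 ]; then gen_node_config "$1" "$2"; fi
```

Each box then runs its resolver bound to both VIPs, pf passes `proto carp` on the segment, and `net.inet.carp.allow=1` is set. Two caveats that match what reje worries about: in `balancing ip` mode the VIP answers ARP with a multicast MAC, so the switch floods every frame for that address to all nodes' ports and each node only keeps the queries that hash to its vhid; that flooding is the extra switch load he mentions, and some Catalyst configurations need a static ARP/MAC entry for the VIP before it works at all. The hash is on source and destination address, so all of one client's queries land on one node, and when that node dies the remaining nodes' advskew-100 entries take its vhid over without the client ever hitting the Windows failover timeout.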