Re: Anycast DNS - LB/LTM
Exactly. The script runs inside the LTM and wraps nslookup or dig. It should produce one distinct output for success and another distinct output for failure. It should only check the pool members, not the VIPA itself. If the pool is empty, the LTM will stop advertising the VIPA.

-DTK

On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo juwu...@yahoo.com wrote:
> So the script would run on the LTM; it will periodically check each physical DNS node, and if one cannot resolve, take it out of the pool. It will also check the VIP: if the VIP cannot resolve, the pool is empty, or there is an LTM issue, stop the advertising?
>
> From: David Klein r...@nachtmaus.us
> To: ju wusuo juwu...@yahoo.com
> Cc: bind-users@lists.isc.org
> Sent: Wednesday, March 7, 2012 11:18 PM
> Subject: Re: Anycast DNS
>
> You would need to create a custom script to use as your monitor, which does a lookup of an address that you know will always be in your domain. If that fails, force the node down/inactive, and tie this script as a monitor to the pool holding the DNS server nodes.
>
> You can advertise the /32 containing the VIPA to the upstream router via either OSPF or iBGP, and if the pool goes empty, stop advertising the route (the only option is to stop advertising, not actively withdraw the route, since that could cause a massive reconvergence cycle in your enterprise-wide RIB, if done wrong, just because of a flapping interface).
>
> HTH,
> -DTK
>
> On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo juwu...@yahoo.com wrote:
>> Thanks everyone for all the responses with the great input. Now, if I want to put the DNS servers behind LBs:
>> 1) Would the LTMs be able to announce the routes dynamically for the DNS servers, and can a VIP be withdrawn when the site is gone?
>> 2) Would the LTMs be able to detect a DNS service failure and stop sending DNS queries to it, i.e., in the case where a named is still up but just not able to resolve names (assuming the LTM can detect that a named is down)?

-- 
david t. klein
Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)
Quis custodiet ipsos custodes?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
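The kind of monitor script the thread describes, as an added example that is not part of the original thread and not F5 code: it wraps dig, probes exactly one pool member (never the VIP), resolves a name that must always exist in the zone, and prints a distinct token on success and nothing on failure. It assumes the F5 external-monitor convention that the node IP and port arrive as argv[1] and argv[2] (the IP possibly in IPv4-mapped form such as ::ffff:192.0.2.53) and that any stdout output marks the member UP while silence marks it DOWN; PROBE_NAME and EXPECTED are placeholders, and the pool members are assumed to be authoritative for the probed name. The point worth noticing is in evaluate(): dig exits 0 on SERVFAIL and NXDOMAIN, which is exactly the "named is up but cannot resolve" case from question 2, so the check insists on seeing an expected address rather than trusting the exit status.

```python
#!/usr/bin/env python3
"""External DNS health monitor for one pool member (added example, not from the thread).

Assumed invocation (F5 external-monitor style): monitor.py <node-ip> <port>
Assumed contract: print something on success, print nothing on failure.
"""
import subprocess
import sys

# Placeholders: a record that is always present in your zone, and its address(es).
PROBE_NAME = "anchor.example.net."
EXPECTED = {"192.0.2.10"}
TIMEOUT_S = 2


def strip_mapped(ip: str) -> str:
    """Turn an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) into a plain dotted quad."""
    prefix = "::ffff:"
    if ip.lower().startswith(prefix) and "." in ip:
        return ip[len(prefix):]
    return ip


def evaluate(returncode: int, stdout: str, expected: set) -> bool:
    """Decide UP/DOWN from one `dig +short` run.

    dig returns non-zero only when no reply arrived at all.  A server that is
    up but answers SERVFAIL or NXDOMAIN exits 0 and, with +short, prints
    nothing, so a bare exit-status check would wrongly report it healthy.
    We therefore require at least one expected address in the answer.
    """
    if returncode != 0:
        return False
    answers = {line.strip() for line in stdout.splitlines() if line.strip()}
    return bool(answers & expected)


def probe(node_ip: str, port: int, name: str = PROBE_NAME) -> bool:
    """Query exactly one pool member and evaluate the result."""
    cmd = ["dig", "+short", f"+time={TIMEOUT_S}", "+tries=1",
           "@" + strip_mapped(node_ip), "-p", str(port), name, "A"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=TIMEOUT_S + 1)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return evaluate(proc.returncode, proc.stdout, EXPECTED)


def main(argv) -> int:
    if len(argv) < 3:
        return 1
    if probe(argv[1], int(argv[2])):
        print("UP")   # distinct success output; the LTM marks the member up
    return 0          # distinct failure output: nothing at all


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script never touches the VIP, an empty pool is detected by the LTM itself, which is what lets it stop advertising the /32 as described above.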
Re: Anycast DNS
You would need to create a custom script to use as your monitor, which does a lookup of an address that you know will always be in your domain. If that fails, force the node down/inactive, and tie this script as a monitor to the pool holding the DNS server nodes.

You can advertise the /32 containing the VIPA to the upstream router via either OSPF or iBGP, and if the pool goes empty, stop advertising the route (the only option is to stop advertising, not actively withdraw the route, since that could cause a massive reconvergence cycle in your enterprise-wide RIB, if done wrong, just because of a flapping interface).

HTH,
-DTK

On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo juwu...@yahoo.com wrote:
> Thanks everyone for all the responses with the great input. Now, if I want to put the DNS servers behind LBs:
> 1) Would the LTMs be able to announce the routes dynamically for the DNS servers, and can a VIP be withdrawn when the site is gone?
> 2) Would the LTMs be able to detect a DNS service failure and stop sending DNS queries to it, i.e., in the case where a named is still up but just not able to resolve names (assuming the LTM can detect that a named is down)?
Re: load balance of DNS
With stock DNS, no; all you can do is recommend, by ordering the responses. But there are solutions. There are load-balancing DNS servers (they have a pool of responses and hand out an answer from that pool based on rules, and can even remove an answer from the pool if a watchdog/monitor fails). F5 GTM and Cisco GSS are examples, but you need to talk with the vendor or a VAR to help you understand some of the nuances and complexities of doing it this way.

On Fri, Jan 13, 2012 at 8:52 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 13.01.12 22:40, MyDots.net wrote:
>> Is there a good way of running the current BIND (9.7 and later) for load balancing a special record? For example,
>>
>>     www.example.com IN A 192.168.1.1
>>     www.example.com IN A 192.168.1.2
>>
>> kind of. I want the first one to get more web traffic than the second one.
>
> With DNS you can only hint clients to send their requests by sorting the provided RRs in a particular order. You cannot be sure that they will preserve the order and that they will send their requests to different servers. In fact, most clients take the first server and will communicate with it.
>
>> I know other layer 4 or layer 7 software (like LVS and Nginx) can do that, but I also want to know if BIND supports this.
>
> Better get such a solution then...
>
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Remember half the people you know are below average.
Re: Zone name conflicts / overlapping
I don't know about PowerDNS, but BIND expects to have one master where all changes are initiated, and all other servers receive replication from the single master via incremental zone transfers. This is how conflicts and race conditions are prevented. You would do better to designate one of the two boxes as master, migrate all of the zones to that box, and have the other box only receive replication from the first.

If you want multi-master replication (not recommended, because it introduces a lot of strange behavior in edge cases), you would need to use something like DLZ and move your zone management out of the nameserver itself and into an application that would feed DLZ. Note, this is nontrivial, and will add a lot of complexity and processing overhead.

The best design would be to make both of your current servers consume replication and add a third server, which does not have an NS record and is not in the SOA, but which is designated the master and provides replication to the other two. This way you decouple where you make the changes from where you serve the data to the final consumers, and may be able to put it in a secure walled garden, with connectivity allowed only to the DNS servers (which one presumes would be Internet-facing).

HTH,
-DTK

On Mon, Sep 19, 2011 at 12:45 AM, Ben C. armon...@gmail.com wrote:
> Hello all,
>
> This is my first post to bind-users, so I would like to first of all say hello, and thanks to everyone who takes their time to read and respond to any mailing list post. =)
>
> I have a fairly complex situation where I have a pDNS server and an ISC BIND server, both containing unique zones. I'm trying to make them sync to each other so that the end result is they both contain the same list of zones, and update the opposite's zone files regularly.
>
> I am doing my best in designing it so that it *shouldn't* have the possibility of a zone conflict, where server A says something about zone foo.com, and server B contains its own unique record, so when they sync, .. well ...
>
> I noticed with BIND, what I expected happens if the situation occurs:
>
>     zone "foo.com" {
>         type master;
>         file "/path/to/some.file";
>     };
>     // .. some stuff
>     zone "foo.com" {
>         type master;
>         file "/path/to/some.other.file";  // ^^ They can be the same file, too ..
>     };
>
> -- BIND simply refuses to start, which is great because it allows me to /see/ the error a little easier.
>
> However, the situation got interesting when the following occurs:
>
>     zone "ns1.foo.com" {
>         type master;
>         file "/path/to/ns1.foo.com";
>     };
>     zone "foo.com" {
>         type master;
>         file "/path/to/foo.com";
>     };
>
> Where ns1.foo.com's zone file would obviously contain an A record for itself (ns1.foo.com.) and then foo.com's zone file contains an A record for the same zone/hostname, ns1.foo.com.
>
> It appears to me BIND sees the conflict/overlap but does not care about the order they are in, nor cares to exit (or even tell anybody about it), but simply uses the more specific zone file, which would be ns1.foo.com. I'm pretty sure this is intended behavior. Although for my specific and very individual circumstance this is not ideal for me, I'm by no means saying this is a bug, or bad behavior.
>
> I'm simply trying to figure out (1) if this is indeed the correct assumption, that BIND will always use the more specific zone, ... (2) if there are ways to modify the behavior (short of editing the way BIND, or even DNS, works) ... (3) if there is a way to at least identify this kind of behavior in logs (error/warning message? maybe I'm missing it..) .. (4) a link or referral to any kind of relevant information would be useful -- documentation, mailing lists, anything -- I did a _lot_ of googling and even peeked around on IRC asking around, but either I'm not asking the question correctly, or it's not a very common thing :)
>
> Thanks for your time,
> Ben
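Ben's question (3), how to spot this kind of overlap at all, can be answered with a pre-flight check over named.conf rather than by waiting for named to notice. The script below is an added example, not part of the thread and not a BIND tool: it pulls every zone statement out of a named.conf, reports exact duplicates (which named refuses to load, as Ben saw) and reports any zone that is a proper subdomain of another configured zone (the ns1.foo.com inside foo.com case, where names in the parent's file at or below the child are silently occluded by the child zone). It treats the whole file as one namespace, so the same zone legitimately defined in two views would be flagged; the root hint zone is exempted since everything is below ".". The sample configuration is constructed to mirror Ben's fragments.

```python
#!/usr/bin/env python3
"""Find duplicate and overlapping zone statements in a named.conf (added example)."""
import re
import sys
from typing import List, Tuple

# A zone statement: name, optional class, then the body up to its first "};".
# The body is only used to pull out "type ...;", which conventionally comes first.
ZONE_RE = re.compile(r'^\s*zone\s+"?([^"\s{]+)"?\s*(?:IN\s+)?\{(.*?)\};',
                     re.IGNORECASE | re.MULTILINE | re.DOTALL)
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;', re.IGNORECASE)


def canonical(name: str) -> str:
    """Lower-case and strip the trailing dot; the root zone stays "."."""
    return name.lower().rstrip(".") or "."


def parse_zones(conf_text: str) -> List[Tuple[str, str]]:
    """Return (zone name, zone type) pairs in file order."""
    zones = []
    for m in ZONE_RE.finditer(conf_text):
        t = TYPE_RE.search(m.group(2))
        zones.append((canonical(m.group(1)), t.group(1).lower() if t else "unknown"))
    return zones


def is_subdomain(child: str, parent: str) -> bool:
    """True when child lies strictly below parent in the DNS tree."""
    if child == parent:
        return False
    return parent == "." or child.endswith("." + parent)


def find_overlaps(zones: List[Tuple[str, str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (duplicate zone names, (child, parent) pairs) among non-hint zones."""
    names = [n for n, t in zones if t != "hint"]   # root hints would parent everything
    seen, dups = set(), []
    for n in names:
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    uniq = sorted(set(names))
    overlaps = [(c, p) for c in uniq for p in uniq if is_subdomain(c, p)]
    return dups, overlaps


def report(conf_text: str) -> List[str]:
    """Human-readable findings, one per line."""
    dups, overlaps = find_overlaps(parse_zones(conf_text))
    lines = [f"duplicate zone statement: {n} (named will refuse to start)" for n in dups]
    lines += [f"{c} has its own zone; records at or below {c} in the {p} zone file are occluded"
              for c, p in overlaps]
    return lines


# Constructed sample modelled on the thread's named.conf fragments.
SAMPLE_CONF = '''
zone "." { type hint; file "named.ca"; };
zone "ns1.foo.com" { type master; file "/path/to/ns1.foo.com"; };
zone "foo.com" IN {
    type master;
    file "/path/to/foo.com";
};
zone "bar.example" { type slave; masters { 192.0.2.1; }; file "bar.example.db"; };
zone "bar.example" { type master; file "/path/to/other"; };
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line in report(text):
        print(line)
```

Run it against the real file (`python3 zonecheck.py /etc/named.conf`) before `rndc reconfig`; with no argument it runs over the constructed sample and reports the duplicate bar.example and the ns1.foo.com/foo.com overlap.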
Re: DNS update on host down
There are tools which do this, such as F5's GTM or Cisco's GSS; essentially, you have multiple servers in a pool/answer group, and during normal operations they are handed out in either RR or WRR. If one server fails his health check, he is taken out of the mix. I believe under the covers it is essentially a rules engine, BIND, nsupdate and a few monitoring scripts.

-DTK

On Tue, Jul 26, 2011 at 9:23 AM, Paul Reilly parei...@tcd.ie wrote:
> Is there a simple utility which can ICMP ping or HTTP ping a host, and update the host's DNS entry if the host is down?
>
> I'm thinking I could have 2 include files, and swap between them depending on whether the host is down or not.
>
> Any pointers?
>
> Paul
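The "BIND, nsupdate and a few monitoring scripts" approach, written out as an added example that is not part of the thread and not any vendor's code. Instead of swapping include files and reloading, it sends a dynamic update to the zone's master that replaces the A RRset atomically, and it adds the hysteresis a real deployment needs: a record is flipped only after several consecutive failures and flipped back only after several consecutive successes, so one dropped probe does not flap the name. The zone, owner name, addresses, TSIG key name and secret, server address and thresholds are all placeholders; the probe is an HTTP GET because ICMP needs raw-socket privileges; nsupdate(8) itself is only invoked, fed on stdin.

```python
#!/usr/bin/env python3
"""Health-check a host and fail its A record over to a standby via nsupdate (added example)."""
import subprocess
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FailoverMonitor:
    zone: str                          # e.g. "example.com." (placeholder)
    name: str                          # owner name to flip, e.g. "www.example.com."
    primary: str                       # address served while the host is healthy
    standby: str                       # address served while the host is down
    ttl: int = 60                      # keep it short so clients notice the flip
    server: str = "127.0.0.1"          # the zone's primary master; updates must go there
    key_name: str = "failover-key"     # placeholder TSIG key name
    key_secret: str = "UmVwbGFjZU1lUmVwbGFjZU1lUmVwbGFjZU1lCg=="  # placeholder secret
    down_after: int = 3                # consecutive failures before failing over
    up_after: int = 2                  # consecutive successes before failing back
    active: str = field(init=False)
    _streak: int = field(default=0, init=False)
    _last_ok: bool = field(default=True, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def observe(self, ok: bool) -> Optional[str]:
        """Feed one probe result; return the address to switch to, or None.

        The streak counters are the hysteresis: a single failed or recovered
        probe never changes DNS, only a run of them does.
        """
        if ok == self._last_ok:
            self._streak += 1
        else:
            self._streak, self._last_ok = 1, ok
        if not ok and self.active == self.primary and self._streak >= self.down_after:
            self.active = self.standby
            return self.standby
        if ok and self.active == self.standby and self._streak >= self.up_after:
            self.active = self.primary
            return self.primary
        return None

    def nsupdate_script(self, new_ip: str) -> str:
        """One nsupdate batch: drop the whole A RRset and add the new address.

        Both changes travel in the single UPDATE message sent by 'send', so
        resolvers never see an empty RRset in between.
        """
        return "\n".join([
            f"server {self.server}",
            f"zone {self.zone}",
            f"key hmac-sha256:{self.key_name} {self.key_secret}",
            f"update delete {self.name} A",
            f"update add {self.name} {self.ttl} A {new_ip}",
            "send",
            "",
        ])

    def apply(self, new_ip: str) -> None:
        """Push the batch through nsupdate; raises if the update is refused."""
        subprocess.run(["nsupdate"], input=self.nsupdate_script(new_ip),
                       text=True, check=True)


def http_probe(url: str, timeout: float = 2.0) -> bool:
    """True when the URL answers 2xx/3xx within the timeout; 4xx/5xx and errors are down."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, OSError, ValueError):
        return False


def run_once(mon: FailoverMonitor, url: str) -> Optional[str]:
    """One monitoring tick: probe, decide, and push the update when a flip is due."""
    switch_to = mon.observe(http_probe(url))
    if switch_to is not None:
        mon.apply(switch_to)
    return switch_to


if __name__ == "__main__":
    import time
    mon = FailoverMonitor(zone="example.com.", name="www.example.com.",
                          primary="192.0.2.10", standby="192.0.2.20")
    while True:
        run_once(mon, "http://192.0.2.10/health")   # placeholder health URL
        time.sleep(10)
```

The zone must allow the update from this key (`allow-update { key "failover-key"; };` or an equivalent update-policy on the master); probing the primary directly by IP, not by the name being flipped, avoids the monitor following its own failover.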
Re: GUI for bind
It's a little less novice-friendly than Men & Mice, but it has price going for it. Take a look at GADMIN Tools for BIND (http://gadmintools.flippedweb.com/index.php?option=com_content&task=view&id=14&Itemid=33).

Even better, take a look at the Infoblox NIOS-based IPAM appliance; you could easily set one up as grid master and BIND master, and then do IXFR from him to your BIND slave servers.

-DTK

On Mon, Mar 28, 2011 at 5:55 PM, Jorg B. jor...@cwo.com wrote:
> Hello,
>
> I'm looking for a GUI for BIND that meets the following requirements:
> (1) Must still be under development (and supported, either commercially or via community support)
> (2) Supports accounts/groups that will allow me to create user accounts that are able to modify only zone records assigned to the account/group.
> (3) Administrator access with the permissions to modify any zone record.
> (4) Should support most common features of BIND.
> (5) Should support hundreds of zone records.
> (6) Should be somewhat easy to use, so that non-experts can figure it out.
>
> The product does not have to be free... a commercial product is perfectly fine.
>
> I've spent some time searching around, but most of the GUI products either don't support BIND or are no longer maintained...
>
> Any recommendations would be appreciated...
>
> Thanks
> JB
Re: Optimising rndc reload times on a slave server with 50,000 zones
One other thing: on the filesystem in which the directories that house the zone files reside, set the mount option noatime. This will improve the performance of re-reading the zone files because it takes out the necessity of updating a timestamp for each read.

-DTK

On Mon, Feb 28, 2011 at 7:34 AM, david klein r...@nachtmaus.us wrote:
> 50,000 files in a single directory will make it difficult for any filesystem. I would recommend breaking that out into groups of less than 1,000 per directory. For better performance, separate them onto directories that are on different spindles; the parallelization of seeks (and with thousands of small files that can each be read in one or two reads, your disks will spend a lot of this time seeking) should show a noticeable performance improvement.
>
> Do only some of the zones update in any given 15-minute cycle? If so, you may show an even bigger improvement by only reloading those that will have changed.
>
> On Sat, Feb 26, 2011 at 8:56 PM, Dennis Perisa dennis.per...@gmail.com wrote:
>> Hi folks,
>>
>> I'm looking for suggestions to substantially improve reload times on a slave that is serving 50,000 zones (mostly customer zones). 'rndc reload' is being executed on the slave every 15 minutes. Due to the large number of zones to trawl through, the reload process is causing intermittent outages and/or significant delays to zone transfers.
>>
>> Here are some ideas I have:
>> - use rndc reconfig instead
>> - separate zone files into separate dirs to improve O/S performance (currently, all zone files are in a single dir)
>>
>> Are these viable options? Any other thoughts/suggestions?
>>
>> This is expected to be a short-term fix while we consider the brute-force approach of throwing more CPU/mem/IO at this.
>>
>> DP
Re: Optimising rndc reload times on a slave server with 50,000 zones
50,000 files in a single directory will make it difficult for any filesystem. I would recommend breaking that out into groups of less than 1,000 per directory. For better performance, separate them onto directories that are on different spindles; the parallelization of seeks (and with thousands of small files that can each be read in one or two reads, your disks will spend a lot of this time seeking) should show a noticeable performance improvement.

Do only some of the zones update in any given 15-minute cycle? If so, you may show an even bigger improvement by only reloading those that will have changed.

On Sat, Feb 26, 2011 at 8:56 PM, Dennis Perisa dennis.per...@gmail.com wrote:
> Hi folks,
>
> I'm looking for suggestions to substantially improve reload times on a slave that is serving 50,000 zones (mostly customer zones). 'rndc reload' is being executed on the slave every 15 minutes. Due to the large number of zones to trawl through, the reload process is causing intermittent outages and/or significant delays to zone transfers.
>
> Here are some ideas I have:
> - use rndc reconfig instead
> - separate zone files into separate dirs to improve O/S performance (currently, all zone files are in a single dir)
>
> Are these viable options? Any other thoughts/suggestions?
>
> This is expected to be a short-term fix while we consider the brute-force approach of throwing more CPU/mem/IO at this.
>
> DP
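Breaking 50,000 zone files into sub-1,000-file directories, as suggested above, is only workable if the directory for each zone is derived mechanically so the named.conf and the filesystem never disagree. The script below is an added example, not part of the thread: it hashes each zone name (SHA-1, modulo 256 buckets, so about 195 files per directory at 50,000 zones) into a stable two-hex-digit subdirectory, emits the matching slave zone statements, and reports the per-directory distribution so you can confirm the hash spreads evenly. The master address, base directory, bucket count and the 5,000-zone customer list are placeholders and constructed data.

```python
#!/usr/bin/env python3
"""Shard slave zone files into hashed subdirectories and emit named.conf stanzas (added example)."""
import hashlib
import os
import sys
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Set, Tuple

BUCKETS = 256                              # 50,000 / 256 ~= 195 files per directory
BASE_DIR = "/var/named/slaves"             # placeholder
MASTERS: Sequence[str] = ("192.0.2.1",)    # placeholder hidden master


def canonical(zone: str) -> str:
    """Lower-case, trailing dot stripped; used both for hashing and for file names."""
    return zone.lower().rstrip(".") or "root"


def bucket_for(zone: str, buckets: int = BUCKETS) -> str:
    """Stable directory name for a zone: the same name always lands in the same bucket."""
    digest = hashlib.sha1(canonical(zone).encode("utf-8")).digest()
    width = len(f"{buckets - 1:x}")
    return f"{int.from_bytes(digest[:4], 'big') % buckets:0{width}x}"


def zone_path(zone: str, base: str = BASE_DIR, buckets: int = BUCKETS) -> str:
    return os.path.join(base, bucket_for(zone, buckets), canonical(zone) + ".db")


def zone_statement(zone: str, masters: Sequence[str] = MASTERS, base: str = BASE_DIR) -> str:
    """One slave zone stanza whose file path points into the right shard."""
    master_list = " ".join(f"{ip};" for ip in masters)
    return (f'zone "{canonical(zone)}" {{\n'
            f'    type slave;\n'
            f'    masters {{ {master_list} }};\n'
            f'    file "{zone_path(zone, base)}";\n'
            f'}};\n')


def generate(zones: Iterable[str], masters: Sequence[str] = MASTERS,
             base: str = BASE_DIR) -> Tuple[str, Set[str]]:
    """Return (named.conf fragment, set of shard directories that must exist)."""
    stmts, dirs = [], set()
    for z in zones:
        stmts.append(zone_statement(z, masters, base))
        dirs.add(os.path.dirname(zone_path(z, base)))
    return "".join(stmts), dirs


def distribution(zones: Iterable[str], buckets: int = BUCKETS) -> Dict[str, int]:
    """Files per shard directory, to check the hash spreads the load evenly."""
    return dict(Counter(bucket_for(z, buckets) for z in zones))


# Constructed sample: 5,000 customer zones.
SAMPLE_ZONES: List[str] = [f"customer{i}.example" for i in range(5000)]

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else BASE_DIR
    conf, dirs = generate(SAMPLE_ZONES, base=base)
    for d in sorted(dirs):
        os.makedirs(d, exist_ok=True)       # shard directories must exist before named writes
    with open("slaves.conf", "w") as fh:    # include this file from named.conf
        fh.write(conf)
    counts = distribution(SAMPLE_ZONES)
    print(f"{len(SAMPLE_ZONES)} zones over {len(counts)} directories, "
          f"max {max(counts.values())} per directory")
```

After regenerating the include file, `rndc reconfig` picks up newly added zones without re-reading the 50,000 that did not change, which is the other half of the advice above. Different shard directories can be placed on different spindles with mount points or symlinks without touching the generated paths.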
Re: Bind Clustering
One solution that was floated recently around here was to use dynamically loaded zones (http://bind-dlz.sourceforge.net/) with an underlying storage mechanism that does bidirectional replication (a directory service like LDAP, or a database) for the masters; this way, whichever one gets the update, the others get it too. The downside is that DLZ is basically a re-architecture of your DNS setup, and will require two extra pieces to maintain (the DLZ portion and the underlying replicating source).

-DTK

On Thu, Jul 29, 2010 at 6:25 AM, Gordon A. Lang gl...@goalex.com wrote:
> I know BIND does not currently support multi-master. And I understand that trying to strap together my own pseudo-multi-master implementation using BIND, bubble gum, and tape isn't a sustainable solution.
>
> But, nevertheless, I don't really need a true multi-master implementation -- I just need to keep my backup master relatively up to date without relying on frequent freeze-copy-thaw operations. I would be happy to have the updates go to one slave, and then be replicated to both the active master and the backup master. I would deal with drift via brute force, i.e. I would have the active master copy over to the backup master on a once or twice a day basis, not once every 5 minutes.
>
> I think it would be great if there were a new config construct added whereby the update-forward target(s) are explicitly specified. In the case where the masters are slaves of a hidden master that is directly reachable, it would allow for the updates to be directly forwarded to the primary master instead of being forwarded twice. And if multiple update-forward targets are specified, then all targets always get an update. This could be used to maintain a duplicate (hidden) master and/or eliminate the failure delay when the multiple masters switch over, taking turns being the master. And possibly the specified update-forward target construct could also have an optional behavior of forward-to-all, or stop-on-first-success if current behavior is preferred, but with a different list than the zone-transfer master list.
>
> Better yet, I would like to add update-forwarding for master zones -- perhaps it could be called update-replication.
>
> I guess what I would really like to see is multiple MNAME targets accommodated right in the SOA, but I imagine that would have a serious compatibility challenge. Or else maybe a new zone type called backup-master that acts like a slave until an rndc control flips its operation state.
>
> I would like to see some more comments on this. And I would really appreciate it if someone could tell me where in the source code I should look to find where the update-forward targets are obtained, so that I can evaluate what it would take for me to write my own modifications.
>
> Thanks.
>
> -- 
> Gordon A. Lang
>
> ----- Original Message -----
> From: Chris Buxton chris.p.bux...@gmail.com
> To: Gordon A. Lang gl...@goalex.com; bind-users@lists.isc.org
> Sent: Wednesday, July 28, 2010 11:22 PM
> Subject: Re: Bind Clustering
>
> Updates are always forwarded to the zone masters, as configured in the zone statement itself. And yes, the update is only forwarded (successfully) once. BIND assumes that each zone has exactly one primary master. That's why updates are forwarded only once.
>
> If you want a true multi-master setup, you'll need to look at other options. For example:
> - BIND with modifications or additional software.
> - Microsoft DNS and AD-integrated zones.
>
> There are other options.
>
> Regards,
> Chris Buxton
> Bluecat Networks
>
> On 7/28/10, Gordon A. Lang gl...@goalex.com wrote:
>> This reply is a few months delayed, but this issue is still very important to me, and I'm hoping you can take a few minutes to help out.
>>
>> I finally took some time to read through the code, and unfortunately I was unable to identify where forward target(s) are obtained in the update forwarding action. There's a lot of structure to reverse engineer -- too much for a casual effort. So perhaps you can tell me where I can find the pertinent code...?
>>
>> My belief was that somewhere in the code, the SOA record is obtained, and the MNAME is used as the forward target -- this belief was based on trial-and-error observations. What you suggested is that the update forwarding actually uses the masters list from the named.conf file for forwarding targets. I was unable to find clues one way or another.
>>
>> But another thing about your response that leaves me wondering if I fully understand it is that you say it walks the list of masters trying each one in turn, and with the word "trying" in there, it suggests that it walks the list only until the first successful update. Perhaps I am incorrectly reading into it, but if you could clarify that point, I would appreciate it.
>>
>> ---
>> I would expect that if the masters list is used, then ALL masters should always get the updates.
>>
>> Thanks in advance.
>>
>> -- 
>> Gordon A.