We're using a BGP-based solution currently to solve the problem of highly available DNS resolvers.

That might be a route worth taking, and one that could still work via Marathon on top of Mesos.

--

Tom Arnfeld
Developer // DueDil

(+44) 7525940046
25 Christopher Street, London, EC2A 2BS

On Thu, Apr 2, 2015 at 10:07 PM, John Omernik <j...@omernik.com> wrote:

> True :)
>
> On Thu, Apr 2, 2015 at 3:37 PM, Tom Arnfeld <t...@duedil.com> wrote:
>
>> Last time I checked haproxy didn't support UDP, which would be key for
>> mesos-dns.
>>
>> --
>>
>> Tom Arnfeld
>> Developer // DueDil
>>
>> (+44) 7525940046
>> 25 Christopher Street, London, EC2A 2BS
>>
>> On Thu, Apr 2, 2015 at 3:53 PM, John Omernik <j...@omernik.com> wrote:
>>
>>> That was my first response as well... I work at a bank, and the thought
>>> of changing DNS servers on the clients everywhere made me roll my eyes :)
>>>
>>> John
>>>
>>> On Thu, Apr 2, 2015 at 9:39 AM, Tom Arnfeld <t...@duedil.com> wrote:
>>>
>>>> This is great, thanks for sharing!
>>>>
>>>> It's nice to see other members of the community sharing more realistic
>>>> implementations of DNS rather than just "update your resolv.conf" and it
>>>> works :-)
>>>>
>>>> --
>>>>
>>>> Tom Arnfeld
>>>> Developer // DueDil
>>>>
>>>> (+44) 7525940046
>>>> 25 Christopher Street, London, EC2A 2BS
>>>>
>>>> On Thu, Apr 2, 2015 at 3:30 PM, John Omernik <j...@omernik.com> wrote:
>>>>
>>>>> Based on my earlier emails about the state of service discovery, I did
>>>>> some research and a little writeup on how to use mesos-dns as a forward
>>>>> lookup zone in an enterprise BIND installation. I feel this is more secure,
>>>>> and more comfortable for an enterprise DNS team, as opposed to changing the
>>>>> first resolver on every client that may interact with Mesos to be the
>>>>> mesos-dns server. Please feel free to modify/correct and include this in
>>>>> the mesos-dns documentation if you feel it's valuable.
>>>>>
>>>>> Goals/Thought Process
>>>>> - Run mesos-dns on a non-standard port (such as 8053). This allows
>>>>> you to run it as a non-root user.
>>>>> - While most DNS clients may not understand this (a different port), in
>>>>> an enterprise, most DNS servers will respect a forward lookup zone with a
>>>>> server using a different port.
>>>>> - The setup below for BIND9 allows you to keep all your Mesos servers AND
>>>>> clients in an enterprise pointing their requests at your enterprise DNS
>>>>> server, rather than mesos-dns.
>>>>> - This is easier from an enterprise configuration standpoint. Make
>>>>> one change on your DNS servers, rather than adding a resolver on all the
>>>>> clients.
>>>>> - This is more secure in that you can run mesos-dns as non-root (53
>>>>> is a privileged port, 8053 is not); no sudo required.
>>>>> - For more security, you can limit connections to the mesos-dns
>>>>> server to only your enterprise DNS servers. This could help mitigate any
>>>>> unknown vulnerabilities in mesos-dns.
>>>>> - This allows you to HA mesos-dns in that you can specify multiple
>>>>> resolvers for your BIND configuration.
>>>>>
>>>>> Bind9 Config
>>>>> This was put into my named.conf.local. It sets up the .mesos zone and
>>>>> forwards to mesos-dns. All my Mesos servers already pointed at this
>>>>> server, therefore no client changes were required.
>>>>>
>>>>> #192.168.0.100 is my host running mesos DNS
>>>>> zone "mesos" {
>>>>>     type forward;
>>>>>     forward only;
>>>>>     forwarders { 192.168.0.100 port 8053; };
>>>>> };
>>>>>
>>>>> config.json mesos-dns config file.
>>>>> I DID specify my internal DNS server in the resolvers (192.168.0.10);
>>>>> however, I am not sure if I need to do this, since only requests for
>>>>> .mesos will actually be sent to mesos-dns.
>>>>>
>>>>> {
>>>>>   "masters": ["192.168.0.98:5050"],
>>>>>   "refreshSeconds": 60,
>>>>>   "ttl": 60,
>>>>>   "domain": "mesos",
>>>>>   "port": 8053,
>>>>>   "resolvers": ["192.168.0.10"],
>>>>>   "timeout": 5,
>>>>>   "listener": "0.0.0.0",
>>>>>   "email": "root.mesos-dns.mesos"
>>>>> }
>>>>>
>>>>> marathon start json
>>>>> Note the lack of sudo here. I also constrained it to one host for now,
>>>>> but that could change if needed.
>>>>>
>>>>> {
>>>>>   "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>>>>   "cpus": 1.0,
>>>>>   "mem": 1024,
>>>>>   "id": "mesos-dns",
>>>>>   "instances": 1,
>>>>>   "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>>>>> }
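A small verification script for the forward-zone setup John describes in the quoted write-up, added here as an example; it is not part of the thread, of mesos-dns or of BIND. It reads a mesos-dns config.json (a constructed copy of the one quoted above), flags the settings that matter for running mesos-dns unprivileged and for restricting who can reach it (the unprivileged port and the 0.0.0.0 listener), then sends a raw UDP query to the forwarder address and port that the BIND zone stanza names and parses the answer, so you can confirm from the BIND host itself that mesos-dns answers on 8053 before clients depend on it. The forwarder address 192.168.0.100, the query name leader.mesos and all function names are assumptions for illustration.

```python
import json
import secrets
import socket
import struct

# Constructed copy of the mesos-dns config.json quoted in the thread (sample values).
SAMPLE_CONFIG = """{
  "masters": ["192.168.0.98:5050"],
  "refreshSeconds": 60,
  "ttl": 60,
  "domain": "mesos",
  "port": 8053,
  "resolvers": ["192.168.0.10"],
  "timeout": 5,
  "listener": "0.0.0.0",
  "email": "root.mesos-dns.mesos"
}"""

QTYPE_A = 1


def load_config(text):
    """Parse a mesos-dns config.json document."""
    return json.loads(text)


def check_config(cfg):
    """Return findings about settings that affect running mesos-dns unprivileged and who can reach it."""
    findings = []
    port = cfg.get("port", 53)
    if port < 1024:
        findings.append(f"port {port} is privileged; mesos-dns would need root or CAP_NET_BIND_SERVICE")
    if cfg.get("listener", "0.0.0.0") == "0.0.0.0":
        findings.append(f"listener binds all interfaces; restrict port {port} to the enterprise DNS servers")
    if not cfg.get("resolvers"):
        findings.append("no upstream resolvers configured")
    return findings


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid, qtype=QTYPE_A):
    """Build a single-question DNS query with the RD flag set (what BIND sends a forwarder)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data, expected_id):
    """Parse the header, skip the question section and return the answer records."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response id does not match the query")  # stray or spoofed reply
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}


def resolve(server, port, name, timeout=2.0):
    """Send one UDP query to the forwarder address/port BIND is configured with and parse the reply."""
    qid = secrets.randbelow(0x10000)  # unpredictable ids make off-path spoofing harder
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, qid)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for finding in check_config(cfg):
        print("finding:", finding)
    try:  # 192.168.0.100 is the forwarder from the quoted BIND stanza; leader.mesos is an assumed name
        print(resolve("192.168.0.100", cfg["port"], "leader.mesos"))
    except (socket.timeout, OSError) as exc:
        print("no answer from mesos-dns:", exc)
```

Run it on the BIND host: a timeout from the forwarder address while a local query succeeds on the mesos-dns host is the expected outcome once reachability to 8053 has been limited to the enterprise DNS servers, so the same script doubles as a check that the restriction is in place.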