Date: Tue, 28 Jun 2005 11:23:14 -0400 (EDT) From: John Von Essen <john@essenz.com> To: Adam Jacob Muller <adam@oxeo.com> Cc: freebsd-isp@freebsd.org, John Von Essen <john@essenz.com> Subject: Re: Thoughts on a large-scale DNS server... Message-ID: <20050628111413.J15817@beck.quonix.net> In-Reply-To: <1D0EBF69-F1EB-4056-BCA1-2E91207D11E8@oxeo.com> References: <20050628102618.J13559@beck.quonix.net> <1D0EBF69-F1EB-4056-BCA1-2E91207D11E8@oxeo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Adam,
Thanks for the info. The two servers will be in two geographically
separated datacenters. I am unfamiliar with djbdns. The first question I
have is, are zone file configurations the same. We currently have all
11,000 zone files ready to go within a BIND environment, and we really
dont want to have to change the core config style of all those domains.
As for TTL, we currently use a 24 hour TTL, for zone file itself we then
do something like:
$TTL 86400
@              IN SAO ...
               2004100500      ; Serial
               10800           ; Refresh after 3 hour
               3600            ; Retry after 1 hour
               604800          ; Expire after 1 week
               86400 )         ; Minimum TTL of 1 day
The majority of our dns will rarely if "ever" change. I would only use
Linux if I was really convinced that BIND (or djbdns) for some reason or
another ran better (better pthread support, etc.,.) on it. But then again
I'm partial to FreeBSD.
-John
On Tue, 28 Jun 2005, Adam Jacob Muller wrote:
> I annotated your message below, basically explaining our similar setup.
>
> On Jun 28, 2005, at 10:42 AM, John Von Essen wrote:
>
> > I have been tasked with setting up a large-scale dns server
> > environment
> > (One ISP is taking over another ISP) and would greatly appreciate any
> > thouhts or experiences that could help me out.
> >
> > In the end we will probably be doing authoritative DNS for 11,000
> > domains,
> > and another 200 or so in-arpa address ranges for reverse resolution.
>
> we have ~ 10k domains right now, and much less than 200 ptr's
>
> >
> > The plan is to have 3 core machines. One is the master, and gets
> > its zone
> > files created from local cvs exports. The other two are slaves, and do
> > zone transfers from the master. The Public will actually only talk to
> > these two slave DNS servers (NS1 and NS2). The machines themselves
> > will be
> > Single 3Ghz Xeon, 1Gb Memory, and 70Gb RAID 1 U320 SCSI. For every
> > machine, we will have a standby machine waiting and ready.
>
> sounds like a very conservative setup, and for DNS that's good. if at
> all possible I
> would suggest that you move at least one of those servers to a
> totally seperate network.
> This is important, if your network is unreachable for say, 20 minutes
> for any reason, anyone who queries
> your dns in that time and caches the result will be unable to connect
> until that invalid entry clears from their cache.
>
> As slashdot tells us, some providers ignore your set records,
> http://ask.slashdot.org/article.pl?
> sid=05/04/18/198259&tid=95&tid=128&tid=4
> so this is a very prudent step as i'm sure providers also tweak the
> retry times since a failed lookups are
> more likely to be repeated and consume more resources than successful
> ones.
>
>
> >
> > The first question is, do I have enough CPU/Memory. Keep in mind these
> > machines will nothing but DNS.
>
> Yes
>
> >
> > Are there any performace issues with using regular filesystem
> > directory
> > zone file storage. For example, we will have a very large
> > named.conf file
> > with some 11,000 zone entries (I have never worked with a named.conf
> > file that big before). Those entries will just reference the local
> > filesystem, file "s/a/adam.com"; and so on.
> >
> > The next big question is BIND8 or BIND9. I would like to take
> > advantage of
> > threading in BIND9, but saw a previous post that BIND9 can have
> > difficulty
> > working with BIND8 servers which were incorrectly setup, whereas
> > BIND8 can
> > allow for a certain level of "external" incompetence.
>
> the real question is, do you want to use bind at all?
> We currently use djbdns to manage everything, i personally find it to
> be much more tolerant of errors than any version of bind.
> http://cr.yp.to/djbdns.html
>
>
> >
> > And finally, Linux or FreeBSD, and if FreeBSD, 4 or 5.
>
> FreeBSD
>
> >
> > Current staff (besides me) whats to run Debian Linux, but BIND9
> > pthreads
> > dont work in Linux, do they work in FreeBSD? I want to use FreeBSD
> > just
> > because it better overall with regards to TCP/IP.
>
> Debian is a good, stable linux distro, my personal favorite in fact.
> (though gentoo is also nice).
> Linux is more reliable out of the box, FreeBSD can and is more
> reliable if you know how to work it.
>
> >
> > The only performance numbers we got from the other ISP, is that
> > existing
> > dns servers use about a constanst 400 kbps (bits) of bandwidth.
>
> The bandwidth, the needed server specs are a combination of two
> things. First, the number of domains you have and 2nd the TTL on
> those domains.
> We currently use a TTL of 12 hours. This serves us well. If you halve
> the TTL to say, 6 hours, expect to double the number of DNS queries.
> If you double the TTL to 24 hours, expect to halve the number of DNS
> queries.
>
> >
> > Thanks in advance
> > John
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
> >
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050628111413.J15817>
