Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 13 Jul 2009 13:03:24 -0400
From:      Jon Radel <jon@radel.com>
To:        John Almberg <jalmberg@identry.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Should DNS be on same server as webserver?
Message-ID:  <4A5B68DC.2070505@radel.com>
In-Reply-To: <8195A2D9-F7AC-49F8-969E-A13EDFA3C05A@identry.com>
References:  <8195A2D9-F7AC-49F8-969E-A13EDFA3C05A@identry.com>

next in thread | previous in thread | raw e-mail | index | archive | help

This is a cryptographically signed message in MIME format.

--------------ms080305090308080902050303
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

John Almberg wrote:
> 
> The other day, a FreeBSD 'expert' told me that it is important to have 
> the DNS server for a domain on the same server as the domain's web 
> server. Supposedly, this saves doing tons of DNS look ups over the 
> network. Instead, they are done locally.
> 
> This makes sense to me, but I wonder if the performance difference is 
> really that significant?

In my experience, you're straying well into "it all depends" and "you'll 
have to benchmark your situation and see" territory.

I once walked into a situation where a web server was setup to do a 
reverse lookup on all log entries, and the DNS servers were on the far 
end of an overloaded 56 kbps line.  That was miserable, stupid slow and 
quickly cured by setting up a resolving name server on the web server.

On the other hand, in situations where my name servers have been on the 
same high-quality gigE switch as the web servers, I've never noticed an 
issue, but then I don't run any really high-volume servers.

On the third hand (too many years in front of CRTs), Apache and Bind 
have both had their security issues over the years, and there's 
something to be said for running them on different servers to reduce 
both the "all eggs in one basket" factor and the ease of spreading an 
attack.  (Yes, I'm assuming what you're actually running....)

If you want performance and security, you might consider running your 
authoritative dns servers for your domain on a different server, while 
on your web server you run a light-weight caching dns server reachable 
only on the loopback interface.

-- 

--Jon Radel
jon@radel.com

--------------ms080305090308080902050303
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJMTCC
AvMwggJcoAMCAQICEB1eDeVYxhAO39zOEnHiAbwwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UE
BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT
I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDIyNTA0MTMyNloX
DTEwMDIyNTA0MTMyNlowXjEOMAwGA1UEBBMFUmFkZWwxEzARBgNVBCoTCkpvbiBUaG9tYXMx
GTAXBgNVBAMTEEpvbiBUaG9tYXMgUmFkZWwxHDAaBgkqhkiG9w0BCQEWDWpvbkByYWRlbC5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeT7qtj+euqWr2wXM7OnwrXJe9
Jlc0CGaM69AcTWOFakRY7MUXrqcmF5WjrqrMoagfGjS362eb6787x313ZdLoGuQPh/o2Mqp4
BbSgcnGZRj82SxkUmSN6+2q5ZOOYA6JmfvJwmBuRQ8sHki4GnoSwbIc11a70/z4at5qRi8bb
/RtmJYewnpwXErfuuq0hhVSsYKFPXELzSahlpyC+lUfIdgvLJGxc7eU5QuvtYmuohNjn4k9C
SJinvfjFbkvgbIgtvZxxmcE74NsKTeW2bEwgoCjZlcAD/QMgLE9KGSVn4/LzC/OZwkPKcWKO
CPTNIZK1P+HxaIW4BvvYtjLu2Qx5AgMBAAGjKjAoMBgGA1UdEQQRMA+BDWpvbkByYWRlbC5j
b20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQBT+qFXV8sexrNOJuK8rhVpnCNF
iFslD9Kelhon5Tt1tlTsw+B9F9B8ys9tfV559tzVqE+ULcqnjX2rsaJCwFmn6gyucCN0yGML
h1O4ddsNQmoTOILyBCv/rkfO4tbXJM3si2JDNPZnL/0Rf3FpDTc3U3SnAdqE1a/8PGBTTmay
VDCCAvMwggJcoAMCAQICEB1eDeVYxhAO39zOEnHiAbwwDQYJKoZIhvcNAQEFBQAwYjELMAkG
A1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNV
BAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDIyNTA0MTMy
NloXDTEwMDIyNTA0MTMyNlowXjEOMAwGA1UEBBMFUmFkZWwxEzARBgNVBCoTCkpvbiBUaG9t
YXMxGTAXBgNVBAMTEEpvbiBUaG9tYXMgUmFkZWwxHDAaBgkqhkiG9w0BCQEWDWpvbkByYWRl
bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeT7qtj+euqWr2wXM7Onwr
XJe9Jlc0CGaM69AcTWOFakRY7MUXrqcmF5WjrqrMoagfGjS362eb6787x313ZdLoGuQPh/o2
Mqp4BbSgcnGZRj82SxkUmSN6+2q5ZOOYA6JmfvJwmBuRQ8sHki4GnoSwbIc11a70/z4at5qR
i8bb/RtmJYewnpwXErfuuq0hhVSsYKFPXELzSahlpyC+lUfIdgvLJGxc7eU5QuvtYmuohNjn
4k9CSJinvfjFbkvgbIgtvZxxmcE74NsKTeW2bEwgoCjZlcAD/QMgLE9KGSVn4/LzC/OZwkPK
cWKOCPTNIZK1P+HxaIW4BvvYtjLu2Qx5AgMBAAGjKjAoMBgGA1UdEQQRMA+BDWpvbkByYWRl
bC5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQBT+qFXV8sexrNOJuK8rhVp
nCNFiFslD9Kelhon5Tt1tlTsw+B9F9B8ys9tfV559tzVqE+ULcqnjX2rsaJCwFmn6gyucCN0
yGMLh1O4ddsNQmoTOILyBCv/rkfO4tbXJM3si2JDNPZnL/0Rf3FpDTc3U3SnAdqE1a/8PGBT
TmayVDCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUw
EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhh
d3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNp
b24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJ
ARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3
MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAo
UHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBD
QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p/6Me
7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQq
E88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEA
AaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9j
cmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIB
BjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcN
AQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNw
PP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq72
6jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNkMIIDYAIBATB2MGIxCzAJBgNVBAYT
AlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNU
aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQHV4N5VjGEA7f3M4SceIBvDAJ
BgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP
Fw0wOTA3MTMxNzAzMjRaMCMGCSqGSIb3DQEJBDEWBBQ09YfPVZCOcD0t5HpqOmM0bc6acjBS
BgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYBBAGCNxAEMXgwdjBiMQswCQYD
VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE
AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEB1eDeVYxhAO39zOEnHi
AbwwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3Rl
IENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt
YWlsIElzc3VpbmcgQ0ECEB1eDeVYxhAO39zOEnHiAbwwDQYJKoZIhvcNAQEBBQAEggEAH0Qw
KJxKQy8VzD8bprwrbppII23015V8hSqjSKbC05MIyzQT1oM/2bswj0pDrP+hEXC31Vg77fut
pNAOtFjamJ35vA4aO9WCZuZPoiorIJfRDAzsNrsCxy14X4ZLzb1/WusRa7Wa8s1IHPchN5bA
bp/+G3g/xnYb6QRnmkYOO6PKlm3EqEurCVkuLrt3bONpW+SV11ucoJgZ6ToA3vcBRYMdzjMR
2rWLUKFUIFYoazPgNe67DjXLKEtbDHItRNpiUoT3twt6WPPirG7uKFYvvNlYHMiSTPPSe3eU
U7rP2rZqjLEpQ0MAsqmJOR+vyrxRd0ldQLBji+PCVElWCHMoXAAAAAAAAA==
--------------ms080305090308080902050303--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A5B68DC.2070505>