BIND server dimensioning
Brad Knowles
brad.knowles at skynet.be
Wed May 16 08:25:35 UTC 2001
At 6:44 AM +0000 5/16/01, Laurent Perruche wrote:
> In fact, I'd like to dimension an authoritative DNS BIND server for an ISP,
> with about 70000 users behind.
Skynet (my ISP, and my former employer) has about a million users
(of which about 200-250k are down in France), and has two main
caching nameservers. To the best of my knowledge, neither of these
machines does much more than about 200-250 queries per second, and
that is with both the clients *AND* most of the servers pointed at
them.
> This ISP requires (sorry, but I don't know much about DNS and how much it is
> used in practice) that with 70000 users behind an authoritative DNS server,
> only about 25% (-> 18000 users) are simultaneously connected and that a user
> makes one DNS request every 6 seconds (so it makes about 3000 requests/sec.)
One DNS request every six seconds per user is *HIGHLY*
unrealistic. They should instead look at the number of queries per
connected user that they see today, and extrapolate from that.
> According to what you said, it's much too high.
> Do you know what is the average use of an authoritative DNS server?
Consider that many users will just do e-mail for most of the
time, and this means that they will make a DNS query for
"pop.yourisp.com", connect to this machine, download all their mail,
read and queue up replies to all their mail, query for
"smtp.yourisp.com" and upload all their replies (perhaps with as much
as thirty minutes to an hour or more between download and upload
sessions), and that would be the entirety of their Internet usage for
the day.
Back in 1997, I built what is probably still the world's largest
nameserver farm at AOL, because the nameservers we had at the time
for the Internet e-mail gateway system were overloaded, and
Operations wanted a centralized set of nameservers that could be used
for all services.
I took four DEC Alpha 4100 servers with 4GB of RAM and four
processors each, and set them up with a high-availability solution
from DEC called "DECsafe ASE", whereby a pair of machines will each
monitor the other, and if the other machine dies, it will take over
the IP addresses and restart the services that it had been running.
This way, clients see a very brief interruption in services, but the
IP addresses they had been using just keep working.
Each DEC Alpha 4100 was running four copies of BIND 8, each one
bound to a separate processor and a separate virtual IP address. I
benchmarked this system as being able to handle at least 2000 DNS
queries per copy of BIND (limited by the tool I was using to measure
the performance of the system), and it didn't seem to make any impact
whatsoever when there were multiple copies of BIND on the system that
were being stressed. So, the overall system should have been able to
handle up to 32,000 queries per second (or perhaps considerably more).
We then created a complex set of rules for determining which
client would be pointed at which instance of BIND as their primary
nameserver (in /etc/resolv.conf), and made sure that the secondary
and tertiary nameservers were on physically separate machines (the
second was even on the opposite cluster, just in case there was a
failure that took down both machines in a pair).
I watched that system fairly carefully for months, and despite
the more than ten million customers AOL had at the time, the
multiple millions of mail messages that we were processing per day,
and the untold billions of web pages that we were serving up per
day, I still don't think I ever saw that system do anything much
above 2000 DNS queries per second across the entire cluster.
You really need to get a proper idea of how many DNS queries per
second you can really expect to have, before you start specifying the
kinds of systems you need to be able to handle those levels of
queries.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
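As an added illustration of the approach Brad recommends (measure the queries per connected user you see today and extrapolate from that rather than guessing one query every six seconds), the script below is not part of the original thread: it parses constructed BIND-style query-log lines (the log format, timestamps and client addresses are assumptions), derives the observed per-client rate, and projects the load for a given subscriber count and concurrency fraction.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed BIND-style query log lines for this example only (not real traffic).
# Assumed line format: "<dd-Mon-YYYY HH:MM:SS.mmm> client <ip>#<port>: query: <name> <class> <type>"
SAMPLE_LOG = """\
16-May-2001 08:00:00.101 client 192.0.2.10#1025: query: pop.yourisp.example IN A
16-May-2001 08:00:00.412 client 192.0.2.11#1026: query: smtp.yourisp.example IN A
16-May-2001 08:00:00.903 client 192.0.2.10#1027: query: www.example.net IN A
16-May-2001 08:00:01.250 client 192.0.2.12#1028: query: pop.yourisp.example IN A
16-May-2001 08:00:01.700 client 192.0.2.13#1029: query: mail.example.org IN MX
16-May-2001 08:00:03.005 client 192.0.2.10#1030: query: www.example.net IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: query: "
)


def parse_log(text):
    """Yield (timestamp truncated to the second, client IP) per query line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"), m.group("ip")


def measure(text):
    """Observed peak queries/second, distinct clients, and mean queries per client per second."""
    per_second = Counter()   # queries seen in each wall-clock second
    clients = set()          # distinct client addresses seen in the window
    first = last = None
    total = 0
    for ts, ip in parse_log(text):
        per_second[ts] += 1
        clients.add(ip)
        total += 1
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    if total == 0:
        raise ValueError("no query lines found")
    window_s = (last - first).total_seconds() + 1  # inclusive span of the sample, in seconds
    return {
        "peak_qps": max(per_second.values()),
        "clients": len(clients),
        "per_client_qps": total / len(clients) / window_s,
        "window_s": window_s,
    }


def extrapolate(per_client_qps, users, concurrent_fraction):
    """Projected query rate for `users` subscribers with `concurrent_fraction` online at once."""
    return per_client_qps * users * concurrent_fraction
```

Feeding the thread's own assumption (one query per user every six seconds) through `extrapolate(1/6, 70000, 0.25)` reproduces the roughly 3000 queries/second figure being questioned; feeding a measured `per_client_qps` from a real log replaces that guess with an observed rate.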