BIND server dimensioning

Brad Knowles brad.knowles at skynet.be
Wed May 16 08:25:35 UTC 2001


At 6:44 AM +0000 5/16/01, Laurent Perruche wrote:

>  In fact, I'd like to dimension an authoritative DNS BIND server for an ISP,
>  with about 70000 users behind.

	Skynet (my ISP, and my former employer) has about a million users 
(of which about 200-250k are down in France), and has two main 
caching nameservers.  To the best of my knowledge, neither of these 
machines does much more than about 200-250 queries per second, and 
that is with both the clients *AND* most of the servers pointed at 
them.

>  This ISP requires (sorry, but I don't know much about DNS and how much it is
>  used in practice) that with 70000 users behind an authoritative DNS server,
>  only about 25% (-> 18000 users) are simultaneously connected and that a user
>  makes one DNS request every 6 seconds (so it makes about 3000 requests/sec.)

	One DNS request every six seconds per user is *HIGHLY* 
unrealistic.  They should instead look at the number of queries per 
connected user that they see today, and extrapolate from that.

>  According to what you said, it's much too high.
>  Do you know what is the average use of an authoritative DNS server ?

	Consider that many users will just do e-mail for most of the 
time, and this means that they will make a DNS query for 
"pop.yourisp.com", connect to this machine, download all their mail, 
read and queue up replies to all their mail, query for 
"smtp.yourisp.com" and upload all their replies (perhaps with as much 
as thirty minutes to an hour or more between download and upload 
sessions), and that would be the entirety of their Internet usage for 
the day.


	Back in 1997, I built what is probably still the world's largest 
nameserver farm at AOL, because the nameservers we had at the time 
for the Internet e-mail gateway system were overloaded, and 
Operations wanted a centralized set of nameservers that could be used 
for all services.

	I took four DEC Alpha 4100 servers with 4GB of RAM and four 
processors each, and set them up with a high-availability solution 
from DEC called "DECsafe ASE", whereby a pair of machines will each 
monitor the other, and if the other machine dies, it will take over 
the IP addresses and restart the services that it had been running. 
This way, clients see a very brief interruption in services, but the 
IP addresses they had been using just keep working.

	Each DEC Alpha 4100 was running four copies of BIND 8, each one 
bound to a separate processor and a separate virtual IP address.  I 
benchmarked this system as being able to handle at least 2000 DNS 
queries per copy of BIND (limited by the tool I was using to measure 
the performance of the system), and it didn't seem to make any impact 
whatsoever when there were multiple copies of BIND on the system that 
were being stressed.  So, the overall system should have been able to 
handle up to 32,000 queries per second (or perhaps considerably more).

	We then created a complex set of rules for determining which 
client would be pointed at which instance of BIND as their primary 
nameserver (in /etc/resolv.conf), and made sure that the secondary 
and tertiary nameservers were on physically separate machines (the 
second was even on the opposite cluster, just in case there was a 
failure that took down both machines in a pair).

	I watched that system fairly carefully for months, and despite 
the more than ten million customers AOL had at the time, and the 
multiple millions of mail messages that we were processing per day, 
and the untold billions of web pages that we were serving up 
per day, I still don't think I ever saw that system do anything much 
above 2000 DNS queries per second across the entire cluster.


	You really need to get a proper idea of how many DNS queries per 
second you can really expect to have, before you start specifying the 
kinds of systems you need to be able to handle those levels of 
queries.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
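The advice above is to measure the per-connected-user query rate you actually see and extrapolate from it, rather than start from a guessed "one query every six seconds". The following is an added example (not code from Brad's post or from BIND) of doing exactly that over a query log: it parses BIND-style query-log lines, works out mean and peak queries per second and the rate per distinct client, and projects that onto a larger user base. The log line layout is assumed to be the BIND 9 style `client <ip>#<port>: query: <name> <class> <type>` (BIND 8 in 2001 logged differently), and every log line in `SAMPLE_LOG` is constructed for illustration, not real traffic.

```python
"""Measure DNS query load from a query log and extrapolate to more users.

Added example for the bind-users thread; not part of the original post.
The log format is an assumption (BIND 9 style); the sample lines are made up.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed BIND 9-style query-log line.  Real versions vary slightly in the
# fields after the client address, so adjust the pattern to your own log.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"

# Constructed sample log (not real traffic): five clients over ten seconds,
# with one non-query line mixed in to show that it is skipped.
SAMPLE_LOG = """\
16-May-2001 08:25:30.101 client 192.0.2.10#1025: query: pop.example.net IN A +
16-May-2001 08:25:30.340 client 192.0.2.11#1026: query: www.example.org IN A +
16-May-2001 08:25:31.012 client 192.0.2.12#1027: query: smtp.example.net IN A +
16-May-2001 08:25:31.500 client 192.0.2.10#1028: query: www.example.com IN A +
16-May-2001 08:25:31.733 client 192.0.2.13#1029: query: www.example.com IN AAAA +
16-May-2001 08:25:33.004 client 192.0.2.11#1030: query: news.example.org IN A +
16-May-2001 08:25:35.220 client 192.0.2.14#1031: query: pop.example.net IN A +
16-May-2001 08:25:35.221 client 192.0.2.14#1032: query: pop.example.net IN MX +
16-May-2001 08:25:36.000 zone example.net/IN: loaded serial 2001051601
16-May-2001 08:25:39.900 client 192.0.2.12#1033: query: www.example.net IN A +
"""


def parse_query_log(text):
    """Return a list of (second, client_ip, qname, qtype) for each query line.

    Lines that do not match the query pattern (zone loads, notifies, noise)
    are skipped rather than treated as an error.
    """
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        second = datetime.strptime(m.group("ts"), TS_FMT)
        records.append((second, m.group("ip"), m.group("name"), m.group("qtype")))
    return records


def summarize(records):
    """Compute the load figures needed for dimensioning from parsed records."""
    if not records:
        raise ValueError("no query records to summarize")
    per_second = Counter(sec for sec, _, _, _ in records)
    clients = {ip for _, ip, _, _ in records}
    first, last = min(per_second), max(per_second)
    window = int((last - first).total_seconds()) + 1   # inclusive, in seconds
    total = len(records)
    mean_qps = total / window
    peak_qps = max(per_second.values())
    return {
        "queries": total,
        "clients": len(clients),
        "window_seconds": window,
        "mean_qps": mean_qps,
        "peak_qps": peak_qps,
        "qps_per_client": mean_qps / len(clients),  # measured per-user demand
        "peak_to_mean": peak_qps / mean_qps,        # burstiness seen in the log
    }


def projected_qps(stats, total_users, concurrency):
    """Extrapolate measured per-client demand to a larger user base.

    Returns (sustained, peak): sustained is simultaneous users times the
    measured per-client rate; peak scales that by the observed peak-to-mean
    ratio so the server is sized for bursts rather than averages.
    """
    simultaneous = total_users * concurrency
    sustained = simultaneous * stats["qps_per_client"]
    return sustained, sustained * stats["peak_to_mean"]


def assumed_qps(total_users, concurrency, seconds_per_query):
    """The napkin figure from the thread (one query per user every N seconds),
    kept only so it can be compared with what the log actually shows."""
    return total_users * concurrency / seconds_per_query


if __name__ == "__main__":
    stats = summarize(parse_query_log(SAMPLE_LOG))
    sustained, peak = projected_qps(stats, total_users=70000, concurrency=0.25)
    print("measured:", stats)
    print(f"projected for 70000 users at 25% concurrency: "
          f"{sustained:.0f} qps sustained, {peak:.0f} qps at observed peak ratio")
    print(f"napkin estimate (1 query / 6 s per user): "
          f"{assumed_qps(70000, 0.25, 6):.0f} qps")
```

Run it against a real query log (`named` with query logging turned on, or a packet capture converted to the same line shape) over a busy hour rather than ten seconds; the interesting numbers are `qps_per_client`, which replaces the guessed six-second interval, and `peak_to_mean`, which tells you how much headroom above the sustained figure the box needs.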

