deploying DNS in large ISP

Brad Knowles brad.knowles at skynet.be
Wed Jul 4 09:20:48 UTC 2001


At 7:45 PM -0700 7/3/01, Duane Powers wrote:

>  I'm wondering if anyone is using a server farm/cluster for DNS?  How are
>  the big guys doing it? Earthlink, AOL etc...

	I can tell you how I set it up for AOL at the time I worked there.

>                                                What device can be run in
>  front of the boxes to load balance the traffic? Any help on this would
>  be greatly appreciated.

	When I set up the central caching farm at AOL, we used a set of 
four DEC Alpha 4100 machines, each with four processors and 4GB of 
RAM, and a separate copy of BIND 8 that was assigned its own virtual 
IP address on the FDDI interface, and was bound to a particular 
processor.  We then set up DECSafeASE in a cross-failover mesh 
between the sixteen processors.  My testing indicated that each copy 
of BIND could serve up to at least 2000 queries per second, and 
having multiple copies of BIND on the machine didn't seem to impact 
the throughput of the others.

	So, the entire farm should have been able to handle at least 
32,000 DNS recursive/caching queries per second.

	What we then did was to set up a set of separate 
recursive/caching-only nameservers for each specific service within 
the company, and if they didn't have the answer in their local cache, 
they would forward that query to the central cache farm I had set up.


	These days, I do not suggest using forwarding.  It creates 
configurations that are too complex and too likely to cause more 
problems than it solves.  See pages 333-335 of Chapter 11 in the 4th 
edition of _DNS and BIND_, written by Paul Albitz & Cricket Liu 
(published by O'Reilly & Assoc).

	If you don't happen to have a copy of this book, there happens to 
be an electronic version of chapter 11 available online at 
<http://www.oreilly.com/catalog/dns4/chapter/ch11.html>.  You can 
search for "The trouble with forwarding" and read what it has to say.


	Also, I do not suggest using BIND 8 any more.  I suggest you use 
BIND 9 instead.  If you are particularly paranoid about not using 
anything at your site that has not been used as a root nameserver, 
then you need to stick with BIND 8 for a little while longer, but 
otherwise I would encourage you to make the upgrade as soon as you 
can feasibly do so.


	In your case, what I would suggest is running a copy of named on 
each machine that needs DNS services.  This helps ensure that as you 
scale the number of clients that need nameservices, you also scale 
the number of systems that are providing nameservices, and you don't 
take a risk of overloading a dedicated set of central 
recursive/caching-only servers.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'


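As an added example that is not part of Brad's message or of BIND itself: a minimal BIND 9 named.conf for the setup he recommends at the end, a caching-only named on each host that needs name service, shown next to the forwarding variant he argues against (kept commented out, since a single options block is all named.conf accepts). The directory path, root hints file name and the forwarder addresses are assumptions made up for the illustration; the allow-recursion/allow-query restriction is an addition to keep the caching server from becoming an open resolver.

```conf
// Example only (not from the original post): caching-only BIND 9 resolver
// running on the host that needs DNS service, with no forwarding.
options {
    directory "/var/cache/bind";      // assumed path, adjust to your build

    // Serve the local host only; it is not meant to be reachable from outside.
    listen-on    { 127.0.0.1; };
    listen-on-v6 { ::1; };

    recursion yes;
    // A caching server that recurses for anyone is an open resolver and can
    // be abused for cache poisoning attempts and reflection traffic, so limit
    // who may query and who may trigger recursion.
    allow-query     { localhost; };
    allow-recursion { localhost; };

    // The forwarding variant the post advises against would add the two
    // lines below: every cache miss is then sent to the central farm, so
    // this host's resolution fails whenever the farm is down or overloaded.
    // forwarders { 10.0.0.53; 10.0.1.53; };   // constructed addresses
    // forward only;
};

// With no forwarders, named resolves from the root hints itself.
zone "." {
    type hint;
    file "named.root";                // root hints file, assumed present
};
```

Run named-checkconf against the file before loading it; it reports syntax errors in the statements above without starting the server.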