a question on bind cache

Kevin Darcy kcd at chrysler.com
Sat Jan 16 00:33:07 UTC 2010


When the DNS was designed, one primary assumption was that name/address 
mappings changed *infrequently*. Hence caching was integrated into the 
protocol, and is absolutely necessary for any kind of reasonable DNS 
performance.

If you twist DNS to perform load-balancing and/or failover functions, 
then you must *defeat* caching, since otherwise resolvers will keep 
giving out "stale" answers from their cache, even if the resource at a 
particular address is unavailable or overloaded. Thus you cause 
everyone's resolvers to work sub-optimally and inefficiently; not the 
way it was designed to work.

Similarly, other components -- such as browsers and operating systems -- 
make similar assumptions about cacheability as DNS itself. So they 
cache name lookups, and this adds more layers that need to be 
"defeated". In the case of browsers, there are special protections 
against defeating its name cache, because of so-called "rebinding" 
attacks, see e.g. http://crypto.stanford.edu/dns/dns-rebinding.pdf 
(although many, including myself, consider this circumstance more the 
result of a broken browser security model, than a failure or 
imperfection of DNS).

It is better to replicate your content (and/or the database for which 
the visible content is only a front-end) and then use some technology 
like "anycast", or something similar, to direct users to the "closest" 
or, if one or more of the replicas in a set is known to be "dead", to 
some other replica which is known to still be "alive". Perform the 
load-balancing and/or failover at a lower level of the network stack, in 
other words, and leave the name/address association alone.

For an influential opinion on the folly of DNS-based 
load-balancing/failover, although it's a little out-of-date now: 
http://www.tenereillo.com/GSLBPageOfShame.htm

- Kevin
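
As an added illustration of the stacked-cache problem described above (this is not code from Kevin's post or the thread), the simulation below chains a browser cache, a recursive resolver and an authoritative server, then switches the authoritative address mid-way as a DNS-based failover would. The name, addresses, TTLs and the browser "pin" floor are constructed assumptions; it also generalises to the worst-case staleness across any number of layers.

```python
from dataclasses import dataclass


@dataclass
class Authoritative:
    """Authoritative server: the only place the failover change actually happens."""
    address: str
    ttl: int

    def query(self, now):
        return self.address, self.ttl


@dataclass
class Cache:
    """One caching layer (recursive resolver, OS stub or browser). `floor` is the
    minimum lifetime the layer imposes regardless of the TTL it received; a
    browser's anti-rebinding pin is modelled that way (assumption, not a real
    browser's exact policy)."""
    upstream: object
    floor: int = 0
    entry: tuple = None        # (address, absolute expiry time)

    def query(self, now):
        if self.entry and self.entry[1] > now:          # still fresh: serve from cache
            return self.entry[0], self.entry[1] - now
        address, ttl = self.upstream.query(now)
        lifetime = max(ttl, self.floor)
        self.entry = (address, now + lifetime)
        return address, lifetime


def failover_scenario(ttl=300, pin=60, failover_at=120, probes=(0, 200, 400)):
    """Return {time: address the browser actually uses}. The authoritative record is
    switched to the standby address (constructed) once `failover_at` is reached."""
    auth = Authoritative("192.0.2.10", ttl)
    browser = Cache(Cache(auth), floor=pin)              # browser -> resolver -> auth
    seen = {}
    for t in probes:
        if t >= failover_at:
            auth.address = "192.0.2.20"                  # "monitoring moved the name"
        seen[t] = browser.query(t)[0]
    return seen


def worst_case_stale_seconds(ttl, floors=(0, 60)):
    """Longest time a client can keep using the old address: a full TTL cached at
    the resolver, plus each downstream layer re-caching for at least its floor."""
    return ttl + sum(floors)
```

With the defaults the browser still hands out 192.0.2.10 at t=200, eighty seconds after the record was changed, and only picks up the standby at t=400; lowering the TTL shrinks the window but cannot remove the layers' floors.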


Tech W. wrote:
>
>
> ----- Original Message ----
>   
>> From: Alan Clegg <aclegg at isc.org>
>> To: bind-users at lists.isc.org
>> Sent: Fri, 15 January, 2010 11:37:58 AM
>> Subject: Re: a question on bind cache
>>     
>
>   
>> You could monitor your services and then use dynamic DNS to change
>> resource records based on the results, but it's not the best way to go
>> about doing it.
>>     
>
> Thanks Alan and others.
> What's the reason we should not do this with DNS?
> And what's the best way?
>
> Thanks again.
>
>
