Advice on balancing web traffic using geoip ACLs

Scott A. Wozny sawozny at hotmail.com
Sun Feb 23 19:26:08 UTC 2020


Thanks for your reply.  Regarding versioning, while I would like to be on the most current version, I don't want to build from source and that leaves me relying on my distro (CentOS 7.6 is where I put my stake in the ground, at present) package manager's version which is presently 9.11.4-9.P2.  I assume someone is backporting critical patches as I'm not getting complaints from a credentialed OpenVAS scan, but I appreciate your caution about the version I'm using and MaxMind GeoIP.

You also make a good point about the delta between round-robin and geoIP being rapidly eaten up with hassle credits, particularly considering the abstraction layer introduced by DNS caches decoupling user location from DNS server location.  I feel that the really large public DNS caches would only exacerbate this problem to the point that all my effort will be wasted and my time better spent making my site as responsive as it can be, regardless of source.  Lots to think about...

Much obliged,

Scott

________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of G.W. Haywood via bind-users <bind-users at lists.isc.org>
Sent: February 23, 2020 7:59 AM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: Re: Advice on balancing web traffic using geoip ACLs

Hi there,

On Sun, 23 Feb 2020, Scott A. Wozny wrote:

> Greetings BIND gurus,

Sorry, I can't make any claim to be a BIND guru.

> ... webserver clusters hosted on the west and east coasts of the US
> and would like to use Bind 9.11.4

Hmmm.  You might want to look e.g. at all the fixes since 9.11.4 in

https://downloads.isc.org/isc/bind9/9.11.16/RELEASE-NOTES-bind-9.11.16.html

> with the Maxmind GeoIP database to split the traffic about evenly ...

especially the release notes for 9.11.15 if you're sure about MaxMind.
(After the changes in their APIs a while back cost me many weeks of
effort, and some temporary loss in functionality, I'd be very cautious
about relying on them again.  It was a completely different scenario.)

Of course even if you do look at the location of your DNS clients, it
doesn't tell you much about where _their_ clients are, nor much about
the routing of any packets that their clients might exchange with your
webservers.  In England I frequently see email from the neighbouring
town that's been routed via Austria, Finland, Japan...

Wouldn't even random routing or round-robin (basically do nothing) be
easier to implement, faster, more reliable, more (perhaps strangely)
predictable, and ... ?

https://en.wikipedia.org/wiki/Round-robin_DNS

For your use case I guess you'd really need to instrument something to
know for sure, and by then you've gone and done it anyway. :)

--

73,
Ged.
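For readers following the thread, an illustrative named.conf fragment (added here, not from either poster) of the split Scott describes: a geoip ACL of western US states selects a view serving west-coast addresses, everything else gets the east-coast view, and a comment shows the round-robin alternative Ged suggests. Zone name, addresses, state list and database path are assumptions.

```conf
// Illustrative BIND 9.11 configuration (not from the thread).
// Assumptions: zone example.com, RFC 5737 documentation addresses,
// legacy MaxMind .dat files in the CentOS-packaged GeoIP directory.

options {
    directory "/var/named";
    geoip-directory "/usr/share/GeoIP";   // needs the Region database
    // For the do-nothing alternative below, force true round-robin
    // instead of the default random ordering of equal records.
    rrset-order { order cyclic; };
};

// Matches the source address of the *resolver* querying us, which is
// the caveat raised above: it says little about where its users are,
// and a large public resolver hides everyone behind a few addresses.
acl "us-west" {
    geoip region CA;
    geoip region OR;
    geoip region WA;
    geoip region NV;
    geoip region AZ;
};

view "west" {
    match-clients { "us-west"; };
    // example.com.west holds:  www  IN A  192.0.2.10
    zone "example.com" { type master; file "example.com.west"; };
};

view "east" {
    match-clients { any; };   // everything else, including non-US
    // example.com.east holds:  www  IN A  198.51.100.10
    zone "example.com" { type master; file "example.com.east"; };
};

// Round-robin alternative: drop both views, keep one zone whose file
// lists both clusters; each answer rotates the order of the records.
//   www  IN A  192.0.2.10
//   www  IN A  198.51.100.10
```

Check the result with `named-checkconf` and a query from a known-location resolver before relying on either view; a resolver outside the Region database falls through to "east" silently.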