[lug] Clustering for Load-Balancing and Fault-Tolerance??

Nate Duehr nate at natetech.com
Wed Jan 30 07:31:03 MST 2002


This sounds more like you need to implement rules on your DNS servers with
ACLs about who can query them and expect to get a recursive answer.  You
should not be providing recursive query functionality to people off your
network.

It's a lot harder to DoS a DNS server when you can't get it to do any work
for you.

Also, seriously consider turning back some of the default logging if you're
not using it.  BIND 8's logging setup is hard on disk I/O under load...
turning off all that junk really helps.

Nate, nate at natetech.com

----- Original Message -----
From: "Shannon Johnston" <sjohnston at cavion.com>
To: <lug at lug.boulder.co.us>
Sent: Tuesday, January 29, 2002 10:11 AM
Subject: Re: [lug] Clustering for Load-Balancing and Fault-Tolerance??


> > Do you really?  I suppose you could look at the sites mentioned and put a
> > load balancing machine in front of several DNS servers.
>
> This is exactly the effect that I'm looking for.
> Currently my DNS server is overloaded and the secondary server can't
> really handle the increase in traffic when the primary goes offline.
>
> I've suffered 3 DNS DoS attacks within the past few weeks and I'm not
> sure they're really attacks or just spikes in queries.
>
> I'm expecting to add upwards of 400 domains that I'm authoritative for
> within the next few months and I need something I can easily scale to
> handle the increase in traffic.
>
> The linux virtual server seems to be the way to go...
>
> Shannon
>
>
>
> On Mon, 2002-01-28 at 20:24, Dave Anselmi wrote:
> > Shannon Johnston wrote:
> >
> > > Hello all!
> > > I'm looking for opinions here...
> > > I need load-balancing, fault-tolerant DNS servers. (Not load-balancing
> > > for http, but distributing DN resolution requests.) I've never worked
> > > with clusters before so I would like to know where a good starting point
> > > would be, and if anybody has any suggestions as to what to use.
> >
> > Do you really?  I suppose you could look at the sites mentioned and put a
> > load balancing machine in front of several DNS servers.
> >
> > When you list several name servers as authoritative for a domain, I would
> > guess that other name servers will pick between them at random.  You don't
> > need any session sharing type fault tolerance because DNS only uses one
> > packet each direction.
> >
> > The only thing clustering will buy you is that all the name servers could
> > share one IP, so if one goes down there's no delay from asking it for a
> > lookup.  Unless you're talking about load balancing recursive requests
> > (i.e., from resolver clients rather than name servers).
> >
> > I'm curious what setup you have and why you think clustering is the way to
> > go.
> >
> > Dave
> >
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
>
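
The ACL-restricted recursion and trimmed logging recommended in the reply at the top of this message, sketched as a named.conf fragment. This is an added example, not part of the original thread; the ACL name, the addresses, the directory and the choice of log categories to discard are assumptions.

```conf
// named.conf fragment (BIND 8.2 or later syntax).
// All names and addresses below are placeholders (assumptions).

// Clients that are allowed to ask this server to recurse for them.
acl internal {
    127.0.0.1;
    192.0.2.0/24;        // placeholder: your own office/customer network
};

options {
    directory "/var/named";

    // Weak setting (also the behaviour when the option is absent):
    // any host on the Internet can make the server do recursive work.
    //   allow-recursion { any; };

    // Restricted setting: only hosts matching the ACL get recursive
    // answers. Everyone else can still query the zones this server
    // is authoritative for, which is all outside name servers need.
    allow-recursion { internal; };
};

logging {
    // Send categories nobody reads to the predefined "null" channel
    // so they stop costing disk I/O under load. Which categories to
    // discard is an assumption; keep any you actually monitor.
    category lame-servers    { null; };
    category cname           { null; };
    category response-checks { null; };
};
```

After reloading, a recursive lookup for a name outside the server's own zones, made from a host that is not in the ACL, should no longer be resolved on the client's behalf.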




