[nylug-talk] thoughts on distributed DNS?
Chris Knadle
Chris.Knadle at coredump.us
Mon May 5 20:28:40 EDT 2008
On Monday 05 May 2008, Joachim Rosenfeld wrote:
> I was recently tasked to redo the DNS at a company that is currently
> outsourcing their DNS.
>
> They are using a well-known provider, but they are getting raped on the
> price -- think on the order of $10k/month. So they clearly need to move
> to someone else.
Wow, that's ridiculous. What are they charging per query? :-P
> (Also, the DNS provider in question uses very sleazy sales tactics to
> get people to use their service -- they will call you up (or more
> likely, your CTO) and say, "Hey, did you know your DNS guys are dropping
> 20% of your queries?")
I wonder how they pound the DNS servers to get those numbers. :-/
I see what you mean.
> I had initially told them they should set up their own DNS servers on
> two Linux boxes and forget it, but they were hit with a DDOS attack a
> few years ago which interfered severely with their DNS traffic until
> they were able to mitigate it, so they are terrified of that scenario.
>
> They only have about 15 domains and maybe 300 records total, but their 3
> most popular domains get about 90 million queries per month.
Hmm. Assuming that's (90 M / 30 days * 24 hours * 60 min * 60 sec), that's
an average 35 DNS queries per second. Looking at it that way that doesn't
sound so bad. Seems like one master and a couple of slaves should be able to
take care of that.
> The current idea is to setup a Linux box as an authoritative DNS server,
> and then distribute the rest with Akamai's CDN. This is doable, but I am
> told Akamai charges $2k/month for this (I haven't verified that though).
>
> $2k/month is acceptable to them, but I think they can get just as much
> resiliency for a lower price by going with someone else for CDN.
>
> Any suggestions? Perhaps something similar to the Akamai setup, but with
> a different CDN provider? Basically, what they want is to setup DNS and
> not worry about it. The price is a factor, but not *that* much of a
> factor.
Yeah that works; a place I worked at did that with AT&T. [If you want to
see: 'dig aeroflex.com ns +short'] Their local DNS server is the master,
with two AT&T slave DNS servers. Some admins take this one step further and
have their master DNS server on-site not be listed as one of the NS servers
to query to try to avoid any possible issues related to DDOS attacks.
If you haven't set up your own master DNS server before, then I also
suggest looking into how to secure it. Specifically:
1) limiting recursive lookups to just your networks
2) limiting zone transfers to just the slave DNS servers
3) limiting the number of simultaneous queries per IP
-- Chris
--
Chris Knadle
Chris.Knadle at coredump.us
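As an added illustration, not from the original message or either poster, here is how the three hardening points above and the "master not listed as an NS" arrangement map onto a BIND 9 named.conf. All addresses are RFC 5737 documentation ranges standing in for the real networks, and the two slave addresses and the zone name are assumed values.

```conf
// Added example, not from the original thread. BIND 9 named.conf fragment for
// an on-site authoritative master. All addresses are RFC 5737 documentation
// ranges used as placeholders (assumed values).

acl "our-networks" { 192.0.2.0/24; localhost; localnets; };
acl "our-slaves"   { 198.51.100.10; 198.51.100.11; };   // the two provider slaves

options {
    directory "/var/named";

    // Weak: "allow-recursion { any; };" turns the box into an open resolver
    // that anyone can use for reflection traffic.
    // 1) Recursion only for our own networks. A purely authoritative server
    //    can go further and set "recursion no;" instead.
    recursion yes;
    allow-recursion  { "our-networks"; };
    allow-query-cache { "our-networks"; };

    // Weak: "allow-transfer { any; };" (BIND 9's traditional default) lets
    // anyone AXFR the whole zone.
    // 2) Zone transfers only to the slaves.
    allow-transfer { "our-slaves"; };

    // 3) Per-client limiting. BIND has no exact "simultaneous queries per IP"
    //    knob; the closest is Response Rate Limiting (BIND 9.10+), which caps
    //    identical answers per second per client /24 and so blunts a flood.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;   // every 2nd dropped answer goes back truncated, so genuine
                  // clients retry over TCP while spoofed sources get nothing
    };
};

// Hidden master: this box is not in the zone's NS records. It only pushes
// changes to the listed slaves and never takes the public query load itself.
zone "example.com" {
    type master;
    file "example.com.zone";
    notify explicit;
    also-notify { 198.51.100.10; 198.51.100.11; };
};
```

The slaves on the provider side still need a matching `masters { ...; };` entry pointing at this box and its address allowed in their `allow-notify`.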