[nylug-talk] thoughts on distributed DNS?
Joachim Rosenfeld
joerosenfeld at gmail.com
Tue May 6 12:28:43 EDT 2008
On Mon, May 05, 2008 at 08:28:40PM -0400, Chris Knadle wrote:
> > they will call you up (or more likely, your CTO) and say, "Hey, did
> > you know your DNS guys are dropping 20% of your queries?")
>
> I wonder how they pound the DNS servers to get those numbers. :-/ I
> see what you mean.
Read and laugh/weep:
http://readlist.com/lists/trapdoor.merit.edu/nanog/4/24667.html
http://readlist.com/lists/trapdoor.merit.edu/nanog/4/24668.html
> > They only have about 15 domains and maybe 300 records total, but
> > their 3 most popular domains get about 90 million queries per month.
>
> that's an average 35 DNS queries per second. Looking at it that way
> that doesn't sound so bad. Seems like one master and a couple of
> slaves should be able to take care of that.
Right, while they are a fairly high traffic site, they know they aren't
doing a crazy amount of DNS traffic. The real fear is that if they
ever get DDOS'd again, will the DNS servers be able to handle it? The
only thing that seems to give them peace of mind is the big guys.
But there must be a way to inexpensively design a DNS infrastructure
that is resilient enough to withstand a DDOS attack -- at least for less
than $10k/month.
> If you haven't set up your own master DNS server before, then I also
> suggest looking into how to secure it. Specifically:
Thanks Chris, I think what you listed are all good solutions, but I'm
looking to set up DNS servers for the following very specific case:
- single datacenter
- single pipe (I think)
- site gets DDOS'd
- DNS should stay up
Right now, I don't have any better answers than to outsource DNS to
someone with geographically disparate servers.
Joe