Building Nameserver Clusters with Free Software

Similar documents
Advanced BGP Policy. Advanced Topics

DNS Best Practices. Mike Jager Network Startup Resource Center

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion

F root anycast: What, why and how. João Damas ISC

Configuring a Load-Balancing Scheme

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

Interconnecting Cisco Network Devices 1 Course, Class Outline

Final Network Exam 01-02

Use Domain Name System and IP Version 6

ISP Systems Design. ISP Workshops. Last updated 24 April 2013

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

JPNIC Public Forum. Paul Vixie. Chairman, Internet Software Consortium. January 21, 2003

BGP FORGOTTEN BUT USEFUL FEATURES. Piotr Wojciechowski (CCIE #25543)

Making Internet Services Highly Available. Joe Abley

Building a small Data Centre

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

IPv6 Fundamentals: A Straightforward Approach

IPV6 SERVICES DEPLOYMENT

Load balancing and traffic control in BGP

Configuring a Load-Balancing Scheme

Design, Implementation and Evolution of a DNS anycast resolving service in a country-wide ISP network

Implementing Anycast in IPv4 Networks

How to Configure Cisco 2600 Routers

Load balancing and traffic control in BGP

ISP Case Study. UUNET UK (1997) ISP/IXP Workshops. ISP/IXP Workshops. 1999, Cisco Systems, Inc.

Chapter 2 Lab 2-2, EIGRP Load Balancing

Chapter 3 Configuring Basic IPv6 Connectivity

Juniper Exam JN0-343 Juniper Networks Certified Internet Specialist (JNCIS-ENT) Version: 10.1 [ Total Questions: 498 ]

Configuring a Load-Balancing Scheme

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

How To Load Balance On A Bgg On A Network With A Network (Networking) On A Pc Or Ipa On A Computer Or Ipad On A 2G Network On A Microsoft Ipa (Netnet) On An Ip

Networking Domain Name System

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Anycast Rou,ng: Local Delivery. Tom Daly, CTO h<p://dyn.com Up,me is the Bo<om Line

Course Contents CCNP (CISco certified network professional)

Advanced Computer Networks. Layer-7-Switching and Loadbalancing

IP addressing and forwarding Network layer

Configuring IP Load Sharing in AOS Quick Configuration Guide

Superior Disaster Recovery with Radware s Global Server Load Balancing (GSLB) Solution

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

BorderWare Firewall Server 7.1. Release Notes

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline

Leveraging Advanced Load Sharing for Scaling Capacity to 100 Gbps and Beyond

Troubleshooting Bundles and Load Balancing

MikroTik RouterOS Workshop Load Balancing Best Practice. Warsaw MUM Europe 2012

VXLAN Bridging & Routing

Managing (VoIP) Applications DYSWIS

About the Technical Reviewers

VXLAN: Scaling Data Center Capacity. White Paper

What communication protocols are used to discover Tesira servers on a network?

Firewalls 1 / 43. Firewalls

Table of Contents. Cisco How Does Load Balancing Work?

Claudio Jeker. RIPE 41 Meeting Amsterdam, 15. January Using BGP topology information for DNS RR sorting

How To Learn Cisco Cisco Ios And Cisco Vlan

Network Security - ISA 656 Firewalls & NATs

Availability Digest. Redundant Load Balancing for High Availability July 2013

"Charting the Course...

CCT vs. CCENT Skill Set Comparison

Address Scheme Planning for an ISP backbone Network

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure

The Root of the Matter: Hints or Slaves

Interconnecting Cisco Networking Devices Part 2

APNIC IPv6 Deployment

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

: Interconnecting Cisco Networking Devices Part 2 v1.1

Securing an Internet Name Server

IP Routing Configuring Static Routes

Tomás P. de Miguel DIT-UPM. dit UPM

Cisco Configuring Commonly Used IP ACLs

Network Fundamentals Carnegie Mellon University

Network Infrastructure for Critical DNS. Steve Gibbard

Overview: Load Balancing with the MNLB Feature Set for LocalDirector

Understanding Virtual Router and Virtual Systems

Tunnel Client FAQ. Table of Contents. Version 0v5, November 2014 Revised: Kate Lance Author: Karl Auer

Networking Domain Name System

ACL Compliance Director FAQ

Application Note: Securing BGP on Juniper Routers

Network layer: Overview. Network layer functions IP Routing and forwarding

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

MPLS RSVP-TE Auto-Bandwidth: Practical Lessons Learned

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

CS514: Intermediate Course in Computer Systems

Monitoring Load-Balancing Services

ExamPDF. Higher Quality,Better service!

Voice Over IP. MultiFlow IP Phone # 3071 Subnet # Subnet Mask IP address Telephone.

MPLS RSVP-TE Auto-Bandwidth: Practical Lessons Learned. Richard A Steenbergen <ras@gt-t.net>

Firewall Load Balancing

A High-Availability Architecture for the Dynamic Domain Name System

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

Boosting Capacity Utilization in MPLS Networks using Load-Sharing MPLS JAPAN Sanjay Khanna Foundry Networks

ServerIron TrafficWorks Firewall Load Balancing Guide

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

DNS ROUND ROBIN HIGH-AVAILABILITY LOAD SHARING

Implementing IPv6 at ARIN Matt Ryanczak

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Lab Diagramming Intranet Traffic Flows

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Transcription:

Building Nameserver Clusters with Free Software Joe Abley, ISC NANOG 34 Seattle, WA, USA

Starting Point Discrete, single-host authoritative nameservers several (two or more) several (two or more) geographically dispersed Discrete, single-host recursive resolvers

What is Broken? Single points of failure in service delivery (single host providing service) Maintenance windows (we can t take the host down for maintenance without breaking the service) Scaling for request loads (we need to take the server down for upgrades, and that breaks the service)

How Broken is it? Authoritative DNS servers: not very broken resolvers good at retrying, then caching depends on how important the zone is multiple, independent servers in an NS set However, even for zones of only moderate importance, adding redundancy cheaply can make sysadmins lives easier

How Broken is it? Recursive Resolvers: quite broken clients are typically stupid; they might have multiple configured nameservers, but they re not very good at coping when one disappears when the DNS doesn t work, nothing works, makes the helpdesk phone ring My Internet Is Down

Some Solutions Commercial O/S clusters (Sun, HP, etc) Commercial load-balancers (Foundry, Arrowpoint/Cisco, Cisco, Alteon/Nortel) CARP (kind of) Anycast with equal-cost paths and flow hashing

Common Requirement The service being distributed has its own IP address sometimes called a VIP by the commercial load-balancing people useful for other reasons than just load balancing (e.g. moving services between hosts, sites)

General Approach

Toolbag FreeBSD (or something UNIX y) BIND 9 Zebra or Quagga, or GateD, or something that will run on your host that can talk OSPF

IP Addressing Rest of Internet router 1 router 2... Globally-unique, unicast addresses on each host switch 1 switch 2 host 1 host 2 host 3 host 4......... Service addresses configured on loopbacks on hosts (anycast)

Connectivity Rest of Internet router 1 router 2... switch 1 switch 2 host 1 host 2 host 3 host 4......... Routers and hosts communicate within a common subnet (e.g. a VLAN plumbed through some switches)

Host Configuration Rest of Internet Hosts are autonomous router 1 router 2... switch 1 switch 2 host 1 host 2 host 3 host 4......... Hosts respond to requests on the service address, and are managed via their unique, unicast addresses

Routing Routers and hosts speak OSPF Rest of Internet router 1 router 2... Routers originate a default route for the hosts to use switch 1 switch 2 host 1 host 2 host 3 host 4......... Hosts originate a host route (an IPv4 /32, or an IPv6 /128) for the service address

Routing Rest of Internet Request from Internet routed to one of the hosts by the routers router 1 router 2... switch 1 switch 2 host 1 host 2 host 3 host 4......... Response generated by host sent out towards one of the routers by the host Life is Good Smile Happily

Niggly Details

Routers The routers need equal-cost multipath (ECMP) support multiple candidate routes to the same destination multiple routes used (installed in the FIB) most commercial routers can do this; most host operating systems can t

Stateless Transactions For DNS queries carried over UDP, with no fragmentation, a transaction consists of a single packet request and a single packet response no additional requirements on the routers easy

Stateful Transactions Transactions carried over TCP involve multipacket requests, and state is kept on the hosts All packets associated with a single transaction need to be routed to the same host, or nothing will work

Flow Hashing Routers are required to make their ECMP route selection such that packets associated with a single transaction are routed to a single host cisco and Juniper routers can do this; the route selection can be done according to a hash of something like (source addr, source port, dest addr, dest port) which provides the flow grouping we need

Hash Space (source addr, source port, dest addr, dest port) 1/3 host 1 1/3 host 2 1/3 host 3

Flow Hashing On cisco routers this ECMP selection algorithm is turned on with Cisco Express Forwarding (CEF) On Juniper routers, the magic phrase is load-balance per-packet

Flow Hashing The hash table is per-router, so we also need to make sure that packets associated with a single flow are always routed inbound from the Internet through the same router turn on CEF everywhere avoid ECMP routes use routing protocols that don t support ECMP (like BGP)

Example Configuration ip cef! interface FastEthernet1/0 description interface facing the hosts ip address 192.168.1.1 255.255.255.0! router ospf 1 network 192.168.1.0 0.0.0.255 area 0 default-information originate always

Host Requirements No need for ECMP support Availability of service signalled to routers using OSPF link-state advertisements Zebra s (and Quagga s) ospfd does everything that you need

Example Configuration interface lo1 ip address 192.5.5.241 255.255.255.255! interface fxp0 ip address 192.168.1.6 255.255.255.0! router ospf 1 network 192.5.5.241 0.0.0.0 area 0 network 192.168.1.0 0.0.0.255 area 0 passive-interface lo0

BIND Bits bind() to service address for receiving requests bind() to the host s unique unicast address for everything else (recursive lookups, zone transfers, etc)

Zone Transfers Slave servers do zone transfers Rest of Internet router 1 router 2... switch 1 switch 2 host 1 host 2 host 3 host 4......... Zone transfers authenticated by source address are problematic if the source is the anycast service address Only 1/n requests will succeed

Zone Transfers Rest of Internet router 1 router 2... Workaround: all hosts attempt zone transfers from the master server and from each other switch 1 switch 2 host 1 host 2 host 3 host 4......... BIND falls back to unbound socket after failing with configured transfer-source Or, use TSIG instead

Reliability If a nameserver goes bad, we don t want requests routed to it named dumps core if internal assertions fail simple wrapper can be used to raise/lower the service loopback address when named exits, withdrawing and announcing the service as appropriate

Service Monitoring Need to check individual hosts, since checking the service address from one test client only really checks one host that doesn t reveal whether the routing system is working, though, or whether there are bad firewall rules in place

Troubleshooting HOSTNAME.BIND CH TXT BIND 8, BIND 9 from 9.3 Future EDNS extension, maybe, one day Keep reminding people that different clients will hit different servers, and that the customer on the phone is not necessarily lying

Limitations

General Commercial load balancers usually offer a bucket load of load-sharing schemes (leastrecently-used, least-loaded-server, etc) Doing rigourous, real-life tests of the service is problematic due to anycast common to most load-sharing solutions It is not possible, in general, to determine the precise host that answered a request from a particular client

Operational Practicalities The idea of letting the systems people introduce their legion of unpatched servers into your IGP may cause nightmares isolated, service-specific IGP filtering, where possible threats of terrible retribution

Other Protocols DNS most traffic is stateless transactions are short-lived Other applications different

Related Exercises

IGP-Wide Anycast Distribution of recursive resolvers through a network use a local server, fall back to a remote one may avoid load-sharing considerations, if there are no ECMP routes

Global Anycast Distribute nameservers around the Internet, and announce a route which covers the nameserver address from each place Key differences: other peoples networks probable lack of ECMP issues routing protocols used (BGP)

References http://www.isc.org/pubs/tn/isc-tn-2004-1.html http://www.isc.org/pubs/tn/isc-tn-2004-1.txt http://www.isc.org/pubs/pres/nanog/34/ dns-clusters.pdf

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information