The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/



Similar documents
The story of dnsdist - or - Do we need a DNS Delivery Controller?

PowerDNS dnsdist. OX Summit 2015 All presentations will be on:

PowerDNS dnsdist. NLUUG Najaarsconferentie Presentation is on:

PowerDNS Introduction

Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

All about the PowerDNS nameserver and how you can use it.

DNSSEC and DNS Proxying

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki

Web Application Hosting Cloud Architecture

1. Comments on reviews a. Need to avoid just summarizing web page asks you for:

Lecture 3: Scaling by Load Balancing 1. Comments on reviews i. 2. Topic 1: Scalability a. QUESTION: What are problems? i. These papers look at

Alteon Global Server Load Balancing

CS 188/219. Scalable Internet Services Andrew Mutz October 8, 2015

Products, Features & Services

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

CS514: Intermediate Course in Computer Systems

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

How To Understand The Power Of A Content Delivery Network (Cdn)

dnsperf DNS Performance Tool Manual

DNS ROUND ROBIN HIGH-AVAILABILITY LOAD SHARING

APV9650. Application Delivery Controller

Chapter 10: Scalability

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Load Balancing for Microsoft Office Communication Server 2007 Release 2

High-Performance DNS Services in BIG-IP Version 11

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Global Server Load Balancing

Load Balancing using Pramati Web Load Balancer

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

BASICS OF SCALING: LOAD BALANCERS

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Barracuda Load Balancer Online Demo Guide

FortiBalancer: Global Server Load Balancing WHITE PAPER

Annexure - " SERVICE REQUIREMENTS"

Appendix D: Configuring Firewalls and Network Address Translation

Understanding Slow Start

Citrix NetScaler Global Server Load Balancing Primer:

The Survey Report on DNS Cache & Recursive Service in China Mainland

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Scalability of web applications. CSCI 470: Web Science Keith Vertanen

PES. High Availability Load Balancing in the Agile Infrastructure. Platform & Engineering Services. HEPiX Bologna, April 2013

HUAWEI OceanStor Load Balancing Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Ranch Networks for Hosted Data Centers

The Application Front End Understanding Next-Generation Load Balancing Appliances

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Load Balancing Microsoft Sharepoint 2010 Load Balancing Microsoft Sharepoint Deployment Guide

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

The Future of DNS. Johan Ihrén Netnod. October 15,

Large-Scale Web Applications

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

Global Load Balancing Solutions

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server

THE UNIVERSITY OF AUCKLAND

Monitoring and Alerting

TRUFFLE Broadband Bonding Network Appliance. A Frequently Asked Question on. Link Bonding vs. Load Balancing

Global Server Load Balancing

Load Balancing Web Applications

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

The Application Delivery Controller Understanding Next-Generation Load Balancing Appliances

DPtech ADX Application Delivery Platform Series

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

APV x600 Series. Application Delivery Controller APV1600, APV2600, APV4600, APV5600, APV6600, APV8600, APV9600

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

DNS and LDAP persistent search

Managing SIP-based Applications With WAN Optimization

Linux MDS Firewall Supplement

FAQs for Oracle iplanet Proxy Server 4.0

WAN Traffic Management with PowerLink Pro100

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

SIDN Server Measurements

Computer Networks CCNA Module 1

Cisco GSS 4492R Global Site Selector

Best Practices with Argent

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

Load Balancing Using PCC & RouterOS

Implementing Reverse Proxy Using Squid. Prepared By Visolve Squid Team

Oracle Collaboration Suite

Snapt Balancer Manual

Load Balancing McAfee Web Gateway. Deployment Guide

How to scan/exploit a ssl based webserver. by xxradar. mailto:xxradar@radarhack.com. Version 1.

OpenFlow Based Load Balancing

How To Run A Web Farm On Linux (Ahem) On A Single Computer (For Free) On Your Computer (With A Freebie) On An Ipv4 (For Cheap) Or Ipv2 (For A Free) (For

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

Internet Measurement Research

Mithi Connect Server deployment options

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

Apache Tomcat Clustering

Configuring Citrix NetScaler for IBM WebSphere Application Services

Transcription:

The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/

PowerDNS Very briefly so you know where we come from Open source nameserver, around since 2000, open source since 2002, high-end commercial support since 2006, part of Open- Xchange (together with Dovecot IMAP) since 2015 Authoritative serving from text files, databases, JSON/RESTful interfaces, pipe-scripts, Lua scripts, geographical load balancing etc. Biggest host & signer of DNSSEC domains Recursor: strives to be a no-worry, high-performance, robust resolver Lots of interesting tooling (dnsreplay, dnsdist, dnsscope, calidns )

The story of dnsdist Started out as a need to do dnsdist listen-ip destip-1 destip-2 Simple query spreading w/o hassle, also just forwarding Been around for a year or two When debugging with a large customer, we found they were willing & able to switch out PowerDNS versions at the drop of a hat since they were comfortable with their loadbalancer Asked around, no one else was happy with their DNS load balancer solution Open question: does the world new a DNS Delivery Controller?

dnsdist: a smart DNS Delivery Controller Runtime configurable from console (accessible remotely, tab-completing interface) Console & configuration file actually Lua Host of built-in load balancing/blocking/shunting/shaping policies (C++), custom policies can be written in Lua (plenty fast) Provides features ranging from simple round robin load balancing to quarantining of infected customers Vendor-neutral open source - please join in!

Existing load balancers Most (HW) load balancers know about http, https, imap etc. DNS is sufficiently different that it is hard to treat it as a weird kind of web, so many vendors mess it up Plus the quaint observation that a busy nameserver is a happy name server Caches HOT! Leads to need for a concentrating load balancer : as much traffic on as little servers as possible Exactly the reverse of http etc

Some tests With various companies we tested shutting down all their nameservers but a few, leading to lots of traffic going to one server In all cases, we observed lower query/response latencies and far lower cache miss rates (±50% lower) Happier customers We also observed only minor increases in CPU load, very much sub-linear to the many-fold traffic increase One name server doing millions of cable modems One name server doing 700k domains with online signing We have a winner!

dnsdist implementation Various load balancing policies Roundrobin, hashed, weighted random, least outstanding, first available Implementation: newserver {address="2001:4860:4860::8888", qps=1} newserver {address="2001:4860:4860::8844", qps=1} newserver {address="2620:0:ccc::2", qps=10} newserver {address="2620:0:ccd::2", qps=10} newserver("192.168.1.2") setserverpolicy(firstavailable) -- first server within its QPS limit

Main resolver pool DNSSEC resolver pool Abuse pool Server1 Server2 Server3 Server4 Server5 Server4 Server5 30 kqps 30 kqps 20 kqps DNSDIST Policy = firstavailable If trouble domain or trouble source -> abuse pool If any hint of DNSSEC query -> DNSSEC pool Otherwise main pool, first server that has not hit qps limit If all servers hit limit, round robin

Second use case DoS attacks of the algorithmic kind - don t kill you with bandwidth, do cause outgoing traffic that does, do cause degraded performance Frequently blocked with complicated iptables rules, or deployed custom zones within name servers Option in dnsdist: move senders of harmful DNS traffic to dedicated servers Where they only soil their own nest

Other things we added Moving traffic to different server pools, dropping it, shaping it, based on: Header bits, DNSSEC flags Domain names Regular expressions Source address Generating TC=1 responses based on all of the above Generating custom answers from Lua to silence specific clients

Other things we added Live statistics built-in webserver with moving graphs ( up to the second ) Live traffic inspection: Top-N queries, top-n clients, top-n servfail generating queries, top-n servfail generating domains & clients Latency distribution histogram A substantial Lua runtime which should facilitate everything for those that need flexibility

First use-cases TC=1 redirection for a huge nameserver installation that does not support that Symptom: frontend can be more flexible than backend, because far away from business logic DNSSEC only for people that want it Symptom: fear DNSSEC will somehow infect rest of service Latency graphs for backends that don t support it Symptom: hard to measure from name server itself Solve the undisconnectable nuisance customer problem Symptom: subscribers are hacked, little we can do about it

Discussion: do we need this? A pure load balancer knows nothing of DNS and can be very fast ( lob packets ) A nameserver is fully featured and can also do load balancing itself ( forwarders ) Is there room or need for something in between? People tell us yes, but are they right? Or will we end up making another nameserver in front of your nameserver?

The story of dnsdist or Do we need a DNS Delivery Controller? http://dnsdist.org/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information