When the DNS was designed, one primary assumption was that name/address
mappings changed *infrequently*. Hence caching was integrated into the
protocol, and is absolutely necessary for any kind of reasonable DNS
performance.
If you twist DNS to perform load-balancing and/or failover functions,
then you must *defeat* caching, since otherwise resolvers will keep
giving out "stale" answers from their cache, even if the resource at a
particular address is unavailable or overloaded. Thus you cause
everyone's resolvers to work sub-optimally and inefficiently; not the
way it was designed to work.
Similarly, other components -- such as browsers and operating systems --
make similar assumptions about cacheability as DNS itself. So they
cache name lookups, and this adds more layers that need to be
"defeated". In the case of browsers, there are special protections
against defeating its name cache, because of so-called "rebinding"
attacks, see e.g. http://crypto.stanford.edu/dns/dns-rebinding.pdf
(although many, including myself, consider this circumstance more the
result of a broken browser security model, than a failure or
imperfection of DNS).
It is better to replicate your content (and/or the database for which
the visible content is only a front-end) and then use some technology
like "anycast", or something similar, to direct users to the "closest"
or, if one or more of the replicas in a set is known to be "dead", to
some other replica which is known to still be "alive". Perform the
load-balancing and/or failover at a lower level of the network stack, in
other words, and leave the name/address association alone.
For an influential opinion of the folly of DNS-based
load-balancing/failover, although it's a little out-of-date now:
http://www.tenereillo.com/GSLBPageOfShame.htm
- Kevin
Tech W. wrote:
----- Original Message ----
From: Alan Clegg <acl...@isc.org>
To: bind-users@lists.isc.org
Sent: Fri, 15 January, 2010 11:37:58 AM
Subject: Re: a question on bind cache
You could monitor your services and then use dynamic DNS to change
resource records based on the results, but it's not the best way to go
about doing it.
Thanks Alan and others.
What's the reason we should not do this with DNS?
And what's the best way?
Thanks again.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
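The caching trade-off Kevin describes can be made concrete with a small simulation. The following is an added example, not code from the thread or from BIND: it models an authoritative server, a TTL-honouring recursive resolver and a client-side name cache that pins an answer for a fixed period regardless of TTL, then repoints a record mid-run the way a monitoring-driven dynamic-DNS failover would. The name, the RFC 5737 documentation addresses, the TTL values and the 60-second client pin are all constructed for the illustration; the pin length in particular is not a measurement of any real browser or OS.

```python
"""Toy model of DNS caching layers (constructed example, not from the thread).

It shows the two things Kevin points out: a record change made for failover
is only seen once every cached copy has expired, and shrinking the TTL to
close that window multiplies the query load on the authoritative server.
A client-side cache that ignores TTL adds a further layer the change must
get through.
"""

from dataclasses import dataclass


@dataclass
class RRset:
    """Simplified resource record set: owner name, addresses, TTL in seconds."""
    name: str
    rdata: list
    ttl: int


class AuthServer:
    """Authoritative server holding the current zone contents."""

    def __init__(self):
        self.zone = {}
        self.queries = 0  # how often resolvers had to come back to us

    def publish(self, name, addrs, ttl):
        """Replace the RRset for `name` (what a failover script would do)."""
        self.zone[name] = RRset(name, list(addrs), ttl)

    def query(self, name):
        self.queries += 1
        return self.zone[name]


class CachingResolver:
    """Recursive resolver that honours the TTL on cached answers."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}  # name -> (absolute expiry time, RRset)

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached is not None and now < cached[0]:
            return cached[1].rdata  # served from cache, possibly stale
        rrset = self.upstream.query(name)
        self.cache[name] = (now + rrset.ttl, rrset)
        return rrset.rdata


class PinningClient:
    """Client-side name cache (browser/OS style) that keeps the first answer
    for a fixed pin period regardless of the record TTL. The pin length is a
    constructed parameter, not a measurement of any real browser."""

    def __init__(self, resolver, pin_seconds):
        self.resolver = resolver
        self.pin_seconds = pin_seconds
        self.pinned = None  # (absolute expiry time, addresses)

    def lookup(self, name, now):
        if self.pinned is not None and now < self.pinned[0]:
            return self.pinned[1]
        addrs = self.resolver.resolve(name, now)
        self.pinned = (now + self.pin_seconds, addrs)
        return addrs


NAME = "www.example.com"                    # constructed name
OLD, NEW = ["192.0.2.10"], ["192.0.2.20"]   # RFC 5737 documentation addresses


def run(ttl, failover_at, horizon, pin_seconds=0):
    """Query NAME once per second for `horizon` seconds. At `failover_at` the
    operator repoints the record from OLD to NEW. Returns (number of answers
    after failover that still carried OLD, number of authoritative queries)."""
    auth = AuthServer()
    auth.publish(NAME, OLD, ttl)
    resolver = CachingResolver(auth)
    client = PinningClient(resolver, pin_seconds) if pin_seconds else None
    stale = 0
    for now in range(horizon):
        if now == failover_at:
            auth.publish(NAME, NEW, ttl)  # the "dynamic DNS" failover step
        answer = client.lookup(NAME, now) if client else resolver.resolve(NAME, now)
        if now >= failover_at and answer == OLD:
            stale += 1
    return stale, auth.queries


if __name__ == "__main__":
    for ttl in (300, 30, 5):
        stale, load = run(ttl, failover_at=100, horizon=600)
        print(f"TTL={ttl:>3}s: {stale:>3} stale answers after failover, "
              f"{load:>3} authoritative queries")
    stale, load = run(5, failover_at=100, horizon=600, pin_seconds=60)
    print(f"TTL=5s behind a 60s client pin: {stale} stale answers, "
          f"{load} authoritative queries")
```

Running it shows the shape of the problem rather than any exact figures: with a 300-second TTL the resolver hands out the dead address for 200 seconds after the switch but only asks the authoritative server twice in ten minutes; with a 5-second TTL the stale window disappears and the authoritative query count rises sixty-fold; and putting a client cache that pins for 60 seconds in front of the 5-second TTL brings a 20-second stale window straight back, because that layer never looked at the TTL in the first place.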