Thanks for your reply.  Regarding versioning, while I would like to be on the 
most current version, I don't want to build from source and that leaves me 
relying on my distro (CentOS 7.6 is where I put my stake in the ground, at 
present) package manager's version which is presently 9.11.4-9.P2.  I assume 
someone is backporting critical patches as I'm not getting complaints from a 
credentialed OpenVAS scan, but I appreciate your caution about the version I'm 
using and MaxMind GeoIP.

You also make a good point about the delta between round-robin and geoIP being 
rapidly eaten up with hassle credits, particularly considering the abstraction 
layer introduced by DNS caches decoupling user location from DNS server 
location.  I feel that the really large public DNS caches would only exacerbate 
this problem to the point that all my effort will be wasted and my time better 
spent making my site as responsive as it can be, regardless of source.  Lots to 
think about...

Much obliged,

Scott

________________________________
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of G.W. Haywood 
via bind-users <bind-users@lists.isc.org>
Sent: February 23, 2020 7:59 AM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: Re: Advice on balancing web traffic using geoip ACls

Hi there,

On Sun, 23 Feb 2020, Scott A. Wozny wrote:

> Greetings BIND gurus,

Sorry, I can't make any claim to be a BIND guru.

> ... webserver clusters hosted on the west and east coasts of the US
> and would like to use Bind 9.11.4

Hmmm.  You might want to look e.g. at all the fixes since 9.11.4 in

https://downloads.isc.org/isc/bind9/9.11.16/RELEASE-NOTES-bind-9.11.16.html

> with the Maxmind GeoIP database to split the traffic about evenly ...

especially the release notes for 9.11.15 if you're sure about MaxMind.
(After the changes in their APIs a while back cost me many weeks of
effort, and some temporary loss in functionality, I'd be very cautious
about relying on them again.  It was a completely different scenario.)

Of course even if you do look at the location of your DNS clients, it
doesn't tell you much about where _their_ clients are, nor much about
the routing of any packets that their clients might exchange with your
webservers.  In England I frequently see email from the neighbouring
town that's been routed via Austria, Finland, Japan...

Wouldn't even random routing or round-robin (basically do nothing) be
easier to implement, faster, more reliable, more (perhaps strangely)
predictable, and ... ?

https://en.wikipedia.org/wiki/Round-robin_DNS

For your use case I guess you'd really need to instrument something to
know for sure, and by then you've gone and done it anyway. :)

--

73,
Ged.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users