Re: Anycast DNS

2012-03-07 Thread David Klein
You would need to create a custom script to use as your monitor, which does
a lookup of an address that you know will always be in your domain. If that
fails, force-down/inactive the node, and tie this script as a monitor to
the pool holding the DNS server nodes.

You can advertise the /32 containing the VIPA to the up-stream router via
either OSPF or IBGP, and if the pool goes empty, stop advertising the route
(the only option is stop advertising, not actively withdraw the route,
since that could cause a massive reconvergence cycle in your
enterprise-wide RIB, if done wrong, just because of a flapping interface).



HTH,

 -DTK


On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo  wrote:

>
> thanks everyone for all responses with the great inputs ..
>
> now if I want to put the DNS servers behind LBs, 1) would the LTMs be able
> to announce the routes dynamically for the DNS servers, and a VIP can be
> withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS
> service failure and stop sending over DNS queries, i.e., in the case a
> named is still up but just not able to resolve names (assuming LTM can
> detect a named is down)?
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>



-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

Re: Anycast DNS - LB/LTM

2012-03-10 Thread David Klein
Exactly. The script runs inside the LTM, and wraps "nslookup" or "dig". It
should output a distinct output for success, and another distinct output
for failure. It should only check the pool members, not the VIPA itself. If
the pool is empty, the LTM will stop advertising the VIPA.


 -DTK


On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo  wrote:

> so the script would run on the LTM, it will periodically check each
> physical DNS node, if one cannot resolve then takes it out of the pool; it
> will also check the VIP, if the VIP cannot resolve, pool is empty or LTM
> issue, stop the advertising?
>


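A monitor script in the shape the two replies above describe, added here as an example (not code from the thread, from ISC or from F5): it queries one pool member directly with dig for a name that is always in the zone and reports the member up or down. It assumes the F5 external-monitor convention of passing member address and port as the first two arguments and treating any stdout output as "up"; the name, addresses and environment variables are constructed for the example.

```sh
#!/bin/sh
# dns_member_monitor.sh: health check for one DNS pool member (added example).
# Assumed F5 external-monitor convention: $1 = member address (IPv4 may arrive
# as ::ffff:a.b.c.d), $2 = port; anything printed to stdout marks the member
# UP, no output marks it DOWN. QNAME/EXPECT are assumed to arrive as
# environment variables set in the monitor definition.
#
# The member itself is queried, never the VIPA, so a named that is running
# but can no longer answer for the zone drops out of the pool; once the pool
# is empty the LTM stops advertising the VIPA.

QNAME="${QNAME:-monitor.example.com.}"   # constructed: a name always in your zone
EXPECT="${EXPECT:-}"                     # optional: address QNAME must resolve to

# Strip the IPv4-mapped prefix so dig gets a plain address.
normalize_addr() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Decide whether dig +short output counts as healthy: at least one A record,
# and if EXPECT is set it must be among the answers. A SERVFAIL or timeout
# yields no dotted quad and therefore fails. Returns 0 healthy, 1 unhealthy.
answer_ok() {
    answers="$1"; expect="$2"
    ips=$(printf '%s\n' "$answers" \
          | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || true)
    [ -n "$ips" ] || return 1
    if [ -n "$expect" ]; then
        printf '%s\n' "$ips" | grep -qxF "$expect" || return 1
    fi
    return 0
}

# Query one member. Short timeout and single try keep a dead member from
# stalling the monitor; +norecurse asks only for the member's own authoritative
# data instead of letting it recurse to someone else.
probe_member() {
    addr=$(normalize_addr "$1"); port="$2"
    out=$(dig @"$addr" -p "$port" "$QNAME" A +short +norecurse \
              +time=2 +tries=1 2>/dev/null || true)
    answer_ok "$out" "$EXPECT"
}

# Entry point when invoked by the LTM with address and port.
if [ "$#" -ge 2 ]; then
    if probe_member "$1" "$2"; then
        echo "UP"     # any stdout output: member stays in the pool
    fi                # silence: member is marked down
    exit 0
fi
```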

Re: Optimising rndc reload times on a slave server with 50,000 zones

2011-02-28 Thread david klein
5 files in a single directory will make it difficult for any
filesystem. I would recommend breaking that out into groups of less
than 1 per directory. For better performance, separate them onto
directories that are on different spindles; the parallelization of
seek (and with thousands of small files that can each be read in one
or two reads, your disks will spend a lot of this time seeking) should
show noticeable performance improvement.

Do only some of the zones update at any given 15 minute cycle? If so,
you may show an even bigger improvement by only reloading those that
will have changed.



On Sat, Feb 26, 2011 at 8:56 PM, Dennis Perisa  wrote:
> Hi folks,
> I'm looking for suggestions to substantially improve reload times on a slave
> that is serving 50,000 zones (mostly customer zones).
> 'rndc reload' is being executed on the slave every 15 minutes.  Due to the
> large number of zones to trawl through, the reload process is causing
> intermittent outages and/or significant delays to zone transfers.
> Here are some ideas I have:
> - use rndc reconfig instead
> - separate zone files into separate dirs to improve O/S performance
> (currently, all zone files are in a single dir)
> Are these viable options?  Any other thoughts/suggestions?
> This is expected to be a short-term fix while we consider brute force
> approach of throwing more cpu/mem/IO at this.
> DP
>





Re: Optimising rndc reload times on a slave server with 50,000 zones

2011-03-02 Thread david klein
One other thing: on the filesystem in which reside directories that
house the zone files, set the mount option "noatime". This will
improve the performance of re-reading the zone files because it will
take out the necessity of updating a time-stamp for each read.


 -DTK







Re: GUI for bind

2011-03-30 Thread david klein
It's a little less novice-friendly than Men & Mice, but it has price
going for it. Take a look at GADMIN Tools for BIND
(http://gadmintools.flippedweb.com/index.php?option=com_content&task=view&id=14&Itemid=33).

Even better, take a look at Infoblox NIOS-based IPAM appliance; you
could easily set one up as gridmaster and BIND master, and then do
IXFR from him to your BIND slave-servers.


 -DTK




On Mon, Mar 28, 2011 at 5:55 PM, Jorg B.  wrote:
> Hello,
>
> I'm looking for a GUI for bind that meets the following requirements:
>
> (1)     Must still be under development (and supported, either commercially 
> or via community support)
> (2)     Supports "accounts/groups" that will allow me to create user accounts 
> that are able to modify only zone records assigned to the account/group.
> (3)     Administrator access with the permissions to modify any zone record.
> (4)     Should support most common features of bind.
> (5)     Should support 100's of zone records.
> (6)     Should be somewhat easy to use, so that "non-experts" can figure it 
> out.
>
> The product does not have to be free... a commercial product is perfectly 
> fine.
> I've spent some time searching around, but most of the GUI products either 
> don't support bind or are no longer maintained...
>
> Any recommendations would be appreciated...
>
> Thanks
> JB





Re: DNS update on host down

2011-07-28 Thread david klein
There are tools which do this, such as F5's GTM or Cisco's GSS;
essentially, you have multiple servers in a pool/answer group, and
during normal operations, they are handed out in either RR or WRR. If
one server fails his health-check, he is taken out of the mix. I
believe under the covers, it is essentially a rules-engine, BIND,
nsupdate and a few monitoring scripts.


 -DTK

On Tue, Jul 26, 2011 at 9:23 AM, Paul Reilly  wrote:
> Is there a simple utility, which can ICMP ping or HTTP ping a host, and
> update the host's DNS entry if the host is down?
> I'm thinking I could have 2 include files, and swap between them if the host
> is down or not.
>
> Any pointers ?
>
> Paul
>
>



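The "BIND, nsupdate and a few monitoring scripts" pattern from the reply above, written out as an added example (not code from the thread, from ISC, F5 or Cisco): a script probes the primary host and, only when the published A record no longer matches the wanted address, sends a TSIG-signed dynamic update to the master. Zone, record, addresses and key path are constructed for the example.

```sh
#!/bin/sh
# failover_update.sh: monitor script + nsupdate failover (added example).
# Constructed for this example: zone example.com, record www.example.com,
# primary 192.0.2.10, standby 192.0.2.20, TSIG key in /etc/named/failover.key
# (make one with tsig-keygen), dynamic updates sent to the zone's one master.

ZONE="example.com"
RECORD="www.example.com."
PRIMARY="192.0.2.10"
STANDBY="192.0.2.20"
TTL=60                          # short TTL so a swap is seen quickly
MASTER="127.0.0.1"              # the single master that accepts updates
KEYFILE="/etc/named/failover.key"

# Probe the primary host: HTTP when curl is available, ICMP otherwise.
# Returns 0 when the host answers, non-zero when it does not.
probe_host() {
    if command -v curl >/dev/null 2>&1; then
        curl -s -o /dev/null --max-time 3 "http://$1/"
    else
        ping -c 1 -W 2 "$1" >/dev/null 2>&1
    fi
}

# Map a probe result ("up" or "down") to the address RECORD should carry.
choose_target() {
    if [ "$1" = "up" ]; then echo "$PRIMARY"; else echo "$STANDBY"; fi
}

# Build the nsupdate transaction that points RECORD at one address. Deleting
# the whole A RRset first keeps both addresses from being published at once.
build_update() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$MASTER" "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

# Run from cron or a loop with "run". The update is sent only when the
# published address differs from the wanted one, so a healthy steady state
# produces no serial bumps and no zone transfers.
if [ "${1:-}" = "run" ]; then
    if probe_host "$PRIMARY"; then status="up"; else status="down"; fi
    want=$(choose_target "$status")
    have=$(dig @"$MASTER" "$RECORD" A +short 2>/dev/null | head -n 1)
    if [ "$have" != "$want" ]; then
        build_update "$want" | nsupdate -k "$KEYFILE"   # TSIG-signed update
        logger -t failover_update "primary is $status: $RECORD -> $want"
    fi
fi
```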


Re: Zone name conflicts / overlapping

2011-09-19 Thread david klein
I don't know from Power DNS, but BIND expects to have one master where all
changes are initiated, and all other servers receive replication from the
single master, via incremental zone transfers. This is how conflicts and
race conditions are prevented. You would do better to designate one of the
two boxes as master, migrate all of the zones to that box, and have the
other box only receive replication from the first.

If you want multi-master replication (not recommended, because it introduces
a lot of strange behavior in edge cases), you would need to use something
like DLZ and move your zone management out of the nameserver itself, and
into an application that would feed DLZ. Note, this is nontrivial, and will
add a lot of complexity and processing overhead.

A best design would be to make both of your current servers consume
replication and add a third server, which does not have an NS record, and which
is not in SOA, but which is designated the master and provides replication
to the other two. This way you decouple where you make the changes from
where you serve the data to the final consumers, and may be able to put it
in a secure walled-garden, with only connectivity allowed to the DNS servers
(which one presumes would be Internet facing).

HTH,

 -DTK



On Mon, Sep 19, 2011 at 12:45 AM, Ben C.  wrote:

> Hello all,
>
> This is my first post to bind-users, so I would like to first of all
> say hello, and thanks to everyone who takes their time to read and
> respond to any mailing list post. =)
>
> I have a fairly complex situation where I have a pDNS server and a ISC
> BIND server, both containing unique zones.  I'm trying to make them
> "sync" to each other so that the end result is they both contain the
> same list of zones, and update the opposite's zone files regularly.  I
> am doing my best in designing it so that it *shouldn't* have the
> possibility of a zone conflict, where server A says something about
> zone "foo.com", and server B contains its own unique record, so when
> they sync, .. well ...
>
> I noticed with BIND, what I expected happens if the situation occurs:
>
> zone "foo.com" {
>  type master;
>  file "/path/to/some.file";
> };
>
> // .. some stuff
> zone "foo.com" {
>  type master;
>  file "/path/to/some.other.file";
>  // ^^ They can be the same file, too ..
> };
>
> -- BIND simply refuses to start, which is great because it allows me
> to /see/ the error a little easier.
>
> However, the situation got interesting when the following occurs:
>
> zone "ns1.foo.com" {
>  type master;
>  file "/path/to/ns1.foo.com";
> };
>
> zone "foo.com" {
>  type master;
>  file "/path/to/foo.com";
> };
>
> Where ns1.foo.com's zone file would obviously contain an A record for
> itself (ns1.foo.com.) and then foo.com's zone file contains an A
> record for the same zone / hostname, ns1.foo.com.
>
> It appears to me, BIND sees the conflict / overlap but does not care
> about the order they are in, nor cares to exit (or even tell anybody
> about it), but simply use the more "specific" zone file which would be
> "ns1.foo.com".  I'm pretty sure this is intended behavior. Although
> for my specific and very individual circumstance, this is not ideal
> for me, but I'm by no means saying this is a bug, or "bad" behavior.
>
> I'm simply trying to figure out (1) if this is indeed the correct
> assumption, that BIND will always use the more "specific" zone,  ...
> (2) if there are ways to modify the behavior (short of editing the way
> BIND, or even DNS works) ...  (3) if there is a way to at least
> identify this kind of behavior in logs (error/warning message? maybe
> I'm missing it..) .. (4) a link or referral to any kind of relevant
> information would be useful -- documentation, mailing lists, anything
> -- I did a _lot_ of googling and even peeked around on IRC asking
> around, but either I'm not asking the question correctly, or it's not
> a very common thing :)
>
> Thanks for your time,
> Ben



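The hidden-master layout from the third paragraph of the reply above, written out as an added example (not configuration from the thread or from ISC): the master sits on a private address, answers nobody but the two public servers, and feeds them TSIG-authenticated transfers. Addresses and the key name are constructed; the secret is a placeholder.

```conf
// --- named.conf on the hidden master, constructed address 10.0.0.10 ---
// The zone's NS records and SOA MNAME name only ns1/ns2 (192.0.2.1/.2);
// this host never appears in the zone, so nothing on the Internet is told about it.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<placeholder: output of tsig-keygen xfer-key>";
};

options {
    directory "/var/named";
    recursion no;                       // authoritative only
    listen-on { 10.0.0.10; };           // walled-garden interface only
    allow-query { none; };              // opened per zone, to the two public servers
    allow-transfer { none; };           // likewise
    notify explicit;                    // send NOTIFY only to also-notify targets
    also-notify { 192.0.2.1; 192.0.2.2; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-query { 192.0.2.1; 192.0.2.2; };   // SOA refresh checks from ns1/ns2
    allow-transfer { key xfer-key; };        // IXFR/AXFR only with the TSIG key
};

// --- named.conf on each public server (ns1 shown, 192.0.2.1) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<placeholder: same secret as on the master>";
};
server 10.0.0.10 { keys { xfer-key; }; };    // sign SOA queries and transfers

zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 10.0.0.10; };
    allow-notify { 10.0.0.10; };        // accept NOTIFY only from the hidden master
    allow-transfer { none; };           // the public servers answer, never transfer
};
```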

Re: load balance of DNS

2012-01-13 Thread David Klein
With stock DNS, no; all you can do is recommend by ordering the responses.
But there are solutions. There are load-balancing DNS servers (they have a
pool of responses, and hand out an answer of that pool, based on rules, and
can even remove an answer from the pool if a watchdog/monitor fails). F5
GTM and Cisco GSS are examples, but you need to talk with the vendor or a
VAR to help you to understand some of the nuances and complexities of doing
it this way.




On Fri, Jan 13, 2012 at 8:52 AM, Matus UHLAR - fantomas wrote:

> On 13.01.12 22:40, MyDots.net wrote:
>
>> Is there a good way of running the current BIND (9.7 and later) for load
>> balancing a special record?
>> for example,
>>
>> www.example.com  IN  A  192.168.1.1
>> www.example.com  IN  A  192.168.1.2
>>
>
> kind of.
>
>
>  I want the first one to get more web traffic than the second one.
>>
>
> With DNS you can only hint clients to send their requests by sorting
> provided RRs in particular order. You can not be sure that they will
> preserve the order and that they will send their requests to different
> servers. In fact, most of clients take first server and will communicate
> with it.
>
>
>  I know other 4 or 7 layer software (like LVS and Nginx) can do that, but
>> also want to know if BIND supports this.
>>
>
> better get such solution then...
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Remember half the people you know are below average.




Re: Bind Clustering

2010-07-29 Thread david klein
One solution that was floated recently around here was to use dynamically
loaded zones (http://bind-dlz.sourceforge.net/) with an underlying storage
mechanism that does bidirectional replication (a directory service like LDAP
or a database) for the masters; this way, whichever one gets the update, the
others get it too. The downside is that DLZ is basically a rearchitecture of your
DNS setup, and will require the two extra pieces to maintain (the DLZ
portion and the underlying replicating source).


 -DTK



On Thu, Jul 29, 2010 at 6:25 AM, Gordon A. Lang  wrote:

> I know BIND does not currently support multi-master.  And I understand that
> trying to strap together my own pseudo-multi-master implementation using
> BIND, bubble gum, and tape isn't a sustainable solution.  But, nevertheless,
> I don't really need a true multi-master implementation -- I just need to
> keep my backup master relatively up to date without relying on frequent
> freeze-copy-thaw operations.  I would be happy to have the updates go to one
> slave, and then be replicated to both the active master and the backup
> master.  I would deal with drift via brute force i.e. I would have the
> active master copy over to the backup master on a once or twice a day basis,
> not once every 5 minutes.
>
> I think it would be great if there were a new config construct added
> whereby the update-forward target(s) are explicitly specified.  In the case
> where the masters are slaves of a hidden master that is directly reachable,
> it would allow for the updates to be directly forwarded to the primary
> master instead of being forwarded twice.  And if multiple update-forward
> targets are specified, then all targets always get an update.  This could be
> used to maintain a duplicate (hidden) master and/or eliminate the
> failure-delay when the multiple masters "switch over," take turns being the
> master.  And possibly the specified update-forward target construct could
> also have an optional behavior of "forward-to-all" or
> "stop-on-first-success." if current behavior is preferred, but with a
> different list than then zone-transfer master list.
>
> Better yet, I would like add update-forwarding for master zones -- perhaps
> it could be called update-replication.
>
> I guess what I would really like to see is multiple MNAME targets
> accommodated right in the SOA, but I imagine that would have a serious
> compatibility challenge.
>
> Or else maybe a new zone type called backup-master that acts like a slave
> until an rndc control flips its operation state.
>
> I would like to get see some more comments on this.
>
> And I would really appreciate it if someone could tell me where in the
> source code I should look to find where the update-forward targets are
> obtained so that I can evaluate what it would take for me to write my own
> modifications.
>
> Thanks.
>
> --
> Gordon A. Lang
>
> - Original Message - From: "Chris Buxton" <
> chris.p.bux...@gmail.com>
> To: "Gordon A. Lang" ; 
> Sent: Wednesday, July 28, 2010 11:22 PM
>
> Subject: Re: Bind Clustering
>
>
>  Updates are always forwarded to the zone masters, as configured in the
>> zone statement itself. And yes, the update is only forwarded
>> (successfully) once.
>>
>> BIND assumes that each zone has exactly one "primary master". That's
>> why updates are forwarded only once. If you want a true multi-master
>> setup, you'll need to look at other options. For example:
>>
>> - BIND with modifications or additional software.
>> - Microsoft DNS and AD-integrated zones.
>>
>> There are other options.
>>
>> Regards,
>> Chris Buxton
>> Bluecat Networks
>>
>> On 7/28/10, Gordon A. Lang  wrote:
>>
>>> This reply is a few months delayed, but this issue is still very
>>> important
>>> to me, and I'm hoping you can take a few minutes to help out.
>>>
>>> I finally took some time to read through the code, and unfortunately I
>>> was
>>> unable to identify where forward target(s) are obtained in the update
>>> forwarding action.  There's a lot of structure to reverse engineer -- too
>>> much for a casual effort.  So perhaps you can tell me where I can find
>>> the
>>> pertinent code...  ?
>>>
>>> My belief was that somewhere in the code, the SOA record is obtained, and
>>> the MNAME is used as the forward target -- this belief was based on trial
>>> and error observations.
>>>
>>> What you suggested is that the update forwarding actually uses the
>>> masters
>>> list from the named.conf file for forwarding targets.
>>>
>>> I was unable to find clues one way or another.
>>>
>>> But another thing about your response that leaves me wondering if I fully
>>> understand your response is that you say it "walks the list of masters
>>> trying each one in turn," and with the word "trying" in there, it
>>> suggests
>>> that it walks the list only until the first successful update.  Perhaps I
>>> am
>>> incorrectly reading into it, but if you could clarify that point, I would
>>> appreciate it.  ---  I would expec