DNS Requirements Large domain registrar A few hundred thousand - - PowerPoint PPT Presentation

dns
SMART_READER_LITE
LIVE PREVIEW

DNS Requirements Large domain registrar A few hundred thousand - - PowerPoint PPT Presentation

Dec 18, 2023 344 likes •563 views

Scaling DNS Requirements Large domain registrar A few hundred thousand domains using our DNS. Nearly a million domains Still growing Need fast updates on the authoritative servers Especially when a new domain is added

slide-1
SLIDE 1

Scaling

DNS

slide-2
SLIDE 2

Requirements

  • Large domain registrar
  • A few hundred thousand domains using our

DNS.

– Nearly a million domains

  • Still growing
  • Need fast updates on the authoritative servers

– Especially when a new domain is added – Or removed

slide-3
SLIDE 3
  • Why use a database?
  • Choosing an option

– Stability – Performance – Support

  • Options considered

– BIND – BIND-DLZ – PowerDNS – MyDNS

slide-4
SLIDE 4

Flat files don't always rock

  • Flat files rock for system administrators

– DNS administrators may not have root access – Editing flat files from the web is ... insane

  • Delegating single zone management is difficult
  • Edits and reloads have to be batched
  • Startup times for nameserver processes
slide-5
SLIDE 5

Flat files don't always rock

  • Flat files cause a startup time delay on the

server process

– For BIND, this penalty is huge

  • A single host, with 113K small zones took slightly over an

hour to start with flat files

  • It then served data at about 30K qps

– PowerDNS is “optimised” for this task

  • It took over 6 minutes to parse 113K small zones and

start serving data

  • This served data at about 26K qps
slide-6
SLIDE 6

BIND

  • Native BIND has “some” support.

– One connection to the backend for each domain – Low performance

slide-7
SLIDE 7

BIND-DLZ

  • Patch to BIND

– See http://bind-dlz.sourceforge.net/

  • One/Two connections to the backend for all

domains

  • User defined queries, including stored

procedures

  • Supports MySQL, PostgreSQL, OpenLDAP,

BDB

slide-8
SLIDE 8

BIND-DLZ architecture

DBMS BIND DLZ

slide-9
SLIDE 9

DLZ schema

  • BENEFITS

– Single connection to database – Single table needed to store all records

  • Keeps it simple
  • DISADVANTAGES

– No caching – Bad performance – Third party patch to BIND

slide-10
SLIDE 10

PowerDNS

  • DNS server written in C++
  • Separate authoritative and recursive servers
  • Strong focus on security
slide-11
SLIDE 11

PowerDNS architecture

PowerDNS frontend Database Cache Database abstraction layer

slide-12
SLIDE 12

PowerDNS

  • BENEFITS

– One or more connections to the database – Two tables needed – Internal in-memory cache makes responses fast – Low memory footprint

  • DISADVANTAGES

– Cache management – DNSSEC (partial support, WIP) and views (no

support)

– http://www.powerdnssec.org/

slide-13
SLIDE 13

MyDNS

  • Not maintained – last update was 2006
  • Hardcoded schema

– We have our own.

slide-14
SLIDE 14

Lies, damn lies and statistics

  • Actually, performance benchmarks
  • Native BIND wasn't going to be very useful to
  • us. We didn't test it at all, except as a baseline

statistic.

slide-15
SLIDE 15

Testing

  • Test infrastructure was a single host with two

dual core Xeon CPUs at 2.something GHz and 16 GB of RAM with one disk, running the nameserver and the database

  • The clients were three pentium boxes with 1 GB
  • f RAM connected over a 100 Mbps network.
  • We used the commandline queryperf tool to

run queries.

– queryperf -q 20 -s <IP> -d <FILE>

slide-16
SLIDE 16

Results

4000 5600 1800 2000 4800 25200 30000 Raw BIND 21700 20000 7000 21000 23000 46000 BIND-DLZ with BDBHPT, 2 queryperf clients, transaction mode BIND-DLZ with BDBHPT, 2 queryperf clients, transaction mode, RAMDisk BIND-DLZ with PostgreSQL, raw queries BIND-DLZ with PostgreSQL, Stored procedures BIND-DLZ with PostgreSQL, SP, 8 DLZ threads Nominum ANS, default cache size Nominum ANS, cache size 512 MB PowerDNS, hash as cache, 115K domains PowerDNS, hash as cache, 3M domains PowerDNS, RBT with single threaded cache, 3M domains PowerDNS, RBT w/ single threaded cache, 10M domains PowerDNS, RBT w/ multi-threaded cache, 10M domains, 2.9.22

slide-17
SLIDE 17

Same numbers, as a graph

5000 10000 15000 20000 25000 30000 35000 40000 45000 50000 qps

slide-18
SLIDE 18

Operational architecture

Slave DC1 Slave DC3 Master DC1 PowerDNS PowerDNS PowerDNS PowerDNS Slave DC2 Slony Management Script Web UI

slide-19
SLIDE 19

Software

  • Master database is PostgreSQL 8.2.x
  • Read-only slaves have some tables replicated

from the master database via Slony.

  • Cache maintainance is a homegrown script.
slide-20
SLIDE 20

In Practice

  • Maximum database replication lag is 10

seconds.

  • PowerDNS has peaked at ~ 10000 qps during a

DdoS

– This would have brought down the previous BIND-

DLZ installations

– We didn't notice the blip

  • Yes, monitoring needs improvement ;)
slide-21
SLIDE 21

Questions?