(no subject)

Brad Knowles brad.knowles at skynet.be
Fri Sep 28 11:01:05 UTC 2001


At 11:54 PM -0600 9/27/01, Cricket Liu wrote:

>>  I manage name servers for several state agencies. We host
>>  BIND on FreeBSD and NT. In light of recent events, the powers
>>  that be have decided to beef up the BIND servers to prevent
>>  denial of service type issues.

	[ ... deletia ... ]

>>                                                Anyone care to
>>  point me at bullet proofing DNS literature? Currently our load
>>  is in the range of 20 million plus queries a day across 4 servers.
>
>  There are two articles I wrote available from
>
>  http://www.menandmice.com/9000/9300_DNS_Corner.html
>
>  plus the Security chapter from "DNS and BIND."

	The other thing that I would add is that you should search the 
archives of the bind-users mailing list (which is gatewayed to the 
USENET newsgroup comp.protocols.dns.bind, for which Google provides 
additional archives), and look for postings from various people that 
have benchmarked their servers, using tools such as "queryperf" which 
comes with the more recent versions of the BIND 9.2.0 betas and 
release candidates.

	With this kind of tool being used in the right environment with 
the right clients, you should be able to push your servers as hard as 
they can possibly be pushed, and then management can decide if this 
is enough spare capacity or if there need to be further tweaks & 
upgrades.


	If you really are seeing about 20 million queries evenly spread 
over four machines, then this would be a daily average of about 57.87 
queries per second per machine, but you should have occasional peaks 
that are considerably higher than this.  I have personally built 
machines that could handle up to 2000 queries per second per process, 
but that was a pretty highly customized configuration for a 
high-volume application.

	Others on this list have provided information about even higher 
levels of performance that they've seen or been able to get with 
highly specialized AIX installations (for a.root-servers.net, 
handling around 12,000 queries per second at peak), or in specialized 
testing environments (the work that Rick Jones had done at 
Hewlett-Packard on some pretty high-end machines).


	With a search of the archives, you should be able to turn up all 
this information, and hopefully be able to use it to help you make 
your determination.

	If you should want/need some specialized consulting in this area, 
I'm sure that Men & Mice (the company that Cricket works for) would 
be able to help, as could the folks at Nominum (who wrote BIND 9 
under contract from the ISC).

-- 
Brad Knowles, <brad.knowles at skynet.be>
