Using DNS for 99,99% reliability

Simon Waters Simon at wretched.demon.co.uk
Fri Mar 22 17:37:50 UTC 2002


Jakob Bak wrote:
> 
> 1) Do (most) nameservers on the net respect a TTL of only 5 minutes when
> caching our DNS records?
>     (or do they often keep the information for longer periods, e.g. 1 hour,
> to avoid too much load)

If they keep the information for longer they are broken -
"Somebody else's problem", as Douglas Adams put it.

> 2) How much traffic does a secondary DNS get when the primary is running?
>    (nothing at all, or 5%, or up to 50%?)

External traffic doesn't know which is your primary and which is
your secondary; that is purely an internal administrative issue.
If you list them in a given order, the first one listed tends to
get more traffic, in part due to non-BIND DNS servers, I suspect.
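
From the outside both servers just appear as ordinary NS records
(names below are placeholders), with nothing marking one of them as
"primary":

    example.com.   86400  IN  NS  ns1.example.com.
    example.com.   86400  IN  NS  ns2.example.com.

Resolvers pick among the listed servers in their own ways, so the
split is rarely exactly 50/50, but neither server sits idle.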

> our system must now provide 99,99% uptime on our web site while our
> host/provider "only" guarantees 99,9%

Can you not run both clusters as active? You will have to deal
with the case where the Internet splits into two distinct chunks
and you have independent, concurrent transactions at both sites.
If you can handle that case, you can probably just run two or
more copies of your website at redundant locations.
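
One crude sketch of running both sites active at once (addresses and
names here are made up) is round-robin A records with a short TTL:

    ; hypothetical round-robin: one name, one address at each site,
    ; short TTL so a dead site can be pulled from the answer quickly
    www.example.com.   300  IN  A  192.0.2.10      ; site A
    www.example.com.   300  IN  A  198.51.100.10   ; site B

Until the dead record is actually removed, clients will still hit
the failed site some of the time, which is one more reason you have
to be able to cope with both sites taking traffic independently.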

I don't have any figures to hand, but I suspect that if you are
trying to get 99.99% out of the Internet, then once you have
allowed for core infrastructure problems (routing table foul-ups,
loss of global DNS service for your TLD, DDoS attacks and the
like) you probably have to achieve something closer to 99.999%
in house. So make sure you aren't over-engineering against the
risks you can control whilst ignoring those you have no control
over.
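
Rough downtime budgets put those figures in perspective:

    99,9%   uptime ~  8.8 hours  of downtime per year
    99,99%  uptime ~ 53  minutes of downtime per year
    99,999% uptime ~  5  minutes of downtime per year

If problems outside your control already eat a good chunk of the
53-minute budget, the part you do control has to run much closer
to the 5-minute figure.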

For example, bak.com has four DNS servers.

One is running a DNS server version with known security flaws;
the other three are in a network I can't currently route to.

So one nasty hacker poking a malformed packet at the first
nameserver would block access to the domain entirely for some
subset of the Internet user base.
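
Anyone can check this sort of thing from the outside; for instance
(server name below is a placeholder):

    dig example.com NS
    dig @ns1.example.com example.com SOA
    dig @ns1.example.com version.bind txt chaos

The first lists the advertised nameservers, the second shows whether
each one actually answers, and the last will coax many BIND servers
into reporting their version string.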

