Load balancer for Bind

bert hubert bert.hubert at netherlabs.nl
Thu Sep 15 14:49:52 UTC 2016


On Wed, Sep 14, 2016 at 03:41:31PM -0400, Matthew Pounsett wrote:
> > I read something about HAProxy but it does not manage udp connection and
> > the interesting security proxy/balancer DnsDist does not pass original
> > client ip for Bind-DLZ...
> >
> Your best option is something that can do the job statelessly.  As Warren
(...)

> Mostly that means using a routing protocol to do LAN-scope Anycast via
> ECMP.  ISC has a technote that explains how to do it.

Actually, in our not so humble opinion, your best option is both. 

ECMP is good at distributing the pain using some hash of addresses and port
numbers.  But it does nothing about the pain itself.  Also, it does not know
about the health of individual backends.

dnsdist does know, and can also filter many forms of attack without touching
the state table. dnsdist has a fixed amount of state so it won't die from
people trying to overload its state tables. And the state is dimensioned so
it will not be exceeded without forwarding more traffic than your backends
could handle anyhow.

So what we recommend is using dnsdist to balance to your backends, and have
it prefer one backend when all things are equal.  Then run multiple dnsdists
which each prefer a different backend.  And then announce your dnsdist
service addresses a few times over BGP.

Finally, query dnsdist about its drop rates, and if these exceed a certain
level, prepend your BGP announcement so another dnsdist gets the traffic,
unless that too measures drops. If all of them prepend, the pain is spread
out evenly again.

Sorry for running an advertisement here. But please know dnsdist is software
neutral, it is not "powerdnsdist".

	Bert

> <http://ftp.isc.org/isc/pubs/tn/isc-tn-2004-1.html>

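The drop-rate-driven prepending described in the message above, sketched as an added example that is not part of the original post and is not dnsdist or PowerDNS code. The counter names, the 5%/1% thresholds, the hysteresis, the private AS number 64512 and the shortest-AS-path model of the upstream routers are all assumptions; handing the resulting AS path to a BGP speaker is left out.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    queries: int   # cumulative queries seen by this dnsdist (assumed counter)
    drops: int     # cumulative queries it dropped (assumed counter)

def drop_rate(prev: Snapshot, cur: Snapshot) -> float:
    """Fraction of queries dropped between two cumulative snapshots."""
    dq, dd = cur.queries - prev.queries, cur.drops - prev.drops
    if dq <= 0 or dd < 0:          # idle interval or counters reset by a restart
        return 0.0
    return min(dd / dq, 1.0)

class PrependController:
    """Prepend at or above `high`; stop only after `calm` intervals below `low`."""
    def __init__(self, local_as: int, high=0.05, low=0.01, calm=3, extra=2):
        self.local_as, self.high, self.low = local_as, high, low
        self.calm, self.extra = calm, extra
        self.prepending, self.quiet = False, 0

    def update(self, rate: float) -> list:
        """Feed one interval's drop rate, get the AS path to announce."""
        if rate >= self.high:
            self.prepending, self.quiet = True, 0
        elif self.prepending:
            self.quiet = self.quiet + 1 if rate < self.low else 0
            if self.quiet >= self.calm:
                self.prepending, self.quiet = False, 0
        return [self.local_as] * (1 + (self.extra if self.prepending else 0))

def preferred_nodes(paths: dict) -> list:
    """Model of the upstream routers: nodes with the shortest AS path share traffic."""
    shortest = min(len(p) for p in paths.values())
    return sorted(n for n, p in paths.items() if len(p) == shortest)

def simulate() -> list:
    """Constructed samples: per-interval (queries, drops) deltas for two dnsdist nodes."""
    deltas = {"dnsdist-a": [(1000, 0), (9000, 900), (9000, 800), (1000, 0)],
              "dnsdist-b": [(1000, 0), (1000, 0), (9000, 700), (1000, 0)]}
    ctl = {n: PrependController(local_as=64512) for n in deltas}  # private AS, constructed
    last = {n: Snapshot(0, 0) for n in deltas}
    history = []
    for i in range(4):
        paths = {}
        for n, series in deltas.items():
            cur = Snapshot(last[n].queries + series[i][0], last[n].drops + series[i][1])
            paths[n] = ctl[n].update(drop_rate(last[n], cur))
            last[n] = cur
        history.append(preferred_nodes(paths))
    return history

if __name__ == "__main__":
    print(simulate())
```

In the constructed run, traffic shifts to dnsdist-b while only dnsdist-a is dropping, and both nodes are equally preferred again once both prepend.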


