Tests revealed that old djbdns seem to be too old as it processes requests 10 times slower then slow bind does.
The final decicsion and contest winner is powerDNS recursor for recursor part and BIND for authoritative part. And yes, finaly we've split them.
Idea to have 12 caches and split-horizon auth DNS server still continiuoes to be just an idea.
Instead it apperaed that powerDNS recursor has a very nice feature - it can pass all incoming requests to a lua script and all request ended with NX answer to another lua script. This is enought to fullfill all our split horizon demands.
The only exception we don't know destination IP of DNS query in script when nice "packet cache" feature is on. Thats why at the moment two copies of powerDNS recursor is on duty. Not a big problem, two!=twelve.
It took about 10 working days to transfer all recursive payload from named to powerDNS. All went smooth, without server lost.
Some things to notice:
At the moment we are leaving named as authoritative server. Mostly because of noc duty guys are comfortable to work with it, and absense of high traffic now, most mission-critical requests for customers processed inside recursor without asking auth server.
The CPU usage diagram:
The final decicsion and contest winner is powerDNS recursor for recursor part and BIND for authoritative part. And yes, finaly we've split them.
Idea to have 12 caches and split-horizon auth DNS server still continiuoes to be just an idea.
Instead it apperaed that powerDNS recursor has a very nice feature - it can pass all incoming requests to a lua script and all request ended with NX answer to another lua script. This is enought to fullfill all our split horizon demands.
The only exception we don't know destination IP of DNS query in script when nice "packet cache" feature is on. Thats why at the moment two copies of powerDNS recursor is on duty. Not a big problem, two!=twelve.
It took about 10 working days to transfer all recursive payload from named to powerDNS. All went smooth, without server lost.
Some things to notice:
- the most recent version of powerDNS recursor doesn't do round robin correct when answering queries with many resources. I didn't have time to figure out why, just downgraded to one minor version, it's ok.
- to have all private thing functional ( .local adresses and "grey" networks PTR resolving) recursor should be specifically told where auth server for them is, as root servers will not answer/know about such a resources.
- restarts instantly,
- memory consumtion as 200-300 megs, ten times less than named.
At the moment we are leaving named as authoritative server. Mostly because of noc duty guys are comfortable to work with it, and absense of high traffic now, most mission-critical requests for customers processed inside recursor without asking auth server.
The CPU usage diagram:
Doesn't look impressive, but please note that user load (middle line) with bind couldn't get more then 50% (one CPU), The user load magnitude after upgrade is because named cleaning it's empty cache (recursive part still on, but no real requests go to bind).
No comments:
Post a Comment