
BIND server dimensioning


Laurent Perruche, May 15, 2001, 10:38:10 AM
Hello,

I'm a newbie in the DNS/BIND world, but after searching the whole web, I found
no solutions to my questions.

I'd like to know if there are some tips for designing a BIND server (on
Solaris) that can handle:
- about 3000 requests/second
- about 1000 requests/second
Did someone build such servers? What hardware did you use (RAM, CPU...)?

I'd like my DNS service to be available 99.995% of the time. What
architecture do I have to use?

I know that it may be hard to answer, but if some of you could describe
your experiences in deploying BIND Solaris servers, it would be great.

Thanks in advance
--
Lolo

Brad Knowles, May 15, 2001, 11:36:29 AM

At 12:12 PM +0000 5/15/01, Laurent Perruche wrote:

> I'd like to know if there are some tips for designing a BIND server (on
> Solaris) that can handle:
> - about 3000 requests/second
> - about 1000 requests/second
> Did someone build such servers? What hardware did you use (RAM, CPU...)?
>
> I'd like my DNS service to be available 99.995% of the time. What
> architecture do I have to use?
>
> I know that it may be hard to answer, but if some of you could describe
> your experiences in deploying BIND Solaris servers, it would be great.

I don't know of anyone who has specifically done these things
with Solaris. However, you can read Rick Jones' papers on how they
did these things with HP-UX -- see
<ftp://ftp.cup.hp.com/dist/networking/briefs/>. You should also look
at RFC 2870 <http://www.faqs.org/rfcs/rfc2870.html>.

I am not personally aware of anyone that is doing even 1000
queries per second with a Sun/Solaris box, but it is possible that
one of the root nameservers is running Solaris. If you can find out
which one might be running Solaris, you can ask them what they did
and how they configured their machine.


That said, it will depend greatly on the type of queries you're
doing -- it's not too hard to handle 2000 queries per second when you
are running an authoritative-only server, but it is much, much harder
to handle 2000 queries per second when you're running a caching-only
server.

The former is pretty much entirely within your control, and you
can add more memory, faster disks, etc. to keep up with the load.
The latter is going to be largely dependent on the latency and
connectivity between you and the remote nameservers, and that's
really going to seriously cripple your expected throughput in a
real-world situation.

--
Brad Knowles, <brad.k...@skynet.be>

/* efdtt.c Author: Charles M. Hannum <ro...@ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'


Bill Larson, May 15, 2001, 12:15:54 PM

Given Brad's explanation, which is absolutely correct, why not try and
provide your users with a farm of DNS servers rather than provide only
a single server. This way you can break up your 1000-3000 queries/sec
into a more easily managed 100-300 queries/sec/server, if you provide 10
servers.

This would assist your users by avoiding a possible single point of
failure when one (or more) of your DNS servers are unavailable.

Also, if you are expecting to be receiving this many queries from a web
server that is performing reverse, in-addr.arpa, lookups, an effective
solution would be to avoid these DNS lookups simply for logging
purposes. You can summarize your logs and then perform these queries
only for the addresses that you are seriously interested in rather than
everything, which may not buy you much.

Bill Larson
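Bill's suggestion of summarising the log first and resolving only the addresses of interest, as an added example that is not code from any poster in this thread: the script below counts hits per client address from constructed Common Log Format lines, reverse-resolves only the top N, and keeps a name only when the forward lookup confirms it, since whoever controls the in-addr.arpa zone can put any string in the PTR record. The resolver functions are parameters so the block runs offline; the socket-based defaults are what you would pass in production.

```python
"""Summarise a web access log by client address and reverse-resolve only the
top talkers, instead of doing an in-addr.arpa lookup for every hit.

Added example for this thread, not code from any poster. The log lines are
constructed (RFC 5737 documentation addresses); the resolver functions are
injectable so the script runs offline, with socket-based defaults for real use.
"""
from collections import Counter
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed access log in Common Log Format; the last line is deliberately malformed.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [15/May/2001:10:38:10 +0000] "GET / HTTP/1.0" 200 1043
192.0.2.10 - - [15/May/2001:10:38:11 +0000] "GET /a.gif HTTP/1.0" 200 512
198.51.100.7 - - [15/May/2001:10:38:12 +0000] "GET / HTTP/1.0" 200 1043
192.0.2.10 - - [15/May/2001:10:38:13 +0000] "GET /b.gif HTTP/1.0" 200 640
203.0.113.99 - - [15/May/2001:10:38:14 +0000] "GET /login HTTP/1.0" 401 0
203.0.113.99 - - [15/May/2001:10:38:15 +0000] "GET /login HTTP/1.0" 401 0
198.51.100.7 - - [15/May/2001:10:38:16 +0000] "GET /c.gif HTTP/1.0" 200 77
not-an-address - - [15/May/2001:10:38:17 +0000] "GET / HTTP/1.0" 400 0
"""

Reverse = Callable[[str], Optional[str]]  # address -> PTR name, or None on failure
Forward = Callable[[str], List[str]]      # hostname -> list of addresses


def count_clients(lines: Iterable[str]) -> Counter:
    """Count hits per client address; lines whose first field is not an IP are skipped,
    so a malformed line never turns into a DNS lookup."""
    counts: Counter = Counter()
    for line in lines:
        first = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(first)
        except ValueError:
            continue
        counts[str(addr)] += 1
    return counts


def socket_reverse(addr: str) -> Optional[str]:
    """Real reverse lookup via the system resolver (socket.herror is an OSError)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None


def socket_forward(name: str) -> List[str]:
    """Real forward lookup returning every address the name resolves to."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def confirmed_name(addr: str, reverse: Reverse, forward: Forward) -> Optional[str]:
    """Forward-confirmed reverse DNS: keep the PTR name only if it resolves back to addr."""
    name = reverse(addr)
    if name is None:
        return None
    return name if addr in forward(name) else None


def resolve_top_talkers(lines: Iterable[str], top_n: int,
                        reverse: Reverse = socket_reverse,
                        forward: Forward = socket_forward) -> List[Tuple[str, int, Optional[str]]]:
    """Return (address, hits, confirmed name or None) for the top_n busiest clients.
    The number of reverse lookups is bounded by top_n, not by the number of log lines."""
    counts = count_clients(lines)
    return [(addr, hits, confirmed_name(addr, reverse, forward))
            for addr, hits in counts.most_common(top_n)]


if __name__ == "__main__":
    for addr, hits, name in resolve_top_talkers(SAMPLE_ACCESS_LOG.splitlines(), 3):
        print(f"{hits:5d}  {addr:16s}  {name or '(unconfirmed)'}")
```

With top_n set to a handful of addresses, the number of in-addr.arpa queries is bounded by top_n whatever the log volume, which is the point of Bill's advice; the forward confirmation is an extra check so that a log summary does not repeat a hostname chosen by the address owner as if it were verified.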

Laurent Perruche, May 16, 2001, 3:01:37 AM
> Given Brad's explanation, which is absolutely correct, why not try and
> provide your users with a farm of DNS servers rather than provide only
> a single server. This way you can break up your 1000-3000 queries/sec
> into a more easily managed 100-300 queries/sec/server, if you provide 10
> servers.
>
Thanks to both of you for your responses.
Actually, the number of simultaneous requests is maybe too high.

In fact, I'd like to dimension an authoritative DNS BIND server for an ISP,
with about 70000 users behind it.
This ISP requires (sorry, but I don't know much about DNS and how much it is
used in practice) that with 70000 users behind an authoritative DNS server,
only about 25% (-> 18000 users) are simultaneously connected and that a user
makes one DNS request every 6 seconds (so it makes about 3000 requests/sec.)

According to what you said, it's much too high.
Do you know what the average use of an authoritative DNS server is?

Thanks in advance
--
Laurent

Brad Knowles, May 16, 2001, 4:49:15 AM

At 6:44 AM +0000 5/16/01, Laurent Perruche wrote:

> In fact, I'd like to dimension an authoritative DNS BIND server for an ISP,
> with about 70000 users behind.

Skynet (my ISP, and my former employer) has about a million users
(of which about 200-250k are down in France), and has two main
caching nameservers. To the best of my knowledge, neither of these
machines does much more than about 200-250 queries per second, and
that is with both the clients *AND* most of the servers pointed at
them.

> This ISP requires (sorry, but I don't know much about DNS and how much it is
> used in practice) that with 70000 users behind an authoritative DNS server,
> only about 25% (-> 18000 users) are simultaneously connected and that a user
> makes one DNS request every 6 seconds (so it makes about 3000 requests/sec.)

One DNS request every six seconds per user is *HIGHLY*
unrealistic. They should instead look at the number of queries per
connected user that they see today, and extrapolate from that.

> According to what you said, it's much too high.
> Do you know what the average use of an authoritative DNS server is?

Consider that many users will just do e-mail for most of the
time, and this means that they will make a DNS query for
"pop.yourisp.com", connect to this machine, download all their mail,
read and queue up replies to all their mail, query for
"smtp.yourisp.com" and upload all their replies (perhaps with as much
as thirty minutes to an hour or more between download and upload
sessions), and that would be the entirety of their Internet usage for
the day.


Back in 1997, I built what is probably still the world's largest
nameserver farm at AOL, because the nameservers we had at the time
for the Internet e-mail gateway system were overloaded, and
Operations wanted a centralized set of nameservers that could be used
for all services.

I took four DEC Alpha 4100 servers with 4GB of RAM and four
processors each, and set them up with a high-availability solution
from DEC called "DECsafe ASE", whereby a pair of machines will each
monitor the other, and if the other machine dies, it will take over
the IP addresses and restart the services that it had been running.
This way, clients see a very brief interruption in services, but the
IP addresses they had been using just keep working.

Each DEC Alpha 4100 was running four copies of BIND 8, each one
bound to a separate processor and a separate virtual IP address. I
benchmarked this system as being able to handle at least 2000 DNS
queries per copy of BIND (limited by the tool I was using to measure
the performance of the system), and it didn't seem to make any impact
whatsoever when there were multiple copies of BIND on the system that
were being stressed. So, the overall system should have been able to
handle up to 32,000 queries per second (or perhaps considerably more).

We then created a complex set of rules for determining which
client would be pointed at which instance of BIND as their primary
nameserver (in /etc/resolv.conf), and made sure that the secondary
and tertiary nameservers were on physically separate machines (the
second was even on the opposite cluster, just in case there was a
failure that took down both machines in a pair).

I watched that system fairly carefully for months, and despite
the more than ten million customers AOL had at the time, the
multiple millions of mail messages that we were processing per day,
and the untold billions of web pages that we were serving up per day,
I still don't think I ever saw that system do anything much above
2000 DNS queries per second across the entire cluster.


You really need to get a proper idea of how many DNS queries per
second you can really expect to have, before you start specifying the
kinds of systems you need to be able to handle those levels of
queries.
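Brad's advice is to measure the per-connected-user query rate you see today and extrapolate from it, rather than assuming one query every six seconds. As an added example that is not code from any poster in this thread, the script below parses constructed lines shaped like a BIND 9 query log (the regular expression is an assumption about that format; adjust it to what your version writes), reports peak and average queries per second and the rate per querying client, and scales that rate to Laurent's 70000 users with 25% connected, next to the figure the six-second assumption gives.

```python
"""Measure the query rate a nameserver actually sees and extrapolate to a
target user count, instead of guessing a per-user rate.

Added example for this thread, not code from any poster. The log lines are
constructed, shaped like a BIND 9 query log; LINE_RE is an assumption about
that format and may need adjusting for the version you run.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Iterable, List, NamedTuple

# Constructed sample; addresses are RFC 5737 documentation space. The last
# line is a non-query message and must be ignored by the parser.
SAMPLE_QUERY_LOG = """\
15-May-2001 10:38:00.001 client 192.0.2.10#1025: query: pop.example.net IN A +
15-May-2001 10:38:00.250 client 192.0.2.11#1026: query: www.example.org IN A +
15-May-2001 10:38:00.900 client 192.0.2.10#1025: query: smtp.example.net IN A +
15-May-2001 10:38:17.100 client 192.0.2.12#1027: query: www.example.com IN A +
15-May-2001 10:38:42.300 client 192.0.2.11#1026: query: img.example.org IN A +
15-May-2001 10:38:59.700 client 192.0.2.12#1027: query: 10.2.0.192.in-addr.arpa IN PTR +
15-May-2001 10:38:59.800 general: info: zone example.net/IN: loaded serial 2001051501
"""

# Assumed line shape: "<dd-Mon-yyyy hh:mm:ss.mmm> client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


class Query(NamedTuple):
    when: datetime
    client: str
    qname: str
    qtype: str


class RateSummary(NamedTuple):
    total: int
    clients: int
    window_seconds: int
    peak_qps: int          # busiest one-second bucket
    average_qps: float     # total / window
    per_client_qps: float  # total / (clients * window)


def parse_query_log(lines: Iterable[str]) -> List[Query]:
    """Keep only lines that match the query-log shape; everything else is skipped."""
    out: List[Query] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        out.append(Query(when, m["ip"], m["qname"], m["qtype"]))
    return out


def summarise(queries: List[Query]) -> RateSummary:
    """Bucket queries per second; the window runs from the first to the last busy second."""
    if not queries:
        raise ValueError("no parseable query lines")
    per_second = Counter(q.when.replace(microsecond=0) for q in queries)
    first, last = min(per_second), max(per_second)
    window = int((last - first).total_seconds()) + 1
    total = len(queries)
    clients = len({q.client for q in queries})
    return RateSummary(total=total, clients=clients, window_seconds=window,
                       peak_qps=max(per_second.values()),
                       average_qps=total / window,
                       per_client_qps=total / (clients * window))


def extrapolate_qps(per_client_qps: float, total_users: int, connected_fraction: float) -> float:
    """Measured rate per querying client scaled to the expected connected population."""
    return total_users * connected_fraction * per_client_qps


def assumed_qps(total_users: int, connected_fraction: float, seconds_between_queries: float) -> float:
    """The thread's own rule of thumb: one query every N seconds per connected user."""
    return total_users * connected_fraction / seconds_between_queries


if __name__ == "__main__":
    s = summarise(parse_query_log(SAMPLE_QUERY_LOG.splitlines()))
    print(f"{s.total} queries from {s.clients} clients over {s.window_seconds}s: "
          f"peak {s.peak_qps} q/s, average {s.average_qps:.2f} q/s, "
          f"{s.per_client_qps:.4f} q/s per client")
    print(f"measured extrapolation for 70000 users, 25% connected: "
          f"{extrapolate_qps(s.per_client_qps, 70000, 0.25):.0f} q/s")
    print(f"one-query-per-6-seconds assumption: {assumed_qps(70000, 0.25, 6):.0f} q/s")
```

On a real log the window should cover at least a full day so the peak bucket captures the busy hour, and the peak rather than the average is the dimensioning figure. The per-client rate divides by addresses that queried at all, so it is an upper bound per active client, and clients behind NAT share one address, so "clients" here are stub resolvers rather than users. To run it on an actual file, pass the open file object to parse_query_log() in place of the constructed sample.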
