New thought and possible answer to my question: would it be possible to change the root config file (the db.root with A/B/C/D/E/F/etc. ROOT-SERVERS.NET), remove the original entries (i.e. the ICANN IP addresses) and replace them with 4 of our own DNS server IPs, thus tricking our DNS server into spreading the load off our servers? The root configs on the 4 servers we are directing to would of course have the proper root contents.


We have two forwarding servers that are configured with static IP addresses. We're seeing a steady increase in our CPU load. We want to start thinking about how to scale these two servers and start preparing for it before it becomes an issue.

I understand how to load balance a DNS server using name servers for an authoritative domain. What I am having difficulty finding information on is figuring out how to scale a forwarding-only server that has 0 authoritative domains.

My first assumption was to dig Google's and OpenDNS's servers (8.8.8.8 etc.), even though I suspected it would be fruitless, and hope to see a few servers in the list, but I came back with something else:

Google's 8.8.8.8
----------------
; <<>> DiG 9.8.3-P1 <<>> 8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;8.8.8.8.           IN  A

;; AUTHORITY SECTION:
.           4636    IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2014120401 1800 900 604800 86400

;; Query time: 41 msec
;; SERVER: X.X.X.X#53(X.X.X.X) (censored by me)
;; WHEN: Thu Dec  4 20:41:21 2014
;; MSG SIZE  rcvd: 100

OpenDNS's 208.67.222.222 (2nd dig)
----------------------------------
; <<>> DiG 9.8.3-P1 <<>> 208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60816
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;208.67.222.222.            IN  A

;; AUTHORITY SECTION:
.           10800   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2014120401 1800 900 604800 86400

;; Query time: 43 msec
;; SERVER: 54.85.249.206#53(54.85.249.206)
;; WHEN: Thu Dec  4 20:44:53 2014
;; MSG SIZE  rcvd: 107

I don't see much in the above, although I'm wondering if it would be possible to somehow specify some additional IP addresses in the a.root-servers record in my BIND config to spread the load? Would this work? I.e. change my db.root config file to look something like this:

.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     1.2.3.4 
A.ROOT-SERVERS.NET.      3600000      A     1.2.3.5
A.ROOT-SERVERS.NET.      3600000      A     1.2.3.6
A.ROOT-SERVERS.NET.      3600000      A     1.2.3.7

And of course, on the servers that are listed, just leave the default db.root as follows:

.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
Kladskull

  • Before you try to solve this problem, make sure you understand *why* your CPU is getting that high. Try graphing UDP datagram I/O (refer to UDP-MIB) and keep an eye out for whether you're maintaining a 1:1 ratio. If you're seeing more output than input and this correlates to CPU load, there are much bigger problems that need solving (and most of them involve abuse). – Andrew B Dec 05 '14 at 04:59
  • As for the rest of your post, this is a classic example of an [X-Y problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). Your query to Google's server doesn't make any sense: your test query was for a record called `8.8.8` in a TLD named `8`. This suggests to me that you need to spend a little more time learning the essentials before you start playing with root hints. :( – Andrew B Dec 05 '14 at 05:03
  • Did my usual thing: [How do I understand my CPU usage on a DNS server?](http://serverfault.com/q/649559/152073) – Andrew B Dec 05 '14 at 22:41
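The UDP in/out check that Andrew B's first comment suggests, as an added example (not code from the thread): it reads two snapshots of the kernel's `Udp:` counters from `/proc/net/snmp` (the same counters UDP-MIB exposes) and reports whether the resolver is sending far more datagrams than it receives. The snapshots and the 2.0 alert threshold are constructed assumptions for the example.

```python
"""UDP datagram in/out ratio check for a caching resolver.

A resolver answers each query it receives with one response and gets one
response back for each upstream query it sends, so InDatagrams and
OutDatagrams should grow at roughly the same rate (the 1:1 ratio the
comment refers to). Output growing much faster than input is the pattern
the comment associates with abuse.
"""

# Constructed sample snapshots of the 'Udp:' lines from /proc/net/snmp,
# assumed to be taken 60 seconds apart.
SNAPSHOT_T0 = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 1000000 120 0 1400000 0 0 0
"""
SNAPSHOT_T1 = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 1060000 125 0 1760000 0 0 0
"""

# Assumed alerting threshold: flag when output exceeds input by more than this factor.
RATIO_THRESHOLD = 2.0


def parse_udp_counters(snapshot: str) -> dict:
    """Pair the 'Udp:' header line with its value line into {name: int}."""
    lines = [ln for ln in snapshot.splitlines() if ln.startswith("Udp:")]
    if len(lines) != 2:
        raise ValueError("expected a Udp header line and a Udp value line")
    names = lines[0].split()[1:]
    values = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(names, values))


def udp_io_ratio(before: str, after: str) -> tuple:
    """Return (in_delta, out_delta, out/in ratio) between two snapshots."""
    b, a = parse_udp_counters(before), parse_udp_counters(after)
    in_delta = a["InDatagrams"] - b["InDatagrams"]
    out_delta = a["OutDatagrams"] - b["OutDatagrams"]
    ratio = out_delta / in_delta if in_delta else float("inf")
    return in_delta, out_delta, ratio


def udp_output_excessive(before: str, after: str, threshold=RATIO_THRESHOLD) -> bool:
    """True when the resolver emitted far more UDP than it received over the interval."""
    return udp_io_ratio(before, after)[2] > threshold
```

On a live resolver, feed two readings of `/proc/net/snmp` taken a minute apart in place of the constructed snapshots; a ratio near 1.0 means the load is at least plausibly legitimate traffic.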

2 Answers


Messing around with how your DNS servers find the root zone is a completely wrong approach to solving this problem. I can't imagine how it could possibly help. I can imagine how it could cause lots of things to break. The IP addresses of other resolvers than your own are not of importance to your setup. If you think you need to know the IP addresses of those resolvers, you are probably doing something wrong.

Instead what you need to do is to find out if you really have enough legitimate requests to overload your existing DNS servers. If the requests are not legitimate, you need to track down the source and eliminate it. If the requests are legitimate, you need more servers.

If you do need more DNS servers, you need to load balance among them. The simplest way to do that is to have your DHCP servers hand out different sets of IP addresses to different clients. Each client should get a list of three different DNS servers. If you have six DNS servers in total, you could decide they are grouped into two pools of three servers, half the clients get IP addresses in one pool, the other half of the clients get IP addresses in the other pool.

Another way to load balance among DNS servers is by using anycast, but that is more complicated, and doesn't seem to offer any advantage in the scenario you are describing.

kasperd
  • The root hints idea is coming from a misunderstanding about how DNS works. I think Mike is confusing the fact that DNS provides its own [Layer 7 load redundancy](http://en.wikipedia.org/wiki/OSI_model#Layer_7:_application_layer) (application level) with his desire to spread traffic out at [Layer 4](http://en.wikipedia.org/wiki/OSI_model#Layer_4:_transport_layer) (transport). – Andrew B Dec 05 '14 at 20:35
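The pool split kasperd describes, as an added example (not code from the thread or from any DHCP server): six constructed resolver addresses are grouped into two pools of three, a stable hash of the client's MAC picks the pool, and the chosen pool is encoded as DHCP option 6 (Domain Name Server), which is the option a DHCP server actually uses to hand clients their resolver list.

```python
"""Assign DHCP clients to resolver pools and encode the result as option 6."""
import hashlib
import ipaddress

# Constructed example resolvers, grouped into two pools of three as the answer suggests.
POOLS = (
    ("192.0.2.11", "192.0.2.12", "192.0.2.13"),
    ("192.0.2.21", "192.0.2.22", "192.0.2.23"),
)
DHCP_OPT_DNS = 6  # DHCP option code for Domain Name Server (RFC 2132)


def pool_for_client(mac: str, pools=POOLS) -> int:
    """Hash the MAC so a given client always lands in the same pool."""
    normalized = mac.lower().replace("-", ":").encode()
    return hashlib.sha256(normalized).digest()[0] % len(pools)


def encode_dns_option(servers) -> bytes:
    """Encode IPv4 resolvers as an option 6 TLV: code, length, 4 bytes per server."""
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return bytes([DHCP_OPT_DNS, len(payload)]) + payload


def decode_dns_option(opt: bytes) -> list:
    """Parse option 6 back into dotted-quad strings, rejecting malformed input."""
    if len(opt) < 2 or opt[0] != DHCP_OPT_DNS:
        raise ValueError("not a Domain Name Server option")
    length = opt[1]
    if length % 4 or len(opt) != 2 + length:
        raise ValueError("malformed option length")
    body = opt[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def dns_option_for_client(mac: str) -> bytes:
    """The option 6 bytes a DHCP server following the answer would give this client."""
    return encode_dns_option(POOLS[pool_for_client(mac)])


def pool_balance(macs) -> list:
    """Count how many of the given clients fall into each pool."""
    counts = [0] * len(POOLS)
    for mac in macs:
        counts[pool_for_client(mac)] += 1
    return counts
```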

While you could set up load balancing software to balance your caching name servers, the easiest way to do it is to simply add more name servers to the network and the clients' configuration. Almost every operating system will randomly choose a name server out of the list it's given by DHCP or its /etc/resolv.conf file, or whatever that particular OS uses to keep its DNS resolvers straight, so you can just give your clients a giant list and everything will, I think, sort itself out.

Some Linux Nerd