[AusNOG] ISP DNS Options

Chris lists at shthead.com
Tue May 3 13:26:48 EST 2016


On 03/05/2016 11:17 AM, Tony Wicks wrote:

> Personally, I’d recommend sticking with bind, but load balance a 
> couple of VMs behind a couple of pairs of entry level (say 100D, VM01 
> or larger) Fortigate pairs (built in basic but perfectly adequate load 
> balancing/health checking). That way you can easily and cheaply scale, 
> grow and maintain as needed. This works well.
>

My go-to setup for caching DNS is:

PowerDNS or Unbound (I prefer PowerDNS as I make extensive use of it for 
authoritative DNS and make use of some of its features that Unbound/Bind 
do not have); this setup will work fine with any resolver.
Each DNS server has ExaBGP installed, BGP peering with the core router. BGP 
sessions have multipath enabled.
ExaBGP is configured to use a health check script, and all DNS servers 
advertise the same prefixes to the router.

The router takes care of spreading the load across the DNS servers 
(equal cost multipath), BGP ensures that traffic is only hitting servers 
that are being advertised as up, ExaBGP takes care of health checks to 
make sure the DNS service is working as expected.

I use the same IPs for DNS from all data centers, which are advertised 
to each other over IPsec tunnels so that, worst case, if all of the DNS is 
offline for one data center it will be routed to the others.

I prefer doing it like this as there is no extra cost 
(licensing/hardware/support) for load balancers and one less failure 
point to worry about.

I wrote a script for health checking with ExaBGP which I recently stuck 
on GitHub: https://github.com/shthead/exabgp-healthcheck. There is a 
python health check script that comes with ExaBGP, but at the time there 
was none available; I made this script to do exactly what I wanted.
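The ExaBGP health-check loop described in the post, as an added example that is not the shthead/exabgp-healthcheck script or any code from the thread: ExaBGP starts it as an API process and reads announce/withdraw commands from its stdout, and the anycast prefix, probe name and local resolver address are assumed placeholders.

```python
"""ExaBGP health-check process for an anycast caching resolver (added example).
A real DNS query to the local resolver decides whether the service prefix is
announced or withdrawn, so the router's ECMP only sends queries to working nodes."""
import socket
import struct
import sys
import time
SERVICE_PREFIX = "192.0.2.53/32"   # constructed anycast resolver prefix, not from the post
PROBE_NAME = "example.com"         # name the local resolver must be able to answer
LOCAL_RESOLVER = ("127.0.0.1", 53)  # assumed: the resolver listens on localhost
def build_query(name, txid=0x1234):
    """DNS A query with the RD bit set, RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
def response_is_healthy(resp, txid=0x1234):
    """Reply must carry our txid, QR=1, RCODE NOERROR and at least one answer."""
    if len(resp) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0 and ancount > 0
def probe(addr=LOCAL_RESOLVER, timeout=2.0):
    """One UDP query to the local resolver; timeouts and socket errors count as down."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(PROBE_NAME), addr)
            data, _ = s.recvfrom(512)
        return response_is_healthy(data)
    except OSError:
        return False
def bgp_command(healthy, prefix=SERVICE_PREFIX):
    """ExaBGP API text command matching the resolver's state."""
    return ("announce" if healthy else "withdraw") + f" route {prefix} next-hop self"
def main():
    state = None
    while True:  # report only on transitions; ExaBGP keeps the last announced state
        healthy = probe()
        if healthy != state:
            sys.stdout.write(bgp_command(healthy) + "\n")
            sys.stdout.flush()
            state = healthy
        time.sleep(5)
if __name__ == "__main__":
    main()
```

Wire it in through an ExaBGP `process` block whose `run` line starts this script and attach that process to the neighbour's `api` section; the withdraw on failure is what keeps a dead resolver out of the router's ECMP set.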