Saturday, January 29, 2011

Lightweight Linux DNS

Hi.

Can anyone recommend a lightweight Linux DNS server, which would be suitable for the data center?

EDIT: We are talking about a data center of typically 10 - 20 servers, up to 100 at maximum. For larger amounts it makes sense to use BIND indeed.

I'm looking for something more lightweight than BIND (if anything like this exists).

If it's included in the common YUM repos, all the better.

Thanks.

  • Have a look at DJB's DNS (djbdns and tinydns) from http://cr.yp.to/djbdns.html? It's even possible to use BIND's zone files.

    Matt Simmons : As much as I hate it, tinydns and dnscache are more lightweight than bind, although they do require daemontools and sacrificing a goat to DJB
    pfo : Totally agree with you, DJB is kinda strange (mathematician) but his software is very carefully written and designed.
    chris : If one of the goals is "easy to install using yum" that may not be a slam-dunk with tinydns because of the historical ire towards DJB and his "don't distribute my binaries" license. That's history now, but there still don't seem to be many binary packages of qmail/daemontools/tinydns. Also, if the goal is a "don't have to think about it" recursor, dnscache isn't ideal because it has issues with really long cname chains.
    womble : @chris: Debian has awesome packages for tinydns/daemontools.
    womble : @Matt: You don't have to run djbdns or dnscache under daemontools, although I'm not sure why you wouldn't. It is an awesome way to run daemons.
    chris : @womble -- Isn't yum a redhatism? I'm glad to hear that djbdns has gotten easier to install (it was always easy, if you know how to type "make" but still). And, of course, as a recursor, there is still the cname issue if it isn't patched in the binary package you're installing. Not that it is a huge issue, but it is a pain.
    Matt Simmons : I haven't used it in the past..uhh..3 years...Does it still require patches to compile to work around the "gnu make bug"?
    From pfo
  • IMHO the "weight" of DNS service is not the software itself, but the traffic it handles and the work it has to do in order to resolve an address. You can deploy multiple DNS servers in your data centre in order to minimize load and reduce the possible single point of failure. But keep in mind that a low-performance DNS could lower the performance of other services.

    womble : I take it you've never compared the resource usage of a several-hundred-thousand-zone bind server with a several-hundred-thousand-zone djbdns server?
    John Gardeniers : I haven't, nor am I ever likely to, but I am curious about the results. Any published figures you can point us to?
    From lrosa
  • dnsmasq may be a good option. It can do both DNS and DHCP. It just uses the hosts file and has a simple configuration. And it should be in the default repositories for your distribution.

    Edit: Let me clarify my answer since it's getting some down votes and comments. The question isn't clear as to the entire use case and scale. So while you may not agree, dnsmasq is a completely valid solution under the right circumstances. The OP is going to have to figure out what fits their particular case since their question was a bit lacking in details.

    I would only recommend this as a viable solution if it's for the internal DNS resolution on the data center private LAN segment, assuming that we aren't talking about hundreds of servers. If you're looking to run your own public DNS then you had better be prepared to run a grown-up DNS solution in at least 2 geographically diverse datacenters.

    womble : "For the datacentre"... really?
    3dinfluence : Well in certain use cases I would say yes, why not. If it's your primary or secondary public DNS server then hell no. But if it's just so that the servers in the data center can resolve each other's IP address on the local subnet, then assuming we aren't talking hundreds of servers I think it's a viable option. The question isn't super clear on the entire use or scale.
    : "But if it's just so that the servers in the data center can resolve each other's ip address on the local subnet" This is exactly what I wanted to say - I just clarified the question a bit. In summary, dnsmasq can provide me with such functionality? I do see it's mostly a forwarder solution, so how do the DNS entries get managed? Is there any web front-end for this? Also, can 2+ dnsmasq servers reference each other as the master, and support zone sync, for an HA environment? Thanks again.
    3dinfluence : Dnsmasq is just like Bind in that it will forward and cache DNS requests for zones where it's not the authoritative DNS server. With dnsmasq there are no zone files; you just add the entries to the server's hosts file. However if you're looking for something with HA then you'll likely need a more robust DNS solution. Personally I use Bind in all but the simple small networks or where any more advanced features are needed. You can have a primary and secondary DNS server defined, each running dnsmasq, but you'd have to keep the hosts files in sync yourself somehow.
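    The setup described in this answer, dnsmasq serving a private domain from a hosts-format file on the internal LAN segment only, as an added configuration example (not from the answer's author or the dnsmasq project). The interface name eth1, the upstream resolver 192.0.2.53, the domain datacenter1.local and the hosts file path are placeholders.

```conf
# /etc/dnsmasq.conf (constructed example)
# eth1, 192.0.2.53 and datacenter1.local are placeholders for the internal
# interface, an upstream recursive resolver and the private domain.

# Serve the private LAN segment only: bind to the internal interface and
# never to the public one, so this is not reachable as an open resolver.
interface=eth1
bind-interfaces

# Don't read /etc/resolv.conf; forward everything that is not local to a
# fixed upstream resolver.
no-resolv
server=192.0.2.53

# Never forward single-label names (e.g. "db01") or reverse lookups for
# private address space to the upstream; answer them locally or return
# NXDOMAIN instead.
domain-needed
bogus-priv

# Names in the hosts file below get this domain appended, so "db01"
# also resolves as db01.datacenter1.local.
domain=datacenter1.local
expand-hosts

# Answer datacenter1.local only from local data; never forward it upstream.
local=/datacenter1.local/

# The "zone" is a plain hosts-format file rather than /etc/hosts itself
# (no-hosts makes dnsmasq ignore /etc/hosts). Lines look like:
#   10.0.0.11  db01
#   10.0.0.12  web01 web01.datacenter1.local
# There is no zone transfer: keep this file identical on both dnsmasq
# servers yourself (for example with rsync) and restart or SIGHUP dnsmasq.
no-hosts
addn-hosts=/etc/dnsmasq.d/hosts.datacenter1

# Cache size for forwarded answers.
cache-size=1000
```

    With this file a second dnsmasq host gets the same configuration and the same hosts file; the only "sync" is the file copy, which is the limitation the comments above point out.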
  • I use nsd for authoritative name servers I admin. Keep in mind that all nsd does is act as an authoritative name server, so I use "unbound" (from the same developers) internally for the recursive queries from the servers themselves.

    For a (somewhat meaningless) reference, one primary name server, serving a half-dozen zones with maybe 20 records each, has a resident memory footprint of about 1.1MB.

    I have found nsd to be very stable. The only issue is zone transfers between servers can be tricky, certainly not as plug-and-play as between 2 BIND servers. I ended up using an rsync script to update/rebuild/reload my secondary name server's records.

    Another option I've tried is MaraDNS, which is a good performer, but not much lighter than BIND.

    : So just to understand: * you use NSD for maintaining and providing DNS records * you use unbound as a "proxy" between DNS servers and clients. Unbound is located on the same machine as NSD. You have an active-passive DNS structure, where your passive servers get the zone update from the master server via rsync. And it all only takes 1.1 MB of RAM. Is this correct?
    Geoff Fritz : NSD runs on our public (hosted) name servers, the ones that provide the internet with *our* host names. Unbound runs both on other hosted public servers to cache recursive queries, as well as running on an internal server to handle queries of office PCs. As they both bind to port 53, you can't run them on the same machine unless it has multiple interfaces (or multiple IP aliases). Unbound, since it caches queries, takes up a lot more memory, though it is tunable. For example, on one server, Unbound is taking about 72MB in resident memory, but it caches lookups for the mail server.
  • What sort of DNS do you need? Do you need a recursive resolver for clients in the datacenter? An authoritative server for some domains you're hosting? Do you want to remove a dependency (external recursive DNS lookups) from your own servers?

    The short answer (and this is something of a religious issue, so take it with a lump of salt):

    • run recursive resolvers on each server's localhost, each server uses itself for recursive DNS. PowerDNS makes a resolver that works on windows and unix; DJB's dnscache, part of the tinydns package, is also 100% bullet proof but you may need to adjust it so it can follow really long cname chains (akamai, I'm looking at you).

    • run a separate DNS server for addresses you own. Again, PowerDNS is a choice, used by Wikipedia. It's got all sorts of nice back-ends from bind zone files to postgresql databases. Tinydns is great as well, though a little bit odd if you're coming from bind land. Run these DNS servers on your "non-localhost" interfaces, and publish those addresses with your registrar. Be master of your own domain!

    • if you're providing recursive service to other hosts in the data center, run dnscache or pdns-recursor on a machine that isn't otherwise providing DNS services, and set the ACLs for the resolver to only service requests from inside the data center. Random hosts on the internet can conduct wacky cache poisoning attacks against DNS servers, so they shouldn't be trusted if you've got a choice.

    PowerDNS is likely easiest to install from a package; in the distant past, DJB was extra super paranoid about third parties messing up his babies so he had weird license restrictions on binary distributions; these have since been removed but the ill feelings towards the DJB suite of DNS utilities remains.

    : I'm looking to maintain host-names for a small number of data centers (up to 100 per data-center), and looking for a solution that is as lightweight and uses as few resources as possible. Another requirement is for the solution to be HA, meaning the DNS servers will sync the data between themselves. And last (preferred but not a must), is to have some simple web front-end for the whole thing.
    chris : Are these DNS names that are to be published for the global IPv4 network, or are you offering split-horizon DNS, or are you offering DNS for a "private" domain such as datacenter1.local?
    : Private domain - with .local names.
    From chris
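The NSD-plus-Unbound split from Geoff Fritz's answer and the ACL advice in this one (a recursive resolver that only serves the data center and is never an open resolver) combined into one added Unbound configuration. This is example configuration written for this page, not either author's or the NLnet Labs projects' own; 10.0.0.1 (this host's internal address), 10.0.0.2 (the address NSD listens on, a second interface or IP alias because both daemons want port 53), 10.0.0.0/8 and datacenter1.local are placeholders.

```conf
# /etc/unbound/unbound.conf (constructed example)
# 10.0.0.1 is this host's data-center-facing address, 10.0.0.2 is where the
# authoritative NSD instance listens, 10.0.0.0/8 is the private LAN.
server:
    verbosity: 1
    use-syslog: yes

    # Listen on loopback (this host's own lookups) and the internal address
    # only; nothing is bound on the public interface.
    interface: 127.0.0.1
    interface: 10.0.0.1
    port: 53

    # The ACL: answer recursive queries from the data-center network only.
    # The final catch-all refuses everyone else, so random hosts on the
    # internet cannot use this resolver at all.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Don't advertise software version or server identity.
    hide-identity: yes
    hide-version: yes

    # The private zone is not DNSSEC-signed and its answers contain RFC1918
    # addresses, which Unbound would otherwise strip from upstream answers as
    # rebinding protection; private-domain exempts this zone from that.
    domain-insecure: "datacenter1.local"
    private-address: 10.0.0.0/8
    private-domain: "datacenter1.local"

    # Unbound refuses reverse lookups for 10/8 by default; re-enable them so
    # the stub-zone below can fetch PTR records from NSD.
    local-zone: "10.in-addr.arpa." nodefault

# Send the private forward and reverse zones to the authoritative NSD
# instance instead of asking the public root servers for a name that does
# not exist there.
stub-zone:
    name: "datacenter1.local"
    stub-addr: 10.0.0.2

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 10.0.0.2
```

Servers in the data center point resolv.conf at 10.0.0.1 (or, per this answer's first bullet, at a local Unbound on each host configured the same way); NSD itself never answers recursive queries, which is why the ACL lives on the Unbound side.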
