[Nottingham] MySQL backed nameserver

Graeme Fowler graeme at graemef.net
Fri Nov 3 09:59:49 GMT 2006 

On 02/11/2006 23:14, Tom Bird wrote:
> Well, the idea behind bind-dlz is a good one, and should be introduced 
> into the main BIND release IMO, however I do feel that backing it with 
> SQL databases is just pure folly.  I recently was the happy recipient of 
> a DNS attack of some kind, I still am not sure exactly why it happened 
> but I was seeing upwards of 10Mbit/s of DNS traffic at times on my two 
> hosted resolvers, thousands of queries a second (imagine the size of a 
> query packet and you get some idea).  BIND running as it does served the 
> queries and shrugged it off with a few percent of CPU used.

...because everything is in RAM. Nice and low-impact.

> Now imagine each query hits a full fat database rather than the quick 
> and cheap DB, optimised for serving DNS internal to BIND.  Plop, there 
> go my services.

Aha! There's a number of tricks to fix this, the first of which I would 
do (nowadays):

1. Frontline "authoritative" (from a client perspective) servers run a 
caching, forwarding-only service bound to the service IP addresses.

2. The forwarders for those could be local (bound to localhost or a 
private IP address) or on a separate machine. Either way, only the 
forwarder - which really is the authoritative server - has access to the 
DB, which could again be local or on a separate machine.

3. The DB instances being queried by the forwarders must support query 
caching, and must be slaves of another DB server (or more than one)

4. That (those) DB server(s) should NOT BE THE MASTER.

5. The master DB(s) should be on an entirely hardened, private box which 
then replicates forwards to the various slaves.

What this gives you is a number of buffers against various type of 
problem. Starting at the back:

  = Doing a database backup can be done on the intermediate DB server(s) 
instead of the master; as (with MySQL at least) a complete dump locks 
the tables and would prevent any management interface from successfully 
doing and INSERT or UPDATE operations until it unblocked.

  = You can replicate in real time, or start/stop either the slave or 
the master link in some way such that corruption to the master isn't 
automagically propagated to every other machine.

  = The frontend servers' BIND (or otherwise) instances will cache 
positive and negative responses from the forwarders and will therefore 
not send as many queries to the DB.

  = The DB instances being queried by the forwarders will cache queries 
(positive and negative) and will return results from RAM rather than disk.

  = Having a timed replication means that the tables don't change in 
real time, so the query cache will remain until a replication takes 
place. With realtime replication of a fluid DB with many INSERT, UPDATE 
or DELETE operations taking place will destroy the query cache very 
quickly and reduce its' efficiency.

Taken together, for a large system the steps above *should* result in a 
nice, robust system. They might not mind you, I haven't touched that 
code in several months. Someone else is sort-of responsible for it until 
next Thursday, and then, well, who knows!

Graeme

More information about the Nottingham mailing list