[BBLISA] Forgoing internal dns?

Neil Schelly neil at jenandneil.com
Wed May 29 07:43:58 EDT 2013


100M/month query volume seems high to me.  Quick math puts that at
40QPS average over the month.  It's possible that I just don't know
the scale of a university zone. Is that just a summary number
including recursive and authoritative queries in your network?
Without separating the two, you really don't have an idea what any
cloud provider is going to cost you in terms of service or bandwidth
on your upstream links.  You mentioned relying on adding caching
nameservers during network downtime, so that leads me to think you're
combining recursive and authoritative servers in one system.  That's
probably not a good idea.  If you send your authoritative traffic out
to a cloud provider, you'll still have to handle the recursive traffic
demands for the site, which must be considerable.  Running a number of
recursive-only nameservers though would definitely simplify your own
network management plenty.

Since you've got an Active Directory, you'll presumably have to at
least have that (or those) zones managed on site still. Perhaps
transferring off-site to some authoritative cloud provider as the
delegated nameservers that transfer zones from your AD master is in
order, since you won't eliminate that nameserver from your network
without some serious re-architecting.  That leads me to think that
Bill's suggestion of having an on-site authoritative server for
requests that originate inside the campus network may still make
sense.

None of these sound like something Route 53 is particularly
well-suited for, but I imagine any large-scale DNS provider can be
made to serve your needs.  As a disclaimer, I work for Dyn.  I'd be
happy to talk with you or brainstorm the problem with you a bit,
sharing what I can about some of the solutions I know other customers
have put in place.  I'm sure I could even put you in contact with a
salesperson who'd be chomping at the bit to talk to you, but I won't
subject you to that without permission. ;-)
-Neil

On Wed, May 29, 2013 at 1:51 AM, John Miller <johnmill at brandeis.edu> wrote:
> Hi everyone,
>
> I've been meaning to bring this up at the previous meetings, but haven't.
> Brandeis is looking to move all authoritative DNS out to a cloud provider
> (Route 53's currently the leading candidate).  We definitely should be doing
> this on some level--an external provider can give better latency and uptime
> than we could ever dream of providing ourselves.
>
> However, a problem arises: we still have tons of internal services--Active
> Directory, financial aid, management servers, print servers, file servers,
> (I could go on)--that live directly in our main domain.  The terms
> "external" and "internal" don't exactly apply in our case--everything's a
> bit of both.
>
> Without hosting some sort of authoritative services within our network, we'd
> have to rely on our caching nameservers to answer queries during network
> downtime.  Do you know of anyone who's attempted this on such a large scale
> ("my home Comcast connection" isn't exactly what I had in mind)?
>
> It seems to me that the cost of major failure would outweigh any small
> amount of time I'd spend setting up some local authoritative DNS servers.
> Also worth noting would be that our current ~100M/month query volume would
> severely restrict us, cost-wise, in choosing a cloud DNS provider.
>
> Thoughts?  Anyone think this is possible?  Clearly I have serious doubts, or
> I wouldn't still be chewing on this at nearly 2 am.
>
> John
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnmill at brandeis.edu
>
>
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa

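One way to get the recursive-versus-authoritative split Neil is asking about, as an added example that is not code from either poster: it classifies BIND 9 "queries" log lines by whether the name sits in a zone you are authoritative for and whether the client is on campus. The zone list, campus prefixes and log lines are all constructed for the example.

```python
"""Split a BIND 9 query log into: names in zones we serve (the part a cloud
provider could take), recursion for campus clients (stays local either way),
and off-campus clients resolving foreign names (an open resolver to close)."""
import ipaddress
import re

# Assumed for the example: our authoritative zones and the "on campus" prefixes.
AUTH_ZONES = ("example.edu.",)
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# BIND 9 "queries" category line; newer versions insert a "@0x..." client pointer.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])"
)
CATEGORIES = ("authoritative", "recursive", "open-resolver", "unparsed")

def in_auth_zone(name):
    """True if name is at or below one of AUTH_ZONES (case-insensitive)."""
    n = name.rstrip(".").lower() + "."
    return any(n == z or n.endswith("." + z) for z in AUTH_ZONES)

def classify(line):
    """Category for one log line, or None if it is not a query line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    on_campus = any(ipaddress.ip_address(m["ip"]) in net for net in CAMPUS_NETS)
    if in_auth_zone(m["name"]):
        return "authoritative"   # our own data, answered whether or not RD is set
    if on_campus:
        return "recursive"       # campus clients resolving the outside world
    return "open-resolver"       # outsiders using us to resolve names we don't own

def summarize(lines):
    """Count lines per category; the ratio shows what share could move off-site."""
    counts = dict.fromkeys(CATEGORIES, 0)
    for line in lines:
        counts[classify(line) or "unparsed"] += 1
    return counts

# Constructed sample: 10/8 and 192.0.2/24 are campus, 203.0.113/24 is outside.
SAMPLE_LOG = """\
29-May-2013 01:51:00.001 client 10.20.30.40#51000 (ad.example.edu): query: ad.example.edu IN A +E (10.0.0.53)
29-May-2013 01:51:00.002 client 10.20.30.41#51001 (www.google.com): query: www.google.com IN A + (10.0.0.53)
29-May-2013 01:51:00.003 client 203.0.113.9#40000 (www.example.edu): query: www.example.edu IN AAAA -E (192.0.2.53)
29-May-2013 01:51:00.004 client 203.0.113.10#40001 (example.org): query: example.org IN MX + (192.0.2.53)
29-May-2013 01:51:00.005 client @0x7f1c0c0a5d20 10.20.30.42#51002 (_ldap._tcp.example.edu): query: _ldap._tcp.example.edu IN SRV +E (10.0.0.53)
29-May-2013 01:51:00.006 zone example.edu/IN: sending notifies (serial 2013052901)
"""
```

Run `summarize(...)` over a real month of logs and the "authoritative" count is the only part of the ~100M/month figure a provider would actually bill for; a non-zero "open-resolver" count is a misconfiguration to fix regardless of where authoritative DNS ends up.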