nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Recommended DNS server for a medium 20-30k users isp

From: Saku Ytti via NANOG <nanog () lists nanog org>
Date: Sat, 9 Aug 2025 18:40:31 +0300
On Sat, 9 Aug 2025 at 15:42, Måns Nilsson via NANOG
<nanog () lists nanog org> wrote:


I suppose you bring the beer then, because it's going to take both to
endure the cringefest that is "cascading resource exhaustion in DNS /
firewall setup" -- it can pretty fast end up snowballing completely out
of hand. Don't ask me how I know without picking up the bar tab.


I can share lessons from personal mistakes.

a) FW is always additional fuse in front of service, failure modes are
union of FW and Service, so MTBF is lower and MTTR is higher
    - state establishment rate is reduced
    - state count is reduced
    - either FW has protocol intelligence and occasionally as
protocols evolve or more exotic use cases exist drops valid protocol
packets or protocol unintelligent and doesn't add anything to
stateless HW based filter on edge router
    - any service protected by FW is easier to DoS than same service without FW

b) Even if FW is ran (like in front of corporate LAN which doesn't
have to deal with denial of service issues and regulator or PCI or
equivalent may require FW) valid configurations in my mind are
    - if 2 == cluster, 1 == single and + == routing separation
    - 1, 1+1, 2+1 are valid configurations
    - 2 and 2+2 are invalid configurations
    - every time i've ran '2', eventually there has been case where
cluster is dead and MTTR is high as vendor needs to be engaged and
depending on hour the people at vendor who actually can troubleshoot
the issue are not at work (used to be US hours, now increasingly
experts are in India time)
    - So if you can only afford 2 devices, have two devices separated
by routing, you'll lose state during failure, but you have less
failures, even if you can afford 4 devices, don't buy two clusters,
since the problem that breaks cluster may affect both clusters


Generally FW is needed if what is behind FW has dubious and únknown
state (like user LAN). But if what is behind FW is well thought out
DNS or HTTP service FW adds no utility and a lot of liability.

-- 
  ++ytti
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/DZZOX5JWSLEGYIO45G5HUUYXT5RXHRD2/
Previous By Date Next
Previous By Thread Next

Current thread: