[dns-operations] PowerDns Recursive Daemon
bert hubert
bert.hubert at netherlabs.nl
Thu Aug 31 06:33:11 UTC 2006
Simon Lyall wrote:
> Anybody have much experience with the PowerDNS recursive Daemon?
Well, yes. It is currently the exclusive nameserver for around 40 million
paying internet users - that we know of. As often with open source, we don't
have an inclusive list of our users.
Some of the largest access providers of the US, Canada, The Netherlands,
France and Germany are among those using the PowerDNS recursor. This is not
to boast, but the perception exists that the Recursor is still an outside
product, whereas it is actually rather mainstream these days.
> Performance , reliability , commercial support etc?
> I'm thinking about using it on multi-CPU Solaris/Sparc machines handling a
> few thousand queries per second each as a possible replacement for bind9.
Several large shops are running the PowerDNS Recursor on such machines. In
general, the recursor thrives at higher loads, and actually seems to improve
its performance past the 2000qps mark - this makes some kind of sense
because higher qps mean fewer cache misses, as the TTLs remain the same.
Some graphs which show PowerDNS performance are on http://adsl-xs4all.ds9a.nl/rrd
Scripts to make these graphs come with the recursor.
The PowerDNS recursor, with tinydns/dnscache, implements some important
anti-spoofing tricks detailed in
http://www.ietf.org/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt :
This trick however requires opening up to lots of extra sockets, which in
turn requires Solaris 10 if you desire high performance, as listening to
many sockets using select(2) is not fast enough. It is worth it though -
many domains can otherwise be spoofed within hours.
We know from users that you can achieve over 3000qps on a single 750MHz
Ultrasparc-II, in production.
The PowerDNS Recursor is able to use two cpus to actually double its
performance, and sadly, memory use. We are currently, together with Sun and
one of our users, investigating some issues between Solaris 10 and PowerDNS
where after prolonged operations, the entire query load is assigned to a
single PowerDNS thread, with the other CPU no longer participating.
This may turn out to be a Solaris issue, but that is not yet certain. Sun
(Netherlands) has made a fully loaded T2000 available for our development,
which has allowed us to test scalability issues very well.
> The other option would probably be Nominum[1] caching server.
We hear rumours that its performance is stellar, especially on Solaris, and
we definitely want to get PowerDNS to be just as fast or faster. We know
about some inefficiencies hiding within the PowerDNS recursor that should
allow us to speed up the daemon by a factor of two.
However, inherently, we will remain at a handicap versus nameservers that do
not implement source port randomisation (which appears to include bind 8,
bind 9 and CNS). We like to think the added security makes up for that.
We offer commercial support with direct and private access to developers,
more information about this will appear soonish on our new homepage. Feel
free to contact pdns.bd at powerdns.com for more details.
As other people have said in this thread, it is not a bad idea to have some
diversity in your network. Our smartest customers run some of their servers
on other software, just in case. There have been (very broken) domains that
our recursor can't resolve, which BIND can, for example, and vice versa.
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
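The anti-spoofing point made in the message above (source port randomisation on top of a random transaction id), as an added example that is not code from PowerDNS or from the original post: a toy recursor that remembers each outstanding query by (source port, txid, qname) and only accepts a reply that matches all three, plus a blind spoofer that forges answers to the fixed port 53 for every possible txid, which is the attack that works against a resolver using a single fixed query socket. The port range 1024-65535, the attacker model and the packet rates are assumptions made for the simulation; real packet formats are not modelled.

```python
"""Toy simulation: why source-port randomisation raises the cost of blind spoofing.

Assumptions (not from the original post): the resolver draws source ports from
1024-65535 when randomising, uses port 53 otherwise, and the attacker has
triggered a lookup for a name of their choosing and forges replies blindly.
"""
import random
from dataclasses import dataclass, field

PORT_LOW, PORT_HIGH = 1024, 65535   # assumed ephemeral range for randomised ports
TXID_SPACE = 1 << 16                # the DNS transaction id is 16 bits


@dataclass(frozen=True)
class Reply:
    dst_port: int   # UDP port the (forged or genuine) reply is addressed to
    txid: int       # transaction id carried in the reply
    qname: str      # question section echoed back by the reply


@dataclass
class Resolver:
    """Tracks outstanding queries and only accepts replies that match on all keys."""
    randomise_port: bool
    rng: random.Random
    fixed_port: int = 53
    outstanding: dict = field(default_factory=dict)  # (port, txid) -> qname

    def send_query(self, qname: str):
        # With randomisation every query gets its own socket/port; otherwise all
        # queries leave from one well-known port, so the attacker knows it.
        port = self.rng.randint(PORT_LOW, PORT_HIGH) if self.randomise_port else self.fixed_port
        txid = self.rng.randrange(TXID_SPACE)
        self.outstanding[(port, txid)] = qname
        return port, txid

    def accept_reply(self, reply: Reply) -> bool:
        # Port, txid and question must all match an outstanding query; anything
        # else is dropped (this is the check that the extra sockets buy you).
        if self.outstanding.get((reply.dst_port, reply.txid)) != reply.qname:
            return False
        del self.outstanding[(reply.dst_port, reply.txid)]
        return True


def blind_spoof(resolver: Resolver, qname: str, assumed_port: int = 53):
    """Attacker forges a reply to assumed_port for every txid in turn.

    Returns how many forged packets were sent before one was accepted, or None
    if the resolver rejected all 65536 of them.
    """
    resolver.send_query(qname)
    for sent, txid in enumerate(range(TXID_SPACE), start=1):
        if resolver.accept_reply(Reply(assumed_port, txid, qname)):
            return sent
    return None


def search_space(randomise_port: bool) -> int:
    """Number of (port, txid) combinations a blind attacker has to cover."""
    ports = (PORT_HIGH - PORT_LOW + 1) if randomise_port else 1
    return ports * TXID_SPACE


def hours_to_half_space(randomise_port: bool, forged_pps: float) -> float:
    """Hours until the attacker has covered half the space at forged_pps packets/s."""
    return search_space(randomise_port) / 2 / forged_pps / 3600


def demo(randomise_port: bool, seed: int = 1):
    """Run one blind-spoofing attempt against a freshly seeded resolver."""
    resolver = Resolver(randomise_port, random.Random(seed))
    return blind_spoof(resolver, "www.example.com.")


if __name__ == "__main__":
    print("fixed port, packets until accepted:", demo(False))
    print("random port, packets until accepted:", demo(True))
    for randomise in (False, True):
        print("randomise=%s: space=%d, hours to cover half at 10k pps: %.2f"
              % (randomise, search_space(randomise), hours_to_half_space(randomise, 10_000)))
```

With the fixed port the forged reply is accepted as soon as the attacker reaches the right txid, at most 65536 packets later; with a randomised port the same flood never matches, because the attacker also has to guess which of roughly 64k ports the query left from, which is what turns "hours" into years at the same packet rate. In a real daemon every outstanding query holds its own socket during this window, which is the reason the message above points at needing an event mechanism faster than select(2) once thousands of queries are in flight.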