[BBLISA] Forgoing internal dns?

Bill Bogstad bogstad at pobox.com
Wed May 29 02:48:43 EDT 2013


On Wed, May 29, 2013 at 1:51 AM, John Miller <johnmill at brandeis.edu> wrote:
> Hi everyone,
>
> I've been meaning to bring this up at the previous meetings, but haven't.
> Brandeis is looking to move all authoritative DNS out to a cloud provider
> (Route 53's currently the leading candidate).  We definitely should be doing
> this on some level--an external provider can give better latency and uptime
> than we could ever dream of providing ourselves.
>
> However, a problem arises: we still have tons of internal services--Active
> Directory, financial aid, management servers, print servers, file servers,
> (I could go on)--that live directly in our main domain.  The terms
> "external" and "internal" don't exactly apply in our case--everything's a
> bit of both.
>
> Without hosting some sort of authoritative services within our network, we'd
> have to rely on our caching nameservers to answer queries during network
> downtime.  Do you know of anyone who's attempted this on such a large scale
> ("my home Comcast connection" isn't exactly what I had in mind)?
>
> It seems to me that the cost of major failure would outweigh any small
> amount of time I'd spend setting up some local authoritative DNS servers.
> Also worth noting would be that our current ~100M/month query volume would
> severely restrict us, cost-wise, in choosing a cloud DNS provider.
>
> Thoughts?  Anyone think this is possible?  Clearly I have serious doubts, or
> I wouldn't still be chewing on this at nearly 2 am.

I'm not exactly sure what your situation is or what you are trying to
accomplish; but even given that, this strikes me as a bad idea.  Some
thoughts:

1. Are those 100M/month queries coming from local or remote clients?
If they are mostly local, do you really want to push that traffic over
your WAN rather than your on-campus LAN?  If only for latency, if not
bandwidth, concerns.  (Based on the size of the entry returned for
www.brandeis.edu, I calculate around 500 Mbytes a day, which probably
isn't a big deal; but you should check my figures.)

2. What's your churn on DNS entries?  A quick look makes me think
that Amazon's Route 53 is designed for high traffic on a moderate
number of entries, not the 1000s? of entries you might have for all of
the devices on campus.  How easy is it going to be to integrate
whatever you use on campus to create entries, so that it can feed
those entries to Amazon?

3. You already mentioned concerns about caching nameservers when your
WAN link is down.  I agree with this concern.

4. Have you analyzed your DNS traffic to see if changing your TTLs
could reduce the number of requests to a more manageable level?

5. Have you thought about doing a "hidden master" or "hidden
secondary" DNS setup, i.e., requests from off campus would go to a DNS
provider, while on-campus machines would talk to the local servers.

Good Luck,
Bill Bogstad
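The two quantitative questions in the reply above (how much WAN traffic the queries would generate, and how far a TTL change could cut the upstream query count) can be checked against a resolver's own query log. The following Python script is an added example written for this page; it is not code from either poster or from Brandeis. It parses BIND-style query log lines, replays them through a minimal TTL-based cache to count how many queries would have to leave campus at a given TTL, and estimates bytes per day from a query volume and an assumed average response size. The log lines are constructed for illustration, and the 150-byte response size used in the usage call is an assumption, not a measured value for www.brandeis.edu.

```python
"""Replay BIND-style query logs through a toy cache to see how TTL changes
the number of upstream (off-campus) queries, and estimate WAN bytes/day.

Added example for the thread above; the log sample is constructed."""
import re
from datetime import datetime

# Constructed sample of BIND query-log lines (not real campus traffic).
SAMPLE_LOG = """\
29-May-2013 01:50:01.000 client 10.1.2.3#5353: query: www.brandeis.edu IN A +
29-May-2013 01:50:02.000 client 10.1.2.4#5353: query: www.brandeis.edu IN A +
29-May-2013 01:50:20.000 client 10.1.2.5#5353: query: www.brandeis.edu IN A +
29-May-2013 01:55:00.000 client 10.1.2.3#5353: query: www.brandeis.edu IN A +
29-May-2013 01:55:01.000 client 10.1.2.6#5353: query: ad.brandeis.edu IN A +
29-May-2013 02:00:00.000 client 10.1.2.3#5353: query: www.brandeis.edu IN AAAA +
29-May-2013 02:10:00.000 client 10.1.2.7#5353: query: ad.brandeis.edu IN A +
29-May-2013 02:30:00.000 client 10.1.2.3#5353: query: www.brandeis.edu IN A +
"""

# BIND 9 "query:" log format: date time client ip#port: query: name class type flags
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>\S+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def parse_log(text):
    """Return a time-sorted list of (epoch_seconds, qname, qtype) tuples.

    Lines that do not match the query-log pattern are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts.timestamp(), m["name"].lower().rstrip("."), m["type"]))
    records.sort(key=lambda r: r[0])
    return records


def upstream_queries(records, ttl):
    """Count queries a caching resolver would send upstream if every answer
    carried the given TTL (seconds): one fetch per (name, type) per TTL window,
    everything else is a cache hit."""
    expires = {}  # (name, type) -> epoch time at which the cached answer expires
    upstream = 0
    for t, name, qtype in records:
        key = (name, qtype)
        if key not in expires or t >= expires[key]:
            upstream += 1
            expires[key] = t + ttl
    return upstream


def ttl_sweep(records, ttls):
    """Upstream query count for each candidate TTL, as {ttl: count}."""
    return {ttl: upstream_queries(records, ttl) for ttl in ttls}


def wan_bytes_per_day(queries_per_month, avg_response_bytes, days_per_month=30):
    """Rough WAN volume if every query were answered from off campus.

    avg_response_bytes is whatever your own measurement of the typical
    response size is; the value used below is an assumption."""
    return queries_per_month * avg_response_bytes / days_per_month


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} queries in sample")
    for ttl, n in ttl_sweep(recs, [60, 600, 3600]).items():
        print(f"TTL {ttl:>5}s -> {n} upstream queries")
    # 100M queries/month at an assumed 150-byte average response.
    print(f"{wan_bytes_per_day(100_000_000, 150) / 1e6:.0f} MB/day")
```

Run it against a real `named` query log (enable the `queries` category in `logging {}`) rather than the constructed sample to get numbers for your own campus; the sweep shows directly which records dominate the upstream count and how much a longer TTL on them buys before you commit to a per-query billing model.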
