At present, many Russian providers pay very little attention to their DNS servers, even though DNS is one of the most important components of an Internet access service. This text is addressed to the engineers who run telematics and infrastructure services, and to their managers.
Following the rules listed below will help you minimize user complaints about your DNS:
Never run stateful (connection-tracking) firewalls on DNS servers. iptables and similar firewalls significantly reduce the performance of a busy DNS server. If traffic must be filtered for organizational reasons, do it with ordinary stateless filters on network equipment, for example with plain ACLs on Cisco hardware routers from the 7600 (6500) series upward, which are built on ASICs and FPGAs. If a host firewall cannot be avoided, at least exclude port 53 traffic from connection tracking (on Linux, NOTRACK rules in the iptables raw table) so that every query does not create and later expire a connection-tracking entry.
Keep the cache size at or below 512 MB. Larger values do not noticeably improve the cache hit rate, but they increase the demands on memory bandwidth and reduce the effectiveness of the CPU caches. With a 512 MB cache, the server should have at least 2048 MB of RAM in total.
The average load on the DNS server's CPU should not exceed 30%. Following this rule makes it much easier to survive DDoS attacks and virus outbreaks.
Always configure caching DNS servers so that only your own clients can use them; never leave them open to the whole Internet. An open resolver can be used in DNS amplification attacks, creates uncontrolled load, and increases an attacker's chances of poisoning your cache.
Always separate authoritative and caching (recursive) DNS servers. This applies to organizations of any size.
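The two rules above, expressed as BIND 9 named.conf fragments. This is an added example, not configuration from the original article; the network ranges, zone name and secondary address are placeholders, and the three fragments are meant for three different servers (one bad, two good), not one file.

```conf
// --- BAD: one server that is both authoritative and an open resolver ---
// (placeholder zone; this is the configuration the article warns against)
options {
    recursion yes;              // recursion offered to anyone who asks
    allow-query { any; };       // no client restriction at all
};
zone "example.net" { type master; file "example.net.zone"; };

// --- Caching resolver: recursion and cache access for your clients only ---
acl "clients" { 192.0.2.0/24; 2001:db8::/32; 127.0.0.1; ::1; };  // placeholder ranges
options {
    recursion yes;
    allow-query       { clients; };   // refuse everything else with REFUSED
    allow-query-cache { clients; };   // outsiders cannot read cached data either
    allow-recursion   { clients; };
};

// --- Authoritative server: serves your zones to everyone, never recurses ---
options {
    recursion no;                     // no cache, nothing to amplify or poison
    allow-query    { any; };
    allow-transfer { 198.51.100.2; }; // placeholder: your secondary only
};
zone "example.net" { type master; file "example.net.zone"; };
```

To check the resolver, send it a recursive query for a name outside your zones from an address that is not in the `clients` ACL: the expected answer is REFUSED, not a cached record.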
It is preferable to run DNS servers on hardware dedicated to them. For caching DNS servers the most important parameter is CPU performance; for authoritative DNS servers, memory bandwidth matters somewhat more. At low loads DNS servers may run on virtualization platforms, but in that case they must be guaranteed their CPU, memory and network resources.
Use processors with the highest clock frequency available. One powerful dual- or quad-core processor is better than two weaker ones, because the DNS software in use does not scale well across many cores. For the same reason, prefer the single-threaded build of the DNS software where one is offered.
Use 64-bit operating systems on modern hardware. New systems should be built on x86-64 servers; systems built on SPARC processors are far less suitable for DNS server tasks.
Use Gigabit network interfaces on DNS servers so that the network does not become the bottleneck.
If the load needs to be spread across several DNS servers, do it with IP anycast or with load balancers that have session-state tracking disabled.
Use proven solutions. Test new versions before putting them into production. Make one change at a time, no more; for example, when upgrading the software version, upgrade only one of the servers first.
Do not get carried away with tuning the operating system's network stack. As a rule, all modern UNIX and UNIX-like systems ship with adequate settings. If operational problems appear, diagnose them as deeply as possible before torturing the operating system with huge buffers and the like.
Before deploying DNSSEC, thoroughly test both the software and the load it puts on the hardware. Beyond that, think the operational procedures around DNSSEC through carefully: a mistake such as an expired signature or a key rolled without updating the DS record may be invisible to you yet fatal, because validating caching DNS servers will reject records from your zones as incorrectly signed.
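A concrete check for the "invisible but fatal" case above: signatures that have expired or are about to. This is an added example, not code from the original article. It parses RRSIG records in presentation format (what `dig +dnssec` or a signed zone file prints on one line per record) and reports signatures that are expired, expire within a threshold, or are not yet valid. The sample records below are constructed; the zone name, key tag and signature data are placeholders.

```python
"""Flag RRSIG validity-window problems before validating resolvers do it for you."""
from datetime import datetime, timedelta, timezone

# Constructed sample input in the one-line presentation format used by dig/zone files:
# owner TTL IN RRSIG <type-covered> <alg> <labels> <orig-ttl> <expiration> <inception> <keytag> <signer> <sig>
SAMPLE = """\
example.net.     3600 IN RRSIG SOA 13 2 3600 20240601000000 20240502000000 12345 example.net. AbCd==
example.net.     3600 IN RRSIG NS  13 2 3600 20240508000000 20240408000000 12345 example.net. AbCd==
www.example.net.  300 IN RRSIG A   13 3  300 20240701000000 20240520000000 12345 example.net. AbCd==
example.net.     3600 IN A 192.0.2.10
"""


def _parse_ts(s):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return a dict per RRSIG line; non-RRSIG lines and short lines are skipped."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0], "covers": f[4], "alg": int(f[5]),
            "expiration": _parse_ts(f[8]), "inception": _parse_ts(f[9]),
            "keytag": int(f[10]), "signer": f[11],
        })
    return sigs


def check_rrsigs(text, now=None, min_days=7):
    """Return (owner, type, problem) tuples for signatures a validator would reject
    now or soon. `now` is a YYYYMMDDHHMMSS string, or None for the current time."""
    now = datetime.now(timezone.utc) if now is None else _parse_ts(now)
    problems = []
    for sig in parse_rrsigs(text):
        key = (sig["owner"], sig["covers"])
        if sig["expiration"] <= now:
            problems.append(key + ("expired",))
        elif sig["expiration"] - now < timedelta(days=min_days):
            problems.append(key + (f"expires in {(sig['expiration'] - now).days}d",))
        if sig["inception"] > now:          # published before it is valid: clock skew or early publish
            problems.append(key + ("not yet valid",))
    return problems


if __name__ == "__main__":
    for owner, rtype, problem in check_rrsigs(SAMPLE, "20240510000000"):
        print(f"{owner} {rtype}: {problem}")
```

Run it against the real output of `dig @your-authoritative example.net SOA +dnssec` from cron and alert well before the `min_days` window closes; a re-signing job that silently stopped is the most common way a signed zone goes dark.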
Do not be lazy about configuring monitoring for your DNS servers. It lets you catch problems before users notice them. After all, users perceive DNS problems as network problems: it does not matter to them that you have an ultra-modern, high-speed, low-latency, fault-tolerant network if web pages open slowly because of a poorly functioning DNS server.
Keep the overall design of your DNS solution as simple as possible. It will make diagnosing problems easier.