
While much of what we do here at FastServers.Net is visible to our customer base (we're working on the servers that you lease), we also have some projects that are a little more behind-the-scenes and hidden from view.
A few months ago, a scheduled review/maintenance of the FastServers DNS revealed a few shortcomings, and a few... changes have been made.
For most people, DNS just works. A control panel on the server handles setting up zones for all domains existing on the server, turning each server into its own DNS server, and this scales to a small degree. However, past a certain point, managing multiple nameservers becomes difficult. Tracking nameserver IPs, NS glue, slave records, and whatnot can start to become overwhelming, and the tools provided by the control panels may not be sufficient to keep a handle on the situation.
FastServers was in a similar situation - however, our maintenance and review showed that we were managing 5 discrete internal pairs of nameservers (not counting our shared DNS servers, ns5-8.fastservers.net), many on aging hardware platforms, some with questionable hard disk status. Rather than wait for an actual failure to force a rushed repair, the decision was made to completely revamp and rework how DNS is handled at FastServers. Instead of 5 pairs of nameservers, all answering both authoritative and recursive queries, the newly designed solution comprises a pair of authoritative-only servers, and a pair of recursive servers for our clients to use.
The logic behind such a setup is clear in the environment of the net today. A simple search for "DNS poisoning" and "DNS open resolver DoS amplification" shows the pitfalls of providing both authoritative answers and an open caching service on the same server. In addition, the load that caching places on a heavily trafficked cache server (such as ours, with most of our clients using our nameservers as their primary resolver) can have a negative impact on its ability to serve authoritative responses to the world at large.
And thus, new hardware was ordered, and the newly christened pairs (ns1.fastservers.net/ns2.fastservers.net, dnscache.cf.fastservers.net/dnscache.fmt.fastservers.net) were rapidly deployed and initial access configuration completed to allow them to perform their duties. However, next came the hard part - how to migrate the authoritative domains from the existing 5 pairs of nameservers to this new pair, without any service interruptions...
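One way to verify the split described above, as an added example that is not FastServers' own tooling: send each server a recursion-desired query for a name it is not authoritative for, from an address outside the client ranges, and inspect the reply header. The function names, the `example.org` probe name, the `192.0.2.1` answer, and the three sample replies are constructed for illustration.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits
REFUSED = 5                                       # RCODE for a refused query

def build_query(name, txid=0x1234):
    """A-record query with RD set, i.e. asking the server to recurse."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_header(packet):
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0x000F, "ancount": an}

def audit(role, query, response):
    """role is 'authoritative' or 'recursive' (hypothetical labels)."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["txid"] != q["txid"]:
        return "invalid: not a response to this query"
    if r["rcode"] == 0 and r["ancount"] > 0:
        return "FAIL: resolves out-of-zone names for outside clients (open resolver)"
    if role == "authoritative" and r["ra"]:
        return "FAIL: authoritative server advertises recursion"
    return "ok"

def sample_response(query, flags, answered=False):
    """Constructed reply: echoes the question, optionally adds one A record."""
    txid = parse_header(query)["txid"]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answered else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + (rr if answered else b"")

PROBE = build_query("example.org")                  # placeholder out-of-zone name
REFUSING = sample_response(PROBE, QR | RD | REFUSED)          # recursion disabled
OPEN = sample_response(PROBE, QR | RD | RA, answered=True)    # recursed for a stranger
RA_BUT_REFUSED = sample_response(PROBE, QR | RD | RA | REFUSED)  # ACL-restricted cache

if __name__ == "__main__":
    for label, resp in [("refusing", REFUSING), ("open", OPEN), ("ra+refused", RA_BUT_REFUSED)]:
        print(label, "->", audit("authoritative", PROBE, resp), "|", audit("recursive", PROBE, resp))
```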
In the next article, we will cover the process used while performing the migration, and some interesting shell scripts used to help the process.