bhesterberg
newbie
Topic Author
Posts: 34
Joined: Wed Jul 06, 2016 8:27 pm
Location: Gifford, IL

DNS at each site?

Wed Jan 18, 2017 4:52 am

I work for a WISP that's going from bridged to routed. We have a couple of routers in the outside sites already. I'm wondering, though, should I make each router a DNS server or pass it through to the core router? The way I have the two outside sites now, they pass DNS requests all the way back to the core router. I think it'd cut down on traffic and be more efficient if I have each router acting as a DNS server. I'm a little worried about resources, though, and whether they can handle it. I know my 3011's can do it, but I also have 2 RB850GX2's at the end sites (with few customers) and I'm worried they won't be able to handle the load under, say, 20 customers. So any input you may have would be greatly appreciated!!

Thanks in advance!
 
pukkita
Trainer
Posts: 3002
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: DNS at each site?

Wed Jan 18, 2017 4:46 pm

DNS is one of the areas that has the biggest impact on perceived network responsiveness, especially while browsing.

Anything you do to enhance DNS resolution speed for your customers will be positive.

I usually enable DNS on every DC/POP router, increasing cache size depending on available memory and customer count. Make these caches use your core router's main DNS and you'll greatly reduce DNS queries going through your uplink while optimizing internal resources.

Difficult to say for the RB850GX2: 20 10Mbps customers or 20 100Mbps customers? If the RB850GX2 CPU isn't loaded, then it will perform fine.

Additionally, since 6.38 the previous ROS DNS resolver concurrent query limit (100) can be changed using IP > DNS > max-concurrent-queries.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
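The per-site caching setup described in this reply, as an added RouterOS configuration example (it is not from the original post and not MikroTik's documentation). All addresses are constructed: 10.0.0.1 is assumed to be the core router's DNS, 10.10.0.0/16 the customer range behind this site router, and 10.10.0.1 the router's own customer-facing address. `max-concurrent-queries` is the setting named in the reply; the `cache-size` value is an arbitrary choice and should be sized to the memory actually free on the box.

```routeros
# Site-router caching resolver: answers customer queries from its own cache
# and forwards cache misses to the core router's DNS (10.0.0.1, constructed)
# instead of sending every query out over the uplink.
/ip dns set allow-remote-requests=yes servers=10.0.0.1 cache-size=8192KiB max-concurrent-queries=200

# Hand the site router out as the resolver so customers actually use it
# (constructed DHCP network; repeat per customer subnet).
/ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=10.10.0.1

# allow-remote-requests=yes makes the router answer DNS on every interface,
# including its uplink. Accept port 53 only from the customer range and drop
# the rest so the POP router cannot be used as an open resolver from outside.
# Rule order matters: the accepts must come before the drops, and all four
# before any catch-all accept on the input chain.
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address=10.10.0.0/16 action=accept comment="customer DNS (UDP)"
add chain=input protocol=tcp dst-port=53 src-address=10.10.0.0/16 action=accept comment="customer DNS (TCP)"
add chain=input protocol=udp dst-port=53 action=drop comment="no open resolver"
add chain=input protocol=tcp dst-port=53 action=drop comment="no open resolver"

# Verify: cached entries should accumulate, and the drop counters show how
# much unsolicited port-53 traffic the uplink is actually attracting.
/ip dns cache print
/ip firewall filter print stats
```

If the drop counters on the "no open resolver" rules climb steadily, that is the traffic an unfiltered `allow-remote-requests=yes` would have answered; on a small box like the RB850GX2 that load competes with the customers' own queries, so the filter is as much about CPU as about abuse.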
 
bhesterberg
newbie
Topic Author
Posts: 34
Joined: Wed Jul 06, 2016 8:27 pm
Location: Gifford, IL

Re: DNS at each site?

Wed Jan 18, 2017 9:08 pm

> DNS is one of the areas that has the biggest impact on perceived network responsiveness, especially while browsing.
>
> Anything you do to enhance DNS resolution speed for your customers will be positive.
>
> I usually enable DNS on every DC/POP router, increasing cache size depending on available memory and customer count. Make these caches use your core router's main DNS and you'll greatly reduce DNS queries going through your uplink while optimizing internal resources.
>
> Difficult to say for the RB850GX2: 20 10Mbps customers or 20 100Mbps customers? If the RB850GX2 CPU isn't loaded, then it will perform fine.
>
> Additionally, since 6.38 the previous ROS DNS resolver concurrent query limit (100) can be changed using IP > DNS > max-concurrent-queries.

Very well put. Thank you for the great response! I'll start doing DNS at each site.
 
cdiedrich
Forum Veteran
Posts: 939
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: DNS at each site?

Thu Jan 19, 2017 6:01 pm

When doing this, you might even go one step further and redirect all DNS queries to your local routers.
This implies that you don't allow any other DNS servers to be used by your customers any more, but it will again improve the experienced performance even for users who try to use other DNS servers than yours.
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=<your clients IP range>
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=<your clients IP range>
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
bhesterberg
newbie
Topic Author
Posts: 34
Joined: Wed Jul 06, 2016 8:27 pm
Location: Gifford, IL

Re: DNS at each site?

Thu Jan 19, 2017 7:28 pm

Very good tidbit of info!
 
Sob
Forum Guru
Posts: 5171
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS at each site?

Thu Jan 19, 2017 7:37 pm

I strongly suggest not doing this (redirecting all queries to your resolver). Your customers may have good reasons for using other resolvers. And even if they don't, an ISP should provide internet access and not decide for users what they can and cannot use.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
bhesterberg
newbie
Topic Author
Posts: 34
Joined: Wed Jul 06, 2016 8:27 pm
Location: Gifford, IL

Re: DNS at each site?

Thu Jan 19, 2017 7:48 pm

> I strongly suggest not doing this (redirecting all queries to your resolver). Your customers may have good reasons for using other resolvers. And even if they don't, an ISP should provide internet access and not decide for users what they can and cannot use.
Can you give me a good example of why not to do this?
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: DNS at each site?

Thu Jan 19, 2017 8:06 pm

Controlled DNS redirection could also be a security upgrade if you set your caching router to use your ISP's and not public DNS servers. I have actually been doing this on my home MikroTik for years as one extra security measure.
 
Sob
Forum Guru
Posts: 5171
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS at each site?

Thu Jan 19, 2017 8:10 pm

Because it means hijacking their traffic. If a client wants a DNS query delivered to IP address x.x.x.x, then you as the ISP should do exactly that.

If you need a "what can it break" example, there's DNS based filtering of various stuff (e.g. OpenDNS) or alternative DNS roots (although that's probably not very popular).

@che: By all means, do it in your home network, do it in your company network, that's ok. But it's not ok for ISP to do it for all customers.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
bhesterberg
newbie
Topic Author
Posts: 34
Joined: Wed Jul 06, 2016 8:27 pm
Location: Gifford, IL

Re: DNS at each site?

Thu Jan 19, 2017 9:58 pm

> Because it means hijacking their traffic. If a client wants a DNS query delivered to IP address x.x.x.x, then you as the ISP should do exactly that.
>
> If you need a "what can it break" example, there's DNS based filtering of various stuff (e.g. OpenDNS) or alternative DNS roots (although that's probably not very popular).
>
> @che: By all means, do it in your home network, do it in your company network, that's ok. But it's not ok for ISP to do it for all customers.
I think hijacking would be a bit strong of a word. Properly directing might be another way to put it?
This seems like you are expressing personal opinion, which is fine, but if my customers are using my internet service, it seems I have the right to make them use my DNS servers. I'm not stopping any traffic, or fast-tracking any traffic, just making it better for them.
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: DNS at each site?

Thu Jan 19, 2017 10:10 pm

I would not argue whether doing this practice is or is not inherently wrong. I can just add my personal note that no ISP I've worked at in the past twelve years has been doing that, but I know of some that are either redirecting or recording DNS traffic, or both. Just don't be so sure that DNS traffic outside of your own network is not being metered or altered. : )
 
savage
Forum Guru
Posts: 1220
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: DNS at each site?

Thu Jan 19, 2017 11:01 pm

> > Because it means hijacking their traffic. If a client wants a DNS query delivered to IP address x.x.x.x, then you as the ISP should do exactly that.
> >
> > If you need a "what can it break" example, there's DNS based filtering of various stuff (e.g. OpenDNS) or alternative DNS roots (although that's probably not very popular).
> >
> > @che: By all means, do it in your home network, do it in your company network, that's ok. But it's not ok for ISP to do it for all customers.
> I think hijacking would be a bit strong of a word. Properly directing might be another way to put it?
> This seems like you are expressing personal opinion, which is fine, but if my customers are using my internet service, it seems I have the right to make them use my DNS servers. I'm not stopping any traffic, or fast-tracking any traffic, just making it better for them.
And when a customer, for example, is debugging a DNS problem relating to some web site he hosts, work he does, etc.?

dig +trace <name>, for example, shows a complete trace of the DNS request, from the root servers right up to the actual zone. This will result in an epic failure on your network from the customer's perspective.

Ok, now let's move on. Customer changed a DNS record in some DNS zone he hosts, and wants to test to see if it resolves correctly:

dig -t A <name> @mynameserver - oh wait, he is not seeing the query on his name server, and the old result is still being sent, from your DNS cache. DOH, so is it my DNS that's broken, or is it your cache that's broken? That's now after he spent HOURS trying to debug the problem to find out WHY he is still seeing the old record, even though he is EXPLICITLY querying HIS DNS server, where the zone has been updated.

Then there's people wanting to use things like Google DNS / OpenDNS for very good reasons.

Your customers are paying you for INTERNET ACCESS. It's not up to you to dictate HOW they can use that access. This is censorship, and extremely bad practice in the general internet community. I most definitely would not be using your services if I was your customer and you were doing this.
Regards,
Chris
 
Sob
Forum Guru
Posts: 5171
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS at each site?

Fri Jan 20, 2017 12:31 am

> ... if my customers are using my internet service, it seems I have the right to make them use my DNS servers.
Well, if you openly advertise your services as "limited internet access" (no small print! ;)), then no objections from me. This setup does break some things, that's a verifiable fact.
> ..., just making it better for them.
Do it, optimize the DNS resolvers that you give them by default. But there's no need to go overboard. If they change their settings for some reason, assume they know what they are doing. And if they don't, it's their problem, let them pay for their mistakes. It's not like they will suffer very much; in most cases they will use Google's resolvers or something and will have an extra 10ms or so of delay when loading a new website, no biggie. Is it really worth it trying to "save" them and in the process break things for someone else? Surely you know that saying about the road to hell...
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
bhesterberg
newbie
Topic Author
Posts: 34
Joined: Wed Jul 06, 2016 8:27 pm
Location: Gifford, IL

Re: DNS at each site?

Sat Jan 21, 2017 2:59 am

> > ... if my customers are using my internet service, it seems I have the right to make them use my DNS servers.
> Well, if you openly advertise your services as "limited internet access" (no small print! ;)), then no objections from me. This setup does break some things, that's a verifiable fact.
> > ..., just making it better for them.
> Do it, optimize the DNS resolvers that you give them by default. But there's no need to go overboard. If they change their settings for some reason, assume they know what they are doing. And if they don't, it's their problem, let them pay for their mistakes. It's not like they will suffer very much; in most cases they will use Google's resolvers or something and will have an extra 10ms or so of delay when loading a new website, no biggie. Is it really worth it trying to "save" them and in the process break things for someone else? Surely you know that saying about the road to hell...
No one is supposed to be hosting servers on my network without permission. This is typical of most ISPs. And if they were, they'd probably ask me for a public IP, and at that point I'd know they wanted to host something. Then I'd talk to them about it and work it out with them. Also, I'm using Google's public DNS as a secondary.
Labeling it "limited internet service" would be not only wrong, but dumb. Who'd buy that? I'm not limiting anything except speeds.
 
Sob
Forum Guru
Posts: 5171
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS at each site?

Sat Jan 21, 2017 3:55 am

But this is not about hosting anything.

Take the OpenDNS example. They offer (even for free) a DNS-based blocking of adult content (which - and I specifically say it's just my opinion - is pointless like any blocking). For some people it's useful service. How it works is that a user who wants to use it configures their router/PC/tablet/whatever to use not DNS resolvers provided by ISP (= you), but those provided by OpenDNS. And then when someone tries to access websites like www.sex.com, they won't get the real content, but the page you can see below. But if you redirect all DNS queries to your own resolver, this useful (for some) service won't work.
opendns-blocked.png
And about "limited internet service" - and again, I specifically say it's kind of a "religious" discussion - "full internet access" means a public address and the ability to use it, i.e. host anything. There are some understandable technical difficulties, e.g. there are not enough IPv4 public addresses for everyone, so it's ok to give only IPv6 public addresses to customers. But if you don't allow hosting servers, then it's "limited internet service" by definition, there's no way around it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
lordzar
Frequent Visitor
Posts: 67
Joined: Sat May 29, 2004 7:47 pm

Re: DNS at each site?

Mon Jan 23, 2017 3:37 am

> > I strongly suggest not doing this (redirecting all queries to your resolver). Your customers may have good reasons for using other resolvers. And even if they don't, an ISP should provide internet access and not decide for users what they can and cannot use.
> Can you give me a good example of why not to do this?

There are commercial services like Cisco OpenDNS, which some of my clients use as their website filter. It would break if I forced them to use our DNS servers.
 
pukkita
Trainer
Posts: 3002
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: DNS at each site?

Mon Jan 23, 2017 11:47 am

Yes. But you can set up an address list with these (the OpenDNS servers) and not redirect to your DNS cache if the dst-address belongs to OpenDNS.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
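The address-list exemption suggested in this reply, combined with the redirect rules posted earlier in the thread, as an added RouterOS example (not from either post and not MikroTik's documentation). The customer range 10.10.0.0/16 is constructed; the two OpenDNS entries are OpenDNS's published resolver addresses and should be checked against their current list before use. `allow-remote-requests=yes` must already be set under /ip dns for `action=redirect` to land on a working resolver.

```routeros
# Resolvers that customers deliberately chose; queries to these are left alone.
# OpenDNS entries are their published anycast resolvers (verify before use).
# Add any other resolver a customer has a documented reason to reach.
/ip firewall address-list
add list=dns-exempt address=208.67.222.222 comment="OpenDNS"
add list=dns-exempt address=208.67.220.220 comment="OpenDNS"

# Redirect plain port-53 DNS from the customer range (10.10.0.0/16, constructed)
# to this router's own resolver, unless the destination is on the exempt list.
# dst-address-list=!dns-exempt is the negated match, so listed resolvers are
# skipped by the rule and reach their real destination.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 src-address=10.10.0.0/16 dst-address-list=!dns-exempt action=redirect comment="DNS to local cache (UDP)"
add chain=dstnat protocol=tcp dst-port=53 src-address=10.10.0.0/16 dst-address-list=!dns-exempt action=redirect comment="DNS to local cache (TCP)"

# Per-rule counters show how many queries are being rewritten versus passed
# through; a climbing redirect counter is the first thing to check when a
# customer reports that a query sent explicitly to another server returns
# stale data.
/ip firewall nat print stats
```

The list only helps for resolvers the operator knows about in advance. The breakage savage describes above, a customer running `dig -t A <name> @mynameserver` against his own authoritative server, still happens for any server not on the list, and the customer has no way to tell from the reply that it came from the router's cache rather than the server he named.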
 
savage
Forum Guru
Posts: 1220
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: DNS at each site?

Mon Jan 23, 2017 12:29 pm

> Labeling it "limited internet service" would be not only wrong, but dumb. Who'd buy that? I'm not limiting anything except speeds.
You are limiting access to DNS servers :) You've been given numerous examples of why customers DO require access to remote DNS servers....

Anyway, not my toss up... </care>
Regards,
Chris
