I love PowerDNS, it’s so flexible through the multiple backends that you can do pretty much whatever you want with it. When we had a nightmare weekend at 123-reg several years ago, I designed and built the next generation of the DNS infrastructureÂ on PowerDNS because it would connect straight into our main DNS databases and we could easily change schema etc without having issues.
However,Â because of this flexibility sometimes PowerDNS has some performance issues. When designing the second generation of high-performance DNSÂ serversÂ for the HostEurope group I tested a number of other opensource servers. The highest performing by far was nsd however it used a lot of memory andÂ wasn’t able to give us the flexibility that we required.
Looking at PowerDNS it had a number of scaling issues – up to 4 or 6 cores it was fine but after that it just couldn’t scale any further. So, working with a number of tools such as valgrind and perf I identified a number of scaling issues with the distributor code and created a series of patches which were rolled in to PowerDNS Authoritative 3.3 and 3.4 and enableÂ PowerDNS to scale easily to 32 or 64 cores. I also came across a Linux kernel issue with locking (actually anÂ improvement in the packet handling code) which meant thatÂ the boxes couldn’t handle more than about 250k PPS before the thread contention on the socket lock hit a limit. Fortunately with Linux 3.9 the patches that the Google guys had produced a few years ago finally got incorporated and so the SO_REUSEPORT patch was also added to PowerDNS.
Finally, I found a very high performance key/value database (lmdb) which is very reliable and fast (sqlite was limited to about 3 or 4 cores, BDB always corrupts itself, KoyotoDB is nice butÂ updates cause a lot of contention and I’m not sure if it’s being actively developed any more). And the result is a high performance backend for PowerDNS (lmdbbackend) which can scale to over 1m QPS/server with instant updates and low response times. The best way to avoid an embarrassing DNS DDOS is to have enough capacity to respond to allÂ queries that are thrown at the server, after that you can try to filter the big hitters. Unfortunately many anti-DDOS appliances that we tested turned out to fail quite badly on UDP-based attacks, or attacks at > 1m PPS so it’s often best to not put them in front of infrastructure that may sustain such an attack.
If you want professional consulting and assistance with setting up a high-performance resilient DNS infrastructure please contact me through my consultancy companyÂ dns-consultants.com