DNS Platforms: A Study in Capacity and Scalability

01Jul10


Capacity and scalability are necessary in managing DNSSEC and D/DoS. Capacity, necessary for maintaining operations during D/DoS attacks, is also necessary for the increased traffic due to DNSSEC deployment. Scalability is highly important: as DNSSEC is deployed, not only will greater traffic levels be encountered, but greater demand will also be placed on the DNS platform.

In the interest of understanding both capacity and scalability, CommunityDNS conducted tests to assess the readiness of the two main DNS server platforms, BIND and NSD, to handle the added workload imposed on standard server hardware, and to expose any limitations. To be fair, the same tests were conducted on CommunityDNS’ platform. Details of the study may be found here [PDF].

Tests applied to the BIND, NSD and CommunityDNS platforms consisted of high volumes of queries being applied to the three different DNS platforms, using four zone sizes in both unsigned and signed environments. The zone sizes represented were:

It should be noted that neither BIND nor NSD could handle the zone file of 57,873,014 names. It should also be noted that as testing began CommunityDNS’ platform had excess capacity whilst peaking at queries per second. The testing infrastructure was changed, moving to a complete GB platform in switches and routers and to CAT-6 cabling. Tests were rerun using the new network infrastructure, achieving greater results.

Capacity Processing: Results of the testing revealed:


Scalability: Examining scalability revealed that for zone file sizes from 7,691 to 19,405,229, unsigned zones showed a 2.4% degradation for CommunityDNS, a -7.2% degradation for BIND and a 12.1% degradation for NSD. For the same zone sizes in a signed environment there was a 3.6% degradation for CommunityDNS, a 34.6% degradation for BIND and a 30.9% degradation for NSD.


So when looking at the operational stability of DNS platforms during D/DoS attacks or with the migration to signed zones, both capacity and scalability are important to ensure operational resilience. Further details of the study may be found by clicking here.


