Setting up your own Geolocated DNS services

Jonchun Member, Provider

I didn't want to hijack the other DNS thread, so I figured I'd start a new one. Does anyone have any experience on setting up DNS servers that return different IPs based on a user's location? Yes, I know it's possible with BIND and views/ACLs, but I was wondering if there was a better solution or anyone with experience with this type of setup.

Thanks :)

Thanked by 1FrankZ

Comments

  • ru_tld Member, Provider
    edited February 2015

    Hello

    I recommend checking PowerDNS and its geo backend.
    Also check the edns-subnet-processing option, which will help with public recursors like Google's 8.8.8.8.

    (1) https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/geobackend/README

    (2) https://www.ietf.org/archive/id/draft-vandergaast-edns-client-subnet-02.txt

    (3) https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM

    Thanked by 3Jonchun aglodek Blanoz
  • PowerDNS+1

    I didn't implement that in my system but I know someone did that.

  • I do geo dns with Bind views, and MaxMind IP db. It seems to work good. I had to make a little panel so I could see and update the different views for each domain all at the same time or it is a PITA to keep everything straight.

    Thanked by 1aglodek
  • aglodek Member
    edited February 2015

    @FrankZ said: I do geo dns with Bind views, and MaxMind IP db. It seems to work good. I had to make a little panel so I could see and update the different views for each domain all at the same time or it is a PITA to keep everything straight.

    Working on exactly the same setup myself. Nice to have it on good authority it "seems to work good" ;) Have a couple of questions for you:

    • do you use a DB backend or does your web panel work with BIND's native flat files?

    • how many domains do you host on this?

    • how many different views/regions do you have set up?

    • how much RAM does it consume, assuming only the NS (say, secondary NS?), with no panel or anything else running on the box?

  • If you don't need to update zones very often, don't need database backends, and want something that actually works reliably with edns-client-subnet, have a look at gdnsd. It has integrated failover checks (http, ping) and the geo part of it works as you expect.

    Thanked by 3aglodek FrankZ geekalot
  • FrankZ Member
    edited February 2015

    Hi @aglodek
    I use the Bind's native flat files to just try to keep it simple.
    I am running 28 domains on this system.
    I am running four views/regions (Europe, North America, Central & South America, and Other, which handles Asia/Oceania). I run front-end NGINX caching reverse proxies in France (Europe), Dallas (NA), LAX (Asia/other), and Mexico (C&S A) that the zone/views point to, and they sync with three backend Apache servers behind them.
    I need at least 256MB to run the DNS servers correctly. This is the only service running on them, and the panel is on a separate admin VPS and updates each DNS server directly, as I found that it was better to have 3 master DNS servers updated from the admin panel than a master and slaves.

    To clarify "seems to be working good" this is my site monitor output of an example website.

    @aglodek my focus is Europe, US/Canada and Central/South America and I have set up that way.

    EDIT: I have one setup with BUYVM's anycast and one setup without.

    Thanked by 2aglodek geekalot
  • GeoDNS with BIND with ACLs is probably the simplest thing to implement (there is sooo much documentation on BIND out there): http://phix.me/geodns/

    But it's probably the worst in terms of scale or performance.

    Using the geodns C patch for BIND will work far nicer, but then it's harder to maintain without working with packages and dealing with compiling from source.

    Also another note about BIND: it does not support eDNS (http://www.afasterinternet.com/ietfdraft.htm)

    I have not used pDNS so I can not comment.

    However, my all-time favorite for this task is gDNSd (http://gdnsd.org/)

    It is built to do purely geoDNS and failover. You can give it all your servers and their long/lats and it will figure out the closest and even do failover if any of them don't respond, for example. Used and maintained by Wikimedia and its Ops staff.

  • @vld said: If you don't need to update zones very often, don't need database backends, and want something that actually works reliably with edns-client-subnet, have a look at gdnsd. It has integrated failover checks (http, ping) and the geo part of it works as you expect.

    At first glance, very interesting and seems exactly what the doctor ordered, thanks! :)

  • FrankZ Member
    edited February 2015

    @adamBB and @vld gDNSd would probably be better for the task but does not support DNSSEC :( I will set up a gDNSd set and add it to the comparisons I have going. Thank you for the insight.

    Regarding eDNS:

    > With the edns-client-subnet option, the network address of the client
    > that initiated the resolution becomes visible to all servers involved
    > in the resolution process. Additionally, it will be visible from any
    > network traversed by the DNS packets.

    We see you ....
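The two points above (ru_tld's note that edns-client-subnet is what lets a geo-aware nameserver see past a public recursor, and the draft text on what that exposes) can be made concrete. The following is an added example, not code from the thread or from any of the DNS servers discussed: it encodes and decodes the ECS option exactly as it travels in the EDNS0 OPT record, then feeds the exposed client prefix into a constructed region table and a per-region front-end preference list with failover, mirroring the four-view layout FrankZ describes. The prefixes, region names and front-end names are constructed for the example; the prefix table stands in for a MaxMind lookup.

```python
import ipaddress
import struct

# Option code for edns-client-subnet (RFC 7871), carried inside the EDNS0 OPT RR.
ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2

def build_ecs_option(subnet):
    """Encode ECS as a public recursor attaches it: only the truncated prefix is sent."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    nbytes = (net.prefixlen + 7) // 8          # only whole bytes covering the prefix
    body = struct.pack("!HBB", family, net.prefixlen, 0)   # scope 0 in a query
    body += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(data):
    """Decode an ECS option; returns the client subnet the recursor exposed, or None."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        return None
    family, source_len, _scope = struct.unpack("!HBB", data[4:8])
    nbytes = (source_len + 7) // 8
    raw = data[8:8 + nbytes]
    if length != 4 + nbytes or len(raw) != nbytes:
        raise ValueError("malformed ECS option")   # never trust on-the-wire lengths
    width = 4 if family == FAMILY_IPV4 else 16
    addr = ipaddress.ip_address(raw.ljust(width, b"\x00"))
    return ipaddress.ip_network(f"{addr}/{source_len}", strict=False)

# Constructed stand-in for the MaxMind lookup (documentation prefixes only).
REGION_OF = {
    ipaddress.ip_network("192.0.2.0/24"): "EU",
    ipaddress.ip_network("198.51.100.0/24"): "NA",
    ipaddress.ip_network("203.0.113.0/24"): "SA",
}
# Per-region preference: closest front end first, the rest are failovers
# (the four views in the thread: Europe, NA, Central/South America, other).
PREFERENCE = {
    "EU": ["france", "dallas", "lax"],
    "NA": ["dallas", "mexico", "france"],
    "SA": ["mexico", "dallas", "france"],
    "default": ["lax", "dallas", "france"],
}

def region_for(net):
    for prefix, region in REGION_OF.items():
        if net.network_address in prefix:
            return region
    return "default"

def choose_frontend(ecs_bytes, healthy):
    """First healthy front end for the client's region; `healthy` is the set the
    monitoring scripts currently consider up. No ECS means the 'default' view."""
    net = parse_ecs_option(ecs_bytes)
    region = region_for(net) if net is not None else "default"
    for name in PREFERENCE[region]:
        if name in healthy:
            return name
    return None
```

Note that without ECS the nameserver only ever sees the recursor's address, which is why a BIND-views setup that ignores the option places every 8.8.8.8 user in whichever region Google's resolver sits; with it, the client's /24 (or whatever the recursor truncates to) is visible to every server on the path, which is the privacy trade-off the quoted draft describes.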

  • aglodek Member
    edited February 2015

    @FrankZ said: I run front end NGINX caching reverse proxies in France (Europe), Dallas (NA), LAX (Asia,other), and Mexico (C&S A) that the zone/views point to and sync three backend apache servers behind them.

    What? If you point the zones to the backends, how do you route traffic to the frontends? And what do you need 3 backends for? I should think 2 backends + 8 (4x2) frontends would be a more redundant setup...?

    I need at least 256MB to run the DNS servers correctly.

    Running only 28 domains? Wow! Unless those are very active domains, seems BIND is not exactly an optimal solution here (which was to be expected, BTW, hence my interest in BIND is only educational, with my real target being NSD3).

    This is the only service running on them and the panel is on a separate admin vps and updates each DNS server directly, as I found that it was better to have 3 master DNS servers updated from the admin panel then a master and slaves.

    Okay, why exactly are 3 masters better?

    EDIT: I have one setup with BUYVM's anycast and one setup without.

    BuyVM's anycast is next on my list, too, hence my question concerning RAM needs ;)

  • FrankZ Member
    edited February 2015

    aglodek said: What? If you point the zones to the backends, how do you route traffic to the frontends? And what do you need 3 backends for? I should think 2 backends + 8 (4x2) frontends would be a more redundant setup...?

    I point the DNS zone/views to the closest DDOS protected front end nginx server that get their information from the back end apache server closest to it, the second closest is the failover. The client sees the front end server only. The back ends only talk to the front ends. I wanted three back ends in sync to have a back end close enough and so daily backups are not required. (I still do weekly backups.) There are redundant front ends that get activated/deactivated in DNS based on the monitoring scripts on the admin vps. I expected that the BuyVM anycast/failover option would make for a better front end solution, but that is not working out as well as hoped. (not a put down of BuyVM in any way)

    aglodek said: Running only 28 domains? Wow! Unless those are very active domains, seems BIND is not exactly an optimal solution here :(

    I expect that the 150-160MB of RAM that gets used is mostly the Maxmind IP data, not zone/views data. I run 5-30 sub domains in each zone. I am running 64 bit Centos and you could probably reduce RAM usage 20-25MB by going 32 bit.

    aglodek said: Okay, why exactly are 3 masters better?

    Because I was having problems getting them to sync all views correctly, the slaves would update some views in a zone but not others, even though they had changed. When I made the admin panel it was just as simple to update all DNS servers at the same time and avoid any issues.

    aglodek said: BuyVM's anycast is next on my list, too, hence my question concerning RAM needs ;)

    My BuyVMs anycast results for today.
    (removed)
    EDIT: Graph reflects DNS lookup times (DIG).

    I am going to set up the gDNSd and compare results. I can send you that info in a few days if you wish. Please understand that I am not married to this idea, just looking for reasonable results (< 100ms) and the simplest solution to automate maintenance-wise, given my skill set which is normally directed at making tacos for tourists in Mexico.

    @Jonchun - any of this good for you too :)

    Thanked by 2aglodek geekalot
  • Jonchun Member, Provider
    edited February 2015

    @FrankZ

    yeap! I'm looking into it all. I'm basically trying to see if it's viable to setup a shared hosting service that will automatically mirror to servers all around the world. DNS is obviously doable as you've showed us how, but I'm wondering if there are things that would auto-break (e.g. databases) if I'm not syncing in real time.

  • Francisco Top Provider

    Routing is going to be a little funny on anycast with Europe getting favored in many routes. This is due to some changes we're making and (fingers crossed) will be announcing soon :D

    Francisco

    Thanked by 1FrankZ
  • aglodek Member
    edited February 2015

    @FrankZ said: I point the DNS zone/views to the closest DDOS protected front end nginx server that get their information from the back end apache server closest to it, the second closest is the failover. The client sees the front end server only.

    Okay, seems I misunderstood your earlier post. This is exactly the setup I'm working on, except I'm adding Varnish on the frontends.

    I expected that the BuyVM anycast/failover option would make for a better front end solution, but that is not working out as well as hoped. (not a put down of BuyVM in any way)

    To be clear: you are referring here to anycast frontends (nginx RP's), not anycast nameservers - right?

    I expect that the 150-160MB of RAM that gets used is mostly the Maxmind IP data, not zone/views data.

    Okay, that's what I thought. Sounds reasonable and no way around it, I guess.

    Because I was having problems getting them to sync all views correctly, the slaves would update some views in a zone but not others, even though they had changed.

    Interesting. This is valuable heads up, thanks!

    I am going to set up the gDNSd and compare results. I can send you that info in a few days if you wish.

    Yes, please do. This will be a two way street once I have my setup going...

    Please understand that I am not married to this idea, just looking for reasonable results (< 100ms) and the simplest solution to automate maintenance wise, given my skill set which is normally directed at making tacos for tourist in Mexico.

    Hahaha... same here on all counts (not married to anything, except my wife; KISS and automated; similar skill set issues, but learning at a pretty good clip ;)

  • FrankZ Member
    edited February 2015

    aglodek said: To be clear: you are referring here to anycast frontends (nginx RP's), not anycast nameservers - right?

    Correct.

    @Jonchun - A HA GeoCasted webhost at lowend pricing would probably go over very well.
    @Francisco - I love you guys and all the voodoo that you do ;D

  • aglodek Member
    edited February 2015

    @Jonchun said: yeap! I'm looking into it all. I'm basically trying to see if it's viable to setup a shared hosting service that will automatically mirror to servers all around the world. DNS is obviously doable as you've showed us how, but I'm wondering if there are things that would auto-break (e.g. databases) if I'm not syncing in real time.

    Interesting idea. You might want to consider using reverse proxy frontends (e.g. Varnish) to handle the syncing off a central backend (webserver+DB). A bit of PITA to set up initially, but that's one time and KISS vis a vis multiple webservers and DB's. Just my 3 cents and standing ready to be corrected, of course ;)

  • Jonchun Member, Provider

    @aglodek said:
    Interesting idea. You might want to consider using reverse proxy frontends (e.g. Varnish) to handle the syncing off a central backend (webserver+DB). A bit of PITA to set up initially, but that's one time and KISS vis a vis multiple webservers and DB's. Just my 3 cents and standing ready to be corrected, of course ;)

    The issue with that, in my opinion, is: what would be the difference between your suggestion and just a regular CDN? In fact, wouldn't that method be slower to load because of fewer POPs?

  • @aglodek - I have set up gdnsd on a Debian 7 32-bit VPS and have the GeoIP working for one domain and three regions. It does seem faster than BIND, as the response time for the query is the same as the ping time to the server, and it is using a lot less RAM. Currently 36MB used. The zone files are going to be less complex than bind/views and the config file maybe a little more complex.

    I'll finish setting this up, tune it up as best as I can, and graph it for a day then post it here.

    Thanked by 1aglodek
  • aglodek Member
    edited February 2015

    @Jonchun said: The issue with that in my opinion is what would be the difference between your suggestion and just a regular CDN? In fact, wouldn't that method be (slower) to load because fewer POP?

    Call me a control freak, I won't object, but having your own infrastructure beats having to depend on third parties' services and support hands down. In this particular case, the upside is much better control over what will be cached and for how long. Depending on the websites and apps hosted, this may be of critical importance. Naturally, this upside has to be measured and the feasibility evaluated against the unavoidable downside: costs in terms of both money and time. Plus taking under consideration existing, third party solutions.

    Thanked by 1FrankZ
  • William Member, Provider

    Honestly way too much work to set up anycast - even with the BuyVM AaS. I'd rather use an established provider like CF for reliability.

    Thanked by 1k0nsl
  • @William said: Honestly way too much work to set up anycast - Even with the BuyVM AaS.

    Why? Correct me if I'm wrong, but it was my understanding that Francisco has done the hard part already, hasn't he?

  • William Member, Provider

    You still need to keep Servers secured/up, the DBs in Sync, have a panel for the records, do DNSSEC and alike... a "managed" service provider like Rage4/CF removes much of that "liability". BuyVM AaS has no Asia/AP location as well.

    Thanked by 1vimalware
  • @William said: You still need to keep Servers secured/up, the DBs in Sync, have a panel for the records, do DNSSEC and alike... a "managed" service provider like Rage4/CF removes much of that "liability". BuyVM AaS has no Asia/AP location as well.

    Point taken. However, only that last part about BuyVM is in any way related to anycast. And what DBs (plural)? As for Rage4 and CF control panels, they are the main reason behind my foray into this area (read: need my own panel).

  • ru_tld Member, Provider

    @William said:
    You still need to keep Servers secured/up, the DBs in Sync, have a panel for the records

    I can recommend the DNSmanager panel: https://www.ispsystem.com/software/dnsmanager
    It flawlessly integrates with PowerDNS (or BIND), and it is very possible to integrate it with WHMCS, but you will need some PHP skills for that.
    Server sync is as simple as MySQL replication.

    I don't think that needed efforts are very high, but they are reasonable if you want to provide DNS as a service.

    Thanked by 2aglodek geekalot
  • @aglodek - If you can do without DNSSEC forget bind/views. @adamBB and @vld appear to be on the money with gdnsd. It plays real nice with Google resolvers, is faster, is easier to set up, and uses a lot less resources. It also seems that you can change the IPs for the front ends once in the main config file instead of in each zone, which should be a big time saver for a guy with a lot of domains on the same servers/front ends.
    @William , aglodek has 1000 domains to deal with.

    Thanked by 2geekalot aglodek
  • Jonchun Member, Provider

    @FrankZ said:
    aglodek - If you can do without DNSSEC forget bind/views. adamBB and vld appear to be on the money with gdnsd. It plays real nice with Google resolvers, is faster, is easier to set up, and uses a lot less resources. It also seems that you can change the IPs for the front ends once in the main config file instead of in each zone, which should be a big time saver for a guy with a lot of domains on the same servers/front ends.
    William , aglodek has 1000 domains to deal with.

    Looks like it :) Time to get started...

  • @Jonchun - Just to get you started in the right direction ...

    apt-get upgrade
    echo 'deb http://ftp.de.debian.org/debian jessie main' >> /etc/apt/sources.list
    apt-get update
    apt-get install gdnsd
    
    wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
    gunzip GeoLiteCity.dat.gz
    mv GeoLiteCity.dat /etc/gdnsd/geoip/
    wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
    gunzip GeoLiteCityv6.dat.gz
    mv GeoLiteCityv6.dat /etc/gdnsd/geoip/
    
    Thanked by 2aglodek geekalot
  • Jonchun Member, Provider

    @FrankZ said:
    Jonchun - Just to get you started in the right direction ...

    > apt-get upgrade
    > echo 'deb http://ftp.de.debian.org/debian jessie main' >> /etc/apt/sources.list
    > apt-get update
    > apt-get install gdnsd
    > 
    > wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
    > gunzip GeoLiteCity.dat.gz
    > mv GeoLiteCity.dat /etc/gdnsd/geoip/
    > wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
    > gunzip GeoLiteCityv6.dat.gz
    > mv GeoLiteCityv6.dat /etc/gdnsd/geoip/
    > 

    Thanks! I know it comes down to preference normally, but out of curiosity, have you ever tried this on RHEL systems? (I haven't looked into this at all, so I have no idea if the packages are available or not.)

  • @Jonchun - I prefer CentOS also, but I did not find a repo, and did not want to compile from source just to take a look at it. If you find a CentOS 6 repo please let me know.

  • vld Member
    edited February 2015

    FrankZ said: @Jonchun - Just to get you started in the right direction ...

    Use the new GeoLite2, it's faster and one file.
    http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz

    Jonchun said: Thanks! I know it comes down to preference normally, but out of curiosity have you ever tried this on rhel systems? (i haven't looked into this at all so I have no idea if the packages are available or not)

    gdnsd is really easy to compile. Get the latest from https://github.com/gdnsd/gdnsd/releases/ and follow the INSTALL instructions.

    PS: wget https://github.com/maxmind/libmaxminddb/releases/download/1.0.4/libmaxminddb-1.0.4.tar.gz && tar zxvf libmaxminddb-1.0.4.tar.gz && rm libmaxminddb-1.0.4.tar.gz && cd libmaxminddb-1.0.4 && ./configure && make && make install; ldconfig
