Page 3 of 4 (results 51 to 75 of 88)
  #51 (joined Mar 2009, Austin Tx, 2,007 posts)
    Quote Originally Posted by layer0 View Post
    That was misinformation. That's what prompted me to post. That's all. But now it seems that we are closer to an agreement. It exists, but isn't a very good method except in controlled environments.
    I hear ya. I think the misunderstanding there is the definition of "failover", as in there is some mechanism (in reference to RR load balancing) that actively removes a down IP from a pool, fails over to the next, and excludes the IP from the pool until it is again reachable. It does "move to the next IP" eventually, but only via a connection timeout and the natural handling of multiple A resource records. But that IP is still going to come around again in random order, so it has not actually been "failed", just..."ignored"...for a while...at best.

    I'm recanting even leaning towards the idea of browsers, modern or otherwise, automatically trying the next A resource record upon connection failure *without a refresh*, just happening automatically within a session without user intervention. Especially this notion that it "remembers" the bad IP and won't try it again. Not finding anything that supports that.
    Sure, they are capable of caching all resource records published for said domain, but...that's about it. I can't re-create it with any browser. If it hits the "bad" IP, it times out on that session, and I have to hit enter, hit refresh, open a new browser...and it sure ain't "remembering" that the IP is bad. Unless it has a memory like my old Aunt Ester.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  #52
    Quote Originally Posted by layer0 View Post
    We have a bunch of servers that need to download files from an internal machine. That internal machine could be an SPOF (single point of failure) but one way to get around that is DNS failover. We also want load balancing, so we use round robin. In this setup, we can have A records setup pointing to a few different IPs. If we just have a script on the client servers that use wget to download files, it will definitely reattempt and this works correctly every time (I've tested it). What's wrong with this setup? Assuming there is no problem with the added delay of having to retry.
    But wget is not a client browser used by humans. It is a single-purpose tool with many knobs that can be fine-tuned for network behaviour. And humans definitely do have a problem with spinning their wheels while network connection attempts time out.

    Now, as far as round robin is concerned, failover-capable DNS is not mutually exclusive with round robin. There is nothing that prevents the use of failover capabilities to remove a known failed endpoint from the set of returned records. This helps the client achieve a connection on the first try as much as possible.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com
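Posts #51 and #52 above turn on the difference between a human's browser and a tool like wget: walking the rest of the A-record set after a failed connect, and remembering which IP just failed, is something the client itself has to implement. The following is an added example (mine, not code from the thread, from wget or from any browser) of that client-side logic in Python. The 203.0.113.x addresses and the fake connector in the demo are constructed for the offline run, and the 60-second cooldown is an assumption.

```python
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

Addr = Tuple[str, int]


def resolve_all(host: str, port: int) -> List[Addr]:
    """Every address behind `host`, in resolver order.

    Round-robin DNS rotates this order from query to query; nothing in the
    answer says which of them is dead, so the client has to find out."""
    addrs: List[Addr] = []
    for _fam, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        addr = (sockaddr[0], sockaddr[1])
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def tcp_connect(addr: Addr, timeout: float) -> socket.socket:
    """Real connector: one TCP connect with a bounded timeout, so a dead IP
    costs `timeout` seconds instead of the kernel's default (minutes)."""
    return socket.create_connection(addr, timeout=timeout)


class FailoverClient:
    """Walks the A-record set on connect failure and remembers bad IPs.

    `connect` is injectable so the logic can run offline; the default is a
    real TCP connect. A failed address is skipped for `cooldown` seconds and
    then tried again, since it may have recovered."""

    def __init__(self, connect: Callable[[Addr, float], object] = tcp_connect,
                 timeout: float = 3.0, cooldown: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.connect_fn = connect
        self.timeout = timeout
        self.cooldown = cooldown
        self.clock = clock
        self.bad: Dict[Addr, float] = {}   # addr -> time of last failure
        self.attempts: List[Addr] = []     # audit trail of every attempt

    def _usable(self, addr: Addr) -> bool:
        failed_at = self.bad.get(addr)
        return failed_at is None or self.clock() - failed_at >= self.cooldown

    def connect(self, addrs: List[Addr]) -> Tuple[object, Addr]:
        """Return (connection, addr) for the first address that answers.

        Known-bad addresses go to the end of the list rather than being
        dropped, so a pool where everything has failed still gets one
        last-resort try of every IP before giving up."""
        usable = [a for a in addrs if self._usable(a)]
        ordered = usable + [a for a in addrs if a not in usable]
        last_err: Optional[Exception] = None
        for addr in ordered:
            self.attempts.append(addr)
            try:
                conn = self.connect_fn(addr, self.timeout)
            except OSError as exc:          # refused, timeout, unreachable
                self.bad[addr] = self.clock()
                last_err = exc
                continue
            self.bad.pop(addr, None)        # it answered; forget the failure
            return conn, addr
        raise OSError(f"all {len(addrs)} addresses failed") from last_err


if __name__ == "__main__":
    # Offline demo with a constructed connector: 203.0.113.10 is "down".
    def fake_connect(addr: Addr, timeout: float) -> str:
        if addr[0] == "203.0.113.10":
            raise socket.timeout("connect timed out")
        return "conn-to-" + addr[0]

    pool = [("203.0.113.10", 80), ("203.0.113.20", 80)]   # constructed
    client = FailoverClient(connect=fake_connect, cooldown=60.0)
    print(client.connect(pool))   # tries .10, fails, answers from .20
    print(client.connect(pool))   # .10 is within cooldown: straight to .20
    print(client.attempts)
```

Against a real host you would call `client.connect(resolve_all("www.example.com", 80))` on every request. The short connect timeout is what bounds the "spinning wheels" cost mugo and the edgedirector poster describe; the cooldown is the part the thread says browsers lack, since without it a dead IP is merely skipped once and comes round again on the next resolve.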

  #53 (joined Mar 2003, 470 posts)
    I am sorry for somewhat reviving this thread. I don't think it's that old yet.
    I have read it from start to finish and I agree with the consensus that DNS Round Robin "somewhat" works if you are OK with half of your visitors having some downtime.
    And you can somewhat "improve" it if you remove the down IP as you detect it, so new site visitors will no longer see the dead IP.
    Am I correct in this assumption?

    While I agree that DNS RR is a poor man's failover, the clear winner for production use is a load balancer like HAProxy.
    Now my question is, what is the minimum setup required for this to work for data center failover?
    For instance, how do you set up 2 VPS located in 2 geographically separated data centers?
    Am I correct to assume that you need an additional 2 VPS (both with HAProxy installed) to act as load balancers, so you actually need 4 VPS (2 HAProxy + 2 mirrored servers)?
    Then you use DNS Failover (like DNS Made Easy) to fail over between your 2 HAProxy servers?

  #54 (joined Apr 2000, Brisbane, Australia, 2,602 posts)
    Quote Originally Posted by mbr View Post (#53 above, quoted in full)
    That's basically what I do for centminmod.com, except I install haproxy on each web server (backend) as well. So each haproxy server load-balances each web server backend, and the servers serve a dual purpose instead of having dedicated haproxy-only servers. Cuts down costs as a poor man's alternative. So for 2x VPS haproxy load balanced, each VPS has haproxy on port 80 and an apache/nginx or litespeed web server backend on port 89 or something.

    But I only have one active haproxy primary server and use dnsmadeeasy for DNS/IP failover to backup haproxy servers, so if the haproxy primary server fails, dnsmadeeasy switches to the secondary IP for the haproxy #2 server, and if haproxy #2 fails, haproxy #3 kicks in, and so forth. Dnsmadeeasy allows for up to 5 failover IP sets. Works very well.

    Note, this isn't round robin at the haproxy level, as only one haproxy server is active at a time, while round robin at the haproxy level would have more than one haproxy server active. But it is round robin at the web server backend level within haproxy.
    : CentminMod.com Nginx Installer Nginx 1.25, PHP-FPM, MariaDB 10 CentOS (AlmaLinux/Rocky testing)
    : Centmin Mod Latest Beta Nginx HTTP/2 HTTPS & HTTP/3 QUIC HTTPS supports TLS 1.3 via OpenSSL 1.1.1/3.0/3.1 or BoringSSL or QuicTLS OpenSSL
    : Nginx & PHP-FPM Benchmarks: Centmin Mod vs EasyEngine vs Webinoly vs VestaCP vs OneInStack

  #55 (joined Mar 2003, 470 posts)
    @eva2000 - Thanks. I get the picture.
    I just have one question that I forgot to ask.
    I guess it goes without saying that another server is required for data replication/mirroring?

  #56 (joined Mar 2009, Austin Tx, 2,007 posts)
    Quote Originally Posted by mbr View Post (#55 above, quoted in full)
    You don't necessarily have to have a dedicated server for replication; just pick one...usually the one you consider most stable...and deem it "master".
    All other servers receive data from it, either pushed or pulled.

    On the original question, if the goal is just failover, and one web/app server is sufficient, you can attain the same goal by just using a real DNS failover service with low TTLs. I use 90s; works great, has for almost a decade now.

    If you truly need haproxy to spread the load, then you can use either, or, best, a combination of the two. Depending on the customer, I've used a mix of almost everything discussed (I've been setting up custom LB apps for a long time, we'll say..), and I prefer to use haproxy/www on the same server, but only as a true backup. I try not to serve www off the same server unless all other nodes are down. For true failover, though, yes, your minimum is 2 servers with DNS failover. If your primary haproxy goes down, then you need a way to direct to something else. But that won't "do" if one server is incapable of keeping up with your requests -

    If one box cannot handle the load of your app, then at least 3 servers are suggested: one dedicated www, and two haproxies, each using the other and the dedicated www as its backends, with haproxy using localhost as www should the two backends fail. But you also need DNS failover (real, not RR) to redirect to the good haproxy should one go down. That way, you still have two servers to handle the load.

    The first step should be discerning how many www servers you require at any given time to minimally serve your web/apps. That will allow you to plan accordingly...you don't want a plan that ultimately falls back to one haproxy serving www from itself if 3 backends are required to keep up with your traffic, for instance. I wouldn't consider HA to be HA if the failover's worst instance couldn't serve your apps.

  #57 (joined Mar 2003, 470 posts)
    @mugo - Thank you, very helpful.

    When you say "real DNS failover" you mean to use DNS Failover like what DNS Made Easy offers?

  #58 (joined Mar 2009, Austin Tx, 2,007 posts)
    Quote Originally Posted by mbr View Post (#57 above, quoted in full)
    Yes, I've personally used them for years, in a corporate environment and for my personal HA hosting biz. In 8-9 years, they've had one issue. I don't know of anyone else that can do what they do for the same price point.

    The failover has always worked flawlessly, and you can go 5 IP levels deep with failover, which really helps in disaster planning.

    Your last few failovers can be stand-alone servers, etc. With HAProxy, DNS failover, and spreading sites around geographically (always use separate hosts, too), it can literally take 10-20 simultaneous failures to take you down 100%.
    What happens if DNSME goes down? I also keep secondary DNS elsewhere, just in case....which removes any single point of failure. There are other "worst case" plans for DNS, in case they are nuked for a sustained time, which we hope to never use, but I've learned to have the worst-scenario plans on hand...just in case.
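What mugo calls a "real" DNS failover service in #56 and #58 (a monitor that swaps the published A record down an ordered chain, rather than a round robin that keeps handing out a dead IP) comes down to a small piece of control logic, and the number a practitioner wants from it is how long visitors can still land on the dead box. As an added example, not DNS Made Easy's code or anything posted in the thread, here is that logic in Python with the health probe injectable; the 198.51.100.x chain, the thresholds, the probe port and the 30-second probe interval in the demo are assumptions.

```python
import socket
from typing import Callable, Dict, List


def tcp_probe(ip: str, port: int = 80, timeout: float = 2.0) -> bool:
    """Real health check: can we complete a TCP connect to ip:port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


class FailoverChain:
    """Publish the highest-priority healthy IP from an ordered chain.

    A node is marked down only after `fail_threshold` consecutive failed
    probes and marked up again only after `recover_threshold` consecutive
    good ones, so one dropped packet does not flap the zone."""

    def __init__(self, chain: List[str], probe: Callable[[str], bool],
                 fail_threshold: int = 3, recover_threshold: int = 2) -> None:
        if not chain:
            raise ValueError("need at least one address")
        self.chain = list(chain)
        self.probe = probe
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.fails: Dict[str, int] = {ip: 0 for ip in chain}
        self.oks: Dict[str, int] = {ip: 0 for ip in chain}
        self.healthy: Dict[str, bool] = {ip: True for ip in chain}
        self.published: str = chain[0]    # what the A record says right now
        self.changes: List[str] = []      # audit log of record changes

    def tick(self) -> str:
        """Probe every node once and return the IP that should be published."""
        for ip in self.chain:
            if self.probe(ip):
                self.oks[ip] += 1
                self.fails[ip] = 0
                if not self.healthy[ip] and self.oks[ip] >= self.recover_threshold:
                    self.healthy[ip] = True
            else:
                self.fails[ip] += 1
                self.oks[ip] = 0
                if self.healthy[ip] and self.fails[ip] >= self.fail_threshold:
                    self.healthy[ip] = False
        # First healthy node wins (so we fail back once the primary recovers);
        # if nothing is healthy, keep the current record rather than churn.
        target = next((ip for ip in self.chain if self.healthy[ip]), self.published)
        if target != self.published:
            self.changes.append(f"{self.published} -> {target}")
            self.published = target
        return self.published


def worst_case_seconds(probe_interval: float, fail_threshold: int, ttl: int) -> float:
    """Longest a visitor can still be sent to a dead IP: detection time
    (threshold probes) plus the TTL resolvers may cache the old answer for."""
    return probe_interval * fail_threshold + ttl


if __name__ == "__main__":
    # Offline demo with a constructed probe: take .1 down, then bring it back.
    state = {"198.51.100.1": True, "198.51.100.2": True, "198.51.100.3": True}
    fc = FailoverChain(list(state), probe=lambda ip: state[ip])
    state["198.51.100.1"] = False
    for _ in range(4):
        print(fc.tick())          # .1, .1, then .2 from the third failure on
    state["198.51.100.1"] = True
    for _ in range(2):
        print(fc.tick())          # .2, then back to .1 after two good probes
    print(fc.changes)
    print(worst_case_seconds(30, 3, 90))   # 90 s to detect + 90 s TTL = 180
```

In eva2000's layout the chain entries are the HAProxy front-ends, one per VPS. The last line is the check to do before trusting the setup: with mugo's 90-second TTL and a 30-second probe, a dead primary keeps receiving some visitors for up to three minutes, and a longer TTL stretches that window one-for-one.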

  #59 (joined Mar 2003, 470 posts)
    @mugo - I've heard that indeed DNSME experienced only one downtime in 8 yrs.
    Now that you mention it, how do you actually use a secondary DNS? Do you mean you actually have 2 authoritative DNS servers?

  #60 (joined Mar 2009, Austin Tx, 2,007 posts)
    They appear rock solid, from my view...so I love 'em.

    For secondaries, with the domain in question, you first need to select a service, or set up yourself, a secondary DNS server for that and/or your other domains.

    In DNSME, or whatever DNS you use, you can give the IP to allow transfers to, which is the secondary DNS server's IP. In your secondary, you then tell that server to go to your primary and pull the record for the zone(s) in question. Since you've allowed this at your primary, it pulls the record and serves up the zone.

    Last but not least, make sure to add that secondary DNS server to your domain's DNS servers at the registrar level, or no one will ever query it should your primary be down.
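mugo's recipe above (allow transfers to the secondary's IP, have it pull the zone, list it at the registrar) has a failure mode worth checking for: a secondary that is listed at the registrar but cannot transfer the zone still gets a share of resolver queries and answers them with stale data, or not at all. The following added example (not the thread's or any provider's code) asks each authoritative server for the zone's SOA using only the Python standard library and compares the serials. The zone example.com, the 192.0.2.53 and 198.51.100.53 server addresses and the `fake_soa_answer` reply builder are constructed for the offline run.

```python
import os
import socket
import struct
from typing import Callable, Dict, List, Optional

TYPE_SOA, CLASS_IN = 6, 1


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(zone: str, txid: int) -> bytes:
    """Header (id, RD set, one question) + QNAME + QTYPE=SOA + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def skip_name(buf: bytes, off: int) -> int:
    """Offset just past a domain name, handling compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_soa_serial(resp: bytes, txid: int) -> Optional[int]:
    """Serial of the first SOA in the answer section, or None when the id
    does not match, RCODE is not NOERROR, or no SOA came back."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F != 0:
        return None
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4       # past QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_SOA and rclass == CLASS_IN:
            p = skip_name(resp, off)         # MNAME
            p = skip_name(resp, p)           # RNAME
            return struct.unpack("!I", resp[p:p + 4])[0]
        off += rdlen
    return None


def udp_query(server: str, packet: bytes) -> bytes:
    """Real transport: one UDP round trip straight to the server, port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(packet, (server, 53))
        return s.recv(4096)


def check_serials(zone: str, servers: List[str],
                  query: Callable[[str, bytes], bytes] = udp_query) -> Dict[str, Optional[int]]:
    """Ask each listed nameserver directly, with a fresh random id per query."""
    out: Dict[str, Optional[int]] = {}
    for srv in servers:
        txid = int.from_bytes(os.urandom(2), "big")
        try:
            out[srv] = parse_soa_serial(query(srv, build_soa_query(zone, txid)), txid)
        except (OSError, struct.error, IndexError):   # timeout or garbage reply
            out[srv] = None
    return out


def in_sync(serials: Dict[str, Optional[int]]) -> bool:
    """True only if every server answered and all serials agree."""
    values = set(serials.values())
    return None not in values and len(values) == 1


def fake_soa_answer(query: bytes, serial: int) -> bytes:
    """Constructed reply for offline use: echoes the question and answers
    with one SOA whose owner is a pointer (0xC00C) to the question name."""
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)   # QR, AA, NOERROR
    rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", serial, 7200, 900, 1209600, 300))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + rr


if __name__ == "__main__":
    # Offline demo: the "secondary" (198.51.100.53) is one zone edit behind.
    def stale_secondary(srv: str, pkt: bytes) -> bytes:
        return fake_soa_answer(pkt, 2012040101 if srv == "192.0.2.53" else 2012033001)

    result = check_serials("example.com", ["192.0.2.53", "198.51.100.53"], query=stale_secondary)
    print(result, "in sync:", in_sync(result))
```

Run it against the IP of every NS you list at the registrar, not through a recursive resolver, so you see what each box itself answers. A lagging serial or a None means the secondary is not transferring; on the primary side the usual cause is the transfer permission not naming the secondary's IP. That setting is also the one to keep tight: a zone transfer open to any source hands an attacker your whole zone.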

  #61 (joined Mar 2003, 470 posts)
    @mugo - Thanks.

    On a slightly off-topic... I am all sold with DNSME except for one thing in their TOS: If DNS Made Easy is under a DDoS attack due to a client’s domain(s) then all associated costs with fighting the attack will be passed on to the client.

    This seems quite unfair, since the client will never know an attack will happen to them. Is this standard practice for all DNS providers? Why don't they just simply shut down the account rather than charge? It could potentially cost a client a fortune. This is quite a deal breaker IMO.

    Unless this is standard, it's kinda weird that a DNS service will charge for a DDoS attack.

  #62 (joined Apr 2000, Brisbane, Australia, 2,602 posts)
    Quote Originally Posted by mbr View Post (#61 above, quoted in full)
    Hey mbr, I honestly didn't realise that part of their TOS, so, concerned, I emailed DME support, and didn't really like their response, although I do understand their point of view.

    Basically, DME's stance and belief is that every domain client who gets DDoS attacked on the DME network knows or suspects they will be DDoS attacked, thinking they can get DDoS protection on the DME network for $30-60/yr compared to $10,000s per month from DDoS mitigation providers.

    So DME put that clause into their TOS so they can recover the costs of DDoS attacks from those clients. They recently had a 200Gbps DDoS attack on their network, and they claim that client knew they were getting DDoS attacked, so moved their domains to DME paying $30/yr. The 200Gbps DDoS attack, according to DME, would over its 35hr duration cost them $600,000, which they will attempt to recover from the client. If you get DDoS attacked, DME don't want you as a customer, basically.

    Basically the DME TOS clause is in there to catch those who know they are subject to DDoS attacks. I can understand that. DME says all DNS providers will do the same to recover costs and don't provide free DDoS attack protection on low-cost plans (unless you're with a DDoS-protected DNS provider charging a lot more $$$); they're just not so transparent in their TOS like DME has been - they've been upfront about it. DME says go and specifically ask other DNS providers their stance on such.

    The only problem I have is their view that all clients getting DDoS attacked know or suspect they will be DDoS attacked. I'm sure there are a few who didn't know, and that's where I am concerned, like you.

    It's true most folks won't get DDoS attacked, but the uncertainty of it all is concerning.

    Would love to hear mugo's and other readers' thoughts on this.
    Last edited by eva2000; 04-01-2012 at 08:20 AM.

  #63 (joined Mar 2003, 470 posts)
    @eva2000 - I'd rather manually update my DNS or even set up my own DNS server than potentially be liable for $600,000. That is just insane.

    I guess you can say at least they were upfront about it, but it is still a deal breaker for me.

    I also emailed them asking if they have DDoS protection that we can buy; they didn't say anything about it.

  #64 (joined Apr 2000, Brisbane, Australia, 2,602 posts)
    Yeah, I'm emailing a bunch of DNS providers just to ask about their stance too. Also asking them about what they posted on their DME twitter account at https://twitter.com/#!/DNSMadeEasy/s...53359534653440, referring to some form of policy for protection?

    posted on twitter:
    @sharpjs Your blog would not be a target of a DDoS.:-) Open a ticket for more information.We have the policy to protect users like yourself

  #65 (joined Mar 2003, 470 posts)
    @eva2000 - That's interesting; kindly update us about the protection policy when you hear from them.

  #66 (joined Apr 2000, Brisbane, Australia, 2,602 posts)
    Just searching around while waiting on DME's reply and found an older thread where it seems it is standard practice that customers pay for the cost of DDoS attacks: http://www.webhostingtalk.com/showth...78#post6580578

    Guess some DNS providers aren't that clear in their TOS.

  #67 (joined Mar 2003, 470 posts)
    Well, let's say I'm using "ordinary" DNS services which come by default with domain registrars like Godaddy, etc. So does this mean Godaddy will charge customers if our sites are attacked with DDoS?
    Last edited by mbr; 04-02-2012 at 03:02 AM.

  #68 (joined May 2007, 2,042 posts)
    Wow, what an interesting thread: haproxy + mugo + DNSME + DDoS + eva's input, hard to beat.

  #69 (joined Oct 2007, 455 posts)
    Guys..... your idea of what happens during a DDoS is confusing to me. DNS Made Easy is actually being upfront and honest. And they are the ONLY company I have ever met that will waive a month or so of queries if it is a small DDoS.

    It seems like just because DNS Made Easy is honest and mentions DDoS that you guys think they are doing something crazy. All providers do this.

    UltraDNS will shut you down and charge you.
    Dynect will shut you down and charge you.
    All of your hosting providers will shut you down and charge you.


    Here is what Dyn (Dynect) uses for their DDoS (you can verify with a phone call).
    http://dyn.com/legal/dyn-services-agreement/
    d. Data Preservation.
    i. In the event of a Suspension. In the event of a suspension by Dyn of Your access to any Service for any reason, during the period of suspension: (i) Dyn will not take any action to intentionally erase any of Your data stored on the Services and (ii) any and all service fees will continue to accrue.

  #70 (joined Apr 2000, Brisbane, Australia, 2,602 posts)
    Yeah, I understand and agree DME is being honest and has to limit their potential costs; it's just a wake-up call for some of us customers who also want to limit our potential costs incurred, and that we're all exposed to some potentially crazy $$$ in terms of costs if we ever get DDoSed.

    Guess DDoS protection is looking more and more like travel insurance: without it you're screwed when something goes wrong, but with it, you hope you never have to use it LOL

  #71 (joined Mar 2003, 470 posts)
    I've now emailed Godaddy regarding their policies.

    On a side note, how come BurstNET can offer DDoS protection on their budget VPS that cost around $5/mo? Or is it a completely different story when it comes to DNS?

  #72 (joined Apr 2000, Nevada, US, 5,550 posts)
    Quote Originally Posted by mbr View Post
    On a side note, how come BurstNET can offer DDoS protection on their budget VPS that cost around $5/mo? Or is it a completely different story when it comes to DNS?
    Because we protect our network as a whole, not each VPS individually. We charge extra for customized/individual DDoS protection configuration/rules.
    SmartHost™ - Intelligent Hosting! - Multiple Locations - US/EU! - Ultra-Fast NVME SSD VPS!
    http://www.smarthost.net - sales@smarthost.net - Resale/Affiliate Programs
    Cloud Hosting - VPS Hosting - Dedicated Servers - Colocation - Flux Capacitors

  #73 (joined Oct 2007, 455 posts)
    Quote Originally Posted by mbr View Post (#71 above, quoted in full)
    If BurstNET is offering DDoS protection for $5 per month then sign me up! I have a client that was getting about 8 Gbps attack to their website. If I could fight that for $5 per month.... I'm in!

    I'm sure DNS Made Easy would have loved to push their 200+ Gbps on them as well for $5 per month. BurstNET might get a lot of business out of this!

    True DDoS protection is not null-routing. You can not null-route a DNS service and stay up.

  #74 (joined Aug 2002, Seattle, 5,525 posts)
    If a company prices a DDoS upgrade low enough, it is possible that enough customers will subscribe to pay for the cost of the mitigation system. The problem is that once you start receiving real, consistent attacks you become a risk and impact the other customers.

  #75 (joined Oct 2007, 237 posts)
    Sorry to revive this old thread, but I'm really interested in this method, aka using the web server and haproxy on the same server. I got really confused on how this works. Can anyone, or mugo, explain this better?
