Should DNS be on same server as webserver?

Jon Radel jon at radel.com
Mon Jul 13 17:03:34 UTC 2009


John Almberg wrote:
> 
> The other day, a FreeBSD 'expert' told me that it is important to have 
> the DNS server for a domain on the same server as the domain's web 
> server. Supposedly, this saves doing tons of DNS look ups over the 
> network. Instead, they are done locally.
> 
> This makes sense to me, but I wonder if the performance difference is 
> really that significant?

In my experience, you're straying well into "it all depends" and "you'll 
have to benchmark your situation and see" territory.

I once walked into a situation where a web server was set up to do a 
reverse lookup on all log entries, and the DNS servers were on the far 
end of an overloaded 56 kbps line.  That was miserable, stupid slow and 
quickly cured by setting up a resolving name server on the web server.

On the other hand, in situations where my name servers have been on the 
same high-quality gigE switch as the web servers, I've never noticed an 
issue, but then I don't run any really high-volume servers.

On the third hand (too many years in front of CRTs), Apache and BIND 
have both had their security issues over the years, and there's 
something to be said for running them on different servers to reduce 
both the "all eggs in one basket" factor and the ease of spreading an 
attack.  (Yes, I'm assuming what you're actually running....)

If you want performance and security, you might consider running your 
authoritative DNS servers for your domain on a different server, while 
on your web server you run a light-weight caching DNS server reachable 
only on the loopback interface.

-- 

--Jon Radel
jon at radel.com
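
Added example, not part of the original message: a check that a caching resolver on the web server really is reachable only on the loopback interface, as the reply recommends. It parses listener output in the column layout of FreeBSD `sockstat -l`; the sample text is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the column layout of FreeBSD `sockstat -l`
# (USER COMMAND PID FD PROTO LOCAL FOREIGN); not captured from a real host.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      901   3  tcp4   *:80                  *:*
bind     named      812   20 udp4   127.0.0.1:53          *:*
bind     named      812   21 tcp4   127.0.0.1:53          *:*
bind     named      812   22 udp6   ::1:53                *:*
bind     named      812   23 udp4   192.0.2.10:53         *:*
bind     named      812   24 tcp4   *:53                  *:*
"""

def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcard and junk count as exposed."""
    if host == "*":
        return False
    try:
        # Drop any IPv6 scope suffix (e.g. %lo0) before parsing.
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False  # fail closed on anything unparseable

def exposed_dns_listeners(sockstat_text, port=53):
    """Return (command, proto, local) for each listener on `port` not on loopback."""
    findings = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # skip the header and short or blank lines
        command, proto, local = fields[1], fields[4], fields[5]
        # The port follows the last colon, which also works for IPv6 (::1:53).
        host, _, local_port = local.rpartition(":")
        if local_port != str(port):
            continue
        if not is_loopback(host):
            findings.append((command, proto, local))
    return findings

if __name__ == "__main__":
    for command, proto, local in exposed_dns_listeners(SAMPLE):
        print(f"{command} answers {proto} on {local}: not loopback-only")
```

On a live host the same function can be fed the text of `sockstat -l` instead of the sample; an empty result means nothing is answering on port 53 outside loopback.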

More information about the freebsd-questions mailing list