Not a lot of detail on your needs, but you may consider just providing service through one of the very big DNS providers. The expense of building, managing, and supporting your own infrastructure is not insignificant. You may be able to offer add-on services through a big provider that may be difficult to roll your own like security features, safe searches, parental controls, etc. On Thu, Aug 7, 2025 at 9:42 PM John Todd via NANOG <nanog@lists.nanog.org> wrote:
On 7 Aug 2025, at 20:53, brent saner via NANOG wrote:
On Thu, Aug 7, 2025, 20:45 DurgaPrasad - DatasoftComnet via NANOG < nanog@lists.nanog.org> wrote:
Hello all, Do you have any recommendations for recursive DNS servers for a medium sized (20-30k users) ISP. We have used powerdns and unbound but sometimes find the caching times a bit on upper side. Any suggestions between these two or anything new? Also need points on how much we tune the settings pros and cons if any.
Thank you /DP
< https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SUTKDISS...
It's surprising that you didn't get the performance you hoped for out of PowerDNS. You already tried the suggestions in their tuning guide[0], I'm assuming?
You may also want to load in entire zones to the hot cache[1].
And there's always horizontal scaling; sometimes you just plain hit limits on vertical scale.
I haven't tried it yet, but dnsdist[2] should let you do this. (Or keepalived and/or HAproxy, or... etc. Any loadbalancer that can handle raw TCP and UDP.) Dnsdist in particular seems explicitly targeted towards a large set of untrusted clients with additional optional "safeguarding/consumer protection" features. Quad9 uses it in some fashion, if I recall correctly.
[0] https://doc.powerdns.com/recursor/performance.html [1] https://docs.powerdns.com/recursor/lua-config/ztc.html [2] https://www.dnsdist.org/index.html
You beat me to it - dnsdist is an exceptionally robust solution for front-ending recursive (or authoritative) servers. Quad9 is indeed using it for all our recursive systems, and we split traffic on the "back-end" between PowerDNS recursor and Unbound. It (dnsdist) has a "packet cache" feature which handles much of the load once warmed, and it answers on DOT/DOH as well as providing for a very rich set of tooling that allows management of unwanted behaviors. The combination of dnsdist plus a good recursive resolver should easily be able to handle 30k users on a single modest chassis with ease, though of course it there are very good reasons to have several systems similarly configured in fail-over models using ECMP or your favorite routing protocol. Hot caches work better - try not to spread load too much.) At this point, I can't imagine running a recursive system that is open to anything other than a tiny number of users without ensuring that dnsdist is in front of it -! it's exa ctly the right thing and has been sandblasted by a lot of trial-and-error to make it fast and reliable with lots of features for ISP environments.
If a decent-sized system doesn't seem fast, there may be some other underlying issue that is at the root of a perceived speed issue. There is useful data that can be pulled out of dnsdist with prometheus-style outputs - I would suggest instrumenting things and seeing where the problems are.
Now, the original question of "points on how much we tune the settings" - that is a much longer discussion, but honestly you can get to 80% goodput without too much fiddling.
JT _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/J4WSKWYC...