HA DNS, Mail, Storage

Greetings everybody,

I am no FreeBSD expert. I have Linux and FreeBSD experience.

I would like to set up an HA mail, DNS and storage server for a SOHO environment. So, there will be just 2 small servers with a few spinning disks and Ethernet NICs.

Regarding storage there is HAST and uCARP: https://wiki.freebsd.org/HAST (I assume this howto works just fine; I have never tried it before).
In production, lots of vdev mirrors rule, as far as I have already read here in the forum. BTW: thank you for sharing your experience :)
So, storage should be no big deal.

DNS - well, I have already set up a single BIND server using FreeBSD. Do you agree with me that there is no real "HA DNS best practice", because you simply set up 2 DNS servers and give the IPs of both DNS servers to the client, right?

Mail - well, once upon a time, I set up an MTA with a web UI server on Linux. I tried to install SquirrelMail, but I failed. So, I used other web-UI-based stuff. Anyway, I have already found some useful links like this one or that one, but regarding HA mail setups I have to admit: I have no idea about that. Actually, I did not find useful information regarding that topic. Is there any concept for running an HA MTA?

I would like to ask you about your experience regarding HA MTAs, too.
 
Regarding storage there is HAST and uCARP: https://wiki.freebsd.org/HAST (I assume this howto works just fine; I have never tried it before).
Never heard of this before. I'd be curious to hear about your experience if you implement it.
DNS - well, I have already set up a single BIND server using FreeBSD. Do you agree with me that there is no real "HA DNS best practice", because you simply set up 2 DNS servers and give the IPs of both DNS servers to the client, right?
Not in your case. There's no primary or secondary name server from the client's perspective. I list my secondary name server first in my clients' resolv.conf, for example. At the server, the primary is where updates to the zone files happen. The secondaries receive updated zone files from the primary.

You'd just set up two primaries in your case, since HAST is active-passive and the storage is shared at the block level. You'd just list the UCARP IP in your clients' resolv.conf.
Mail - well, once upon a time, I set up an MTA with a web UI server on Linux. I tried to install SquirrelMail, but I failed. So, I used other web-UI-based stuff. Anyway, I have already found some useful links like this one or that one, but regarding HA mail setups I have to admit: I have no idea about that. Actually, I did not find useful information regarding that topic. Is there any concept for running an HA MTA?
Again, this doesn't apply in your case because your setup will be active-passive, and you handle replication at the block level. The MTA story is somewhat similar to the DNS story. You can have any number of MTAs accepting mail for your domains. Exactly one of them should actually deliver it to users' inboxes. The others should all forward mail to the MTA that does local delivery.

All of this goes out the window in an active-passive HAST setup. You'd set up two servers to do local delivery, and rely on CARP to make sure only one of them actually gets mail traffic. Obsigna's guide is very good and exhaustive.

I would set up two identical servers to attempt this. The only difference would be the non-CARP IP address of each node.
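As an added illustration of the active-passive switch Jose describes (CARP decides which node is master, HAST supplies the replicated block device, and DNS plus the MTA run only on the master), here is a devd(8) hook in shell. It is example code written for this page, not from the thread, the HAST wiki or Obsigna's guide. The interface name em0, vhid 1, the HAST resource "data", the mount point /hast/data and the service list (named, postfix, dovecot) are all assumptions; only carp_state and action_for are pure functions that can be exercised offline, against a constructed ifconfig sample embedded in the script.

```shell
#!/bin/sh
# Added example (not from this thread or Obsigna's guide): a devd(8) hook that
# implements the CARP + HAST active-passive node switch. Interface, vhid,
# resource, mount point and service names are assumptions for illustration.
#
# Hook it to CARP state changes with a devd rule such as
# (/usr/local/etc/devd/carp-hast.conf):
#   notify 30 {
#       match "system"    "CARP";
#       match "subsystem" "1@em0";        # vhid@interface
#       match "type"      "(MASTER|BACKUP)";
#       action "/usr/local/sbin/carp-hast-switch $type";
#   };

CARP_IF="em0"                    # assumed interface carrying the CARP address
VHID="1"                         # assumed CARP vhid
HAST_RESOURCE="data"             # assumed resource name from /etc/hast.conf
MOUNTPOINT="/hast/data"          # assumed UFS mount point for /dev/hast/$HAST_RESOURCE
SERVICES="named postfix dovecot" # assumed services that must run on one node only
WAIT_SECONDS=30

# Parse the CARP state of one vhid from ifconfig(8) output read on stdin.
# Prints MASTER, BACKUP or INIT as reported, or UNKNOWN if the vhid is absent.
carp_state() {
    awk -v vhid="$1" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# Map the devd $type (or a lowercase CLI argument) to the action to take.
# Prints "master", "backup" or nothing for states we ignore (e.g. INIT).
action_for() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        master) echo master ;;
        backup) echo backup ;;
        *)      ;;
    esac
}

# Become the active node: promote the HAST resource, wait for the provider,
# check and mount the file system, then start the single-instance services.
become_master() {
    hastctl role primary "$HAST_RESOURCE" || return 1
    i=0
    while [ ! -e "/dev/hast/$HAST_RESOURCE" ]; do
        i=$((i + 1))
        [ "$i" -lt "$WAIT_SECONDS" ] || { echo "HAST provider never appeared" >&2; return 1; }
        sleep 1
    done
    fsck -p -y -t ufs "/dev/hast/$HAST_RESOURCE" || return 1
    mount -t ufs "/dev/hast/$HAST_RESOURCE" "$MOUNTPOINT" || return 1
    for svc in $SERVICES; do
        service "$svc" onestart
    done
}

# Become the passive node: the reverse order, so nothing is writing to the
# file system when HAST is told to start receiving blocks from the new master.
become_backup() {
    for svc in $SERVICES; do
        service "$svc" onestop
    done
    umount -f "$MOUNTPOINT"
    hastctl role secondary "$HAST_RESOURCE"
}

# Constructed sample of ifconfig(8) output, used to exercise carp_state offline.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
	carp: BACKUP vhid 2 advbase 1 advskew 100'

# Dispatcher: with no argument the script only defines the functions above.
case "$(action_for "${1:-}")" in
    master)
        # Re-read the kernel's view before acting; devd events can arrive out
        # of order during a flap, and acting on a stale MASTER is destructive.
        if [ "$(ifconfig "$CARP_IF" | carp_state "$VHID")" = "MASTER" ]; then
            become_master
        fi
        ;;
    backup)
        become_backup
        ;;
esac
```

The order in become_backup matters: services are stopped and the file system unmounted before hastctl is told to go secondary, otherwise the node could still be writing to a device that is about to start receiving blocks from the other side. The MASTER re-check before become_master is the cheap guard against acting on a stale event during a CARP flap.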
 
Hi Jose,

thanks a lot for your answer; I took a first look at Obsigna's guide. I look forward to starting the installation of both systems and the MTA with webmail. This guy, Dr. Rolf Jansen, has created a very detailed tutorial. 🥳 I appreciate that! 🤓
 
DNS - well, I have already set up a single BIND server using FreeBSD. Do you agree with me that there is no real "HA DNS best practice", because you simply set up 2 DNS servers and give the IPs of both DNS servers to the client, right?
Set up the second BIND as a slave to the first. Do set up a VIP (CARP) address between them. While you can supply two or more DNS servers for resolving, the second DNS server will only get queried if requests to the first time out. This causes an annoying, and very noticeable, delay in all your DNS name resolving.
 
Set up the second BIND as a slave to the first. Do set up a VIP (CARP) address between them. While you can supply two or more DNS servers for resolving, the second DNS server will only get queried if requests to the first time out. This causes an annoying, and very noticeable, delay in all your DNS name resolving.
Typically, when setting up DNS, queries should not be sent to the primary. The secondaries (more than one) should handle all the workload. The primary should not be exposed to the Internet. And in a split-DNS setup, internal queries should be handled by the internal secondaries. This best practice is how most large datacentres and enterprises configure their DNS.
 