Recommended idle timeout setting for DNS (UDP)?

This thread was timely as a couple of us are exploring the various options for a high-volume deployment. Really, it pretty much boils down to these, each with its own advantages and disadvantages:

 

 

1) In-line, 'stateful' UDP. This is the normal way many folks setup DNS LB, taking defaults on the fast l4 profiles. The downside is that if you get hammered with traffic (valid or otherwise) it may not play nice with the connection table. This deployment is probably the most common. You can create custom profiles to lower the timeout values, but it's essentially normal 'ol BigIP.

 

2) "Stateless" UDP, discussed above. Better characteristics with the connection table, fairly well suited for mid-high volume deployments.

 

3) 'Stateless' npath. Probably best for ultra, ultra high volumes.

 

4) Datagram LB (stateful - uses the connection table). The LTM will send multiple queries from the same IP:src port combo to different systems per datagram. Helps distribute DNS load across a farm in a sane way.

 

5) Advanced iRule switching, protection, etc. Doing a quick search of the iRules Wiki for "DNS" is enough to keep many of us busy for a while!

 

 

If anyone else out there has variations or additions to this list please point them out.

 

 

One other note: the 'stateful' designs can also run you up against ephemeral port exhaustion so keep an eye on that if you decide to use this deployment option. Obviously the problem is really easy to fix via a snat pool with multiple addresses, but it's better to know about it up front than run into dropped queries in production...I've run into this issue two times now with large-ish DNS setups that are using SNAT automap. As a best practice, I'd go straight in with a pool of SNAT addresses.

 

 

Jeremiah: please update us when you arrive at some resting place with this deployment. It'll be really useful for all of us to see how you set it up to meet your requirements.

 

 

-Matt