Jul 24, 2015

5 big name websites who use round-robin DNS and their TTL values

There are many ways to make your websites redundant. The best way to do that is by using multiple websites with a load balancer, or with load balancing built in (Microsoft Load Balancing for instance). I've written about using HAProxy in the past for a cheap alternative to something like a Barracuda 340 Load Balancer.

Another popular method for load balancing is round-robin DNS. If you are unfamiliar with it, Wikipedia describes round-robin DNS as:
...a technique of load distribution, load balancing, or fault-tolerance provisioning multiple, redundant Internet Protocol service hosts, e.g., Web server, FTP servers, by managing the Domain Name System's (DNS) responses to address requests from client computers according to an appropriate statistical model.

In its simplest implementation, Round-robin DNS works by responding to DNS requests not only with a single IP address, but a list of IP addresses of several servers that host identical services. The order in which IP addresses from the list are returned is the basis for the term round robin. With each DNS response, the IP address sequence in the list is permuted. Usually, basic IP clients attempt connections with the first address returned from a DNS query, so that on different connection attempts, clients would receive service from different providers, thus distributing the overall load among servers.
In short, instead of adding one IP address for a website in DNS, you add multiple IP addresses for a website.

Some people don't like this method of load balancing, and rightfully so. For instance, Bob Plankers from The Lone Sysadmin writes:
On paper, round-robin DNS seems like an easy way to spread the load between multiple servers, but if one of those servers is down some clients will see outages as they are told to connect to the unavailable host. Round-robin DNS only works well with protocols and applications that have robust failover capabilities built in, and frankly, that isn’t too many of them.
He is not wrong there, but there is a way to mitigate that problem: lower your TTL value so that cached answers expire quickly. According to Akadia.com:
We set the TTL low (to 60 seconds) to prevent any intervening caching DNS servers from hanging onto one sort order for too long, which will hopefully help keep the number of requests to each host more or less equal.
Setting a low TTL also means that if one site is down, it only takes a few seconds or minutes for a client's cached DNS answer to expire, after which it re-queries and can try another site that might be up.
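To make the two points above concrete, here is a small simulation I'm adding to this post (it is not code from the original article or from any of the quoted sources). It models an authoritative zone that rotates three constructed TEST-NET addresses, a caching resolver that holds one ordering until the TTL expires, and a client that either only tries the first address returned (the "basic client" Bob describes) or falls through to the next one. It reports the longest stretch, in seconds, that the client kept connecting to a host that is down.

```python
from collections import deque

# Constructed sample addresses (RFC 5737 TEST-NET-1); the first one is "down".
ADDRS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
DOWN = ADDRS[0]


class RoundRobinZone:
    """Authoritative side: returns the full record set, rotated one position
    per response, which is the simplest round-robin behaviour."""

    def __init__(self, addrs, ttl):
        self._addrs = deque(addrs)
        self.ttl = ttl

    def answer(self):
        self._addrs.rotate(-1)
        return list(self._addrs)


class CachingResolver:
    """Intervening cache: keeps one answer (one ordering) until its TTL expires."""

    def __init__(self, zone):
        self.zone = zone
        self.cached = None
        self.expires = -1

    def lookup(self, now):
        if self.cached is None or now >= self.expires:
            self.cached = self.zone.answer()
            self.expires = now + self.zone.ttl
        return self.cached


def longest_outage_seconds(ttl, down, duration=1800, client_tries_all=False):
    """Simulate one connection attempt per second for `duration` seconds and
    return the longest run of attempts that only reached the `down` host."""
    resolver = CachingResolver(RoundRobinZone(ADDRS, ttl))
    longest = run = 0
    for now in range(duration):
        addrs = resolver.lookup(now)
        # A basic client uses only the first address; a failover-capable one
        # keeps going down the list until something answers.
        candidates = addrs if client_tries_all else addrs[:1]
        run = 0 if any(a != down for a in candidates) else run + 1
        longest = max(longest, run)
    return longest


if __name__ == "__main__":
    for ttl in (30, 300, 382, 3600):
        basic = longest_outage_seconds(ttl, DOWN, duration=4 * 3600)
        smart = longest_outage_seconds(ttl, DOWN, duration=4 * 3600, client_tries_all=True)
        print(f"TTL {ttl:>4}s: basic client stuck up to {basic}s, failover client {smart}s")
```

With a basic client the worst case is exactly one TTL, which is why the low values in the list below matter; a client that tries every returned address never notices the dead host at all.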

Now that you get the idea, you might still be thinking that round-robin DNS is not a good solution. Well, there are several big name websites that currently use it, and use it effectively. Here are some of them, with the TTL (in seconds) each one sets on its records:
  1. Twitter (TTL 30)
  2. Google (TTL 278)
  3. Reddit (TTL 300)
  4. Yahoo (TTL 382)
  5. Outlook (TTL 300)
As you can see above, all of these guys use a TTL value of 382 (~6 minutes) or less.

If you want real redundancy, I wouldn't recommend relying totally on round-robin DNS though. You should have multiple web servers per site and have load balancing configured there. Using that in conjunction with round-robin DNS should give you considerable redundancy, and I'm sure that is exactly what the above sites are doing.

What do you think about round-robin DNS? Do you use it? Why or why not? Let us know in the comments.

Jul 17, 2015

How to hack VMWare ESXi 4.1 to run Windows 2012 R2

Before we get too far, you are probably asking, "Why not just upgrade to VMWare 5.5" or something right? Well, there could be a number of reasons why someone wouldn't want to upgrade from VMWare 4.1 to 5.5. Maybe they have a budget issue. Who knows? Maybe stop judging!

Anyway, we need Windows 2012 R2 virtual servers in my environment, we're still running VMWare 4.1, and we can't upgrade to the latest and greatest until next year. The problem is that Windows 2012 R2 isn't currently supported in VMWare 4.1. If you are in a similar situation, don't despair. There is a hack that works to make Windows 2012 R2 run in VMWare 4.1.
  • Create a new VM using the Windows 2008 R2 template but don't power it on
  • Download this bios.440.rom file, then upload it to the same directory where your new VM files are located on the ESXi server.
  • Now edit the vmx file for your new VM using your favorite text editor, and add the following lines to the bottom of the file:
bios440.filename = "bios.440.rom"
mce.enable = TRUE
cpuid.hypervisor.v0 = FALSE
vmGenCounter.enable = FALSE
  • Now power on your VM and you should be able to install like normal!
Here is a screenshot from a test VM I made:

Officially this is unsupported by VMWare, but if you need Windows 2012 now, it will work and it's a lot easier than upgrading your entire environment.

Jul 10, 2015

VoIP calls dropping after two minutes over a Fortigate 100D firewall

A Cisco 7960G IP telephone (Photo credit: Wikipedia)
This past week has seriously made me want to drown my sorrows in alcohol. One of the issues we had was that, all of a sudden, users' phone calls would drop after 2:30. We just couldn't figure it out. We called our hosted VoIP provider and they double checked that we had SIP ALG and SIP Session Helper disabled on our Fortigate 100D firewall. That didn't help.

Well, after being on the phone with Fortinet support for about three hours the other day my Systems Administrator and Fortinet tech support found out that it was the timeout setting in our traffic shaper for VoIP!

By default the session-ttl timeout is set to 150 seconds (2:30), which is why our calls were dropping. We increased that number to 14400 (4 hours) and calls stopped dropping!

To configure that from the command line interface (CLI) in FortiOS 5.2 run:
  • config system session-ttl
  • set default 14400
  • end
I hope this helps you out because troubleshooting VoIP issues is enough to make you want to kick a cat, drink nine beers out of a funnel then punch someone in the mouth!

Jul 3, 2015

How to force SSL in Ubuntu 14.04 Apache

Logo of the Apache Software Foundation (Photo credit: Wikipedia)
Years ago I wrote about a PHP script you can include in your PHP websites to force SSL. Well, it turns out it's easier, more effective and more secure to make this change using a rewrite rule in your Apache configuration file.

In Ubuntu 14.04, you need to enable the Apache rewrite module by running:
a2enmod rewrite
Next you need to edit your website configuration file located in /etc/apache2/sites-available and add the following under DocumentRoot /var/www/yoursitedirectory:

<Directory /var/www/yoursitedirectory/>
    RewriteEngine On
    # Only rewrite requests that did not arrive over HTTPS
    RewriteCond %{HTTPS} off
    # Send the visitor to the same host and path over HTTPS as a permanent redirect
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Directory>
After that, save your configuration file and restart Apache by running:
service apache2 restart
After that, no matter what page visitors land on, they will be redirected to HTTPS!
