

Is it unwise to run DNS on your web server?

Posted on 2008-11-13
Medium Priority
Last Modified: 2013-11-30
Is it unwise to run DNS on your web server?
Question by: Wolfgang_D
LVL 29

Expert Comment

ID: 22950273
If this is a public DNS server then I am not seeing any problem.

But if your web server and DNS server work as the domain controller for your network, then it's not wise.

You should always put a public web server in a DMZ and an internal domain controller inside a firewall.
LVL 57

Expert Comment

ID: 22950348
My personal opinion is that you need to take into account a few factors.

What is the "size" of the computer you plan to deploy the website(s) on?
What is the expected traffic (hits as well as volume of data transferred) on the web site?
Is the web site serving up static pages, or dynamic pages?
Is the web site pulling data from a database? Is the database on the same computer as the web server?

Some people say that you should not mix server functions on the same computer, but that results in a LOT of very UNDERUTILIZED computers taking up space, using power, and generating heat.  One computer running at 20-25% busy uses less environmental resource than 4-5 computers running at 5% busy each.

Also, you may not  want to have one DNS server, or even one web server.  Depends on the availability requirements for the site.

If you don't want to run DNS and Web in the same OS image, you may want to look at getting two physical computers, and running virtual machines on them. One on each for web server functions and one on each for DNS functions.

But again it depends on the load you will have with the web server.  Typically DNS servers do not use that much computing resources.

Author Comment

ID: 22952145
Here is some more exact info about our server and websites.  

Our server runs CentOS Linux; has two Intel(R) Xeon(R) CPU E5310 @ 1.60GHz; 2 GB of memory; and a 160 GB hard drive.  

Our web server serves up 55 websites and they use approximately 180-220 Gig of bandwidth per month.  Not sure on the total number of hits but one of our more popular sites got 2841341 hits last month from 72015 unique visitors.  

All of our sites serve up dynamic, database driven, content.  

The proposal was to run the primary and secondary DNS off the same server ... which happens to be our web server as well.

I didn't like the idea that the backup was on the same server as the primary. That didn't seem logical. Also I'm not sure if it would slow the server down or expose it to attacks directed at name servers.

Let me know your thoughts.  :-)

Author Comment

ID: 22952186
This is not an internal domain controller.  
LVL 57

Accepted Solution

giltjr earned 1000 total points
ID: 22952366
Um, running both DNS servers on the same box. The purpose of having a second DNS server is for redundancy. Anybody that proposes that should be shot.

That's like giving you two keys to a door in case one gets lost, but you put both keys on the same ring.

At least one of the DNS servers MUST be on a separate physical box, not a different virtual host on the same box, but a separate physical box.  That gives you redundancy.

I would start with at least one DNS server and have that one be on a separate physical box.

Then I would look at CPU usage on the web server and look at it more granularly than monthly. I would look at 5 or 15 minute intervals for a few days. If it is low, then go ahead and put the secondary DNS server on the same box.

I would not worry about DNS server attacks. Web servers get attacked way more often than DNS servers and typically a DNS server does not use that much CPU. The only time CPU for a DNS server gets high is if you are serving up for a LOT of domains and a lot of hosts, as in hundreds or thousands of domains with thousands of hosts in each domain.

When they fixed the last big DNS server bug it caused performance problems on some DNS servers. DNS servers that were getting 10,000 plus requests a second. For most DNS servers for a single domain you might get 10 requests a second. Remember, even if you were getting 5,000 hits a second, there would have only been a few (maybe 100) DNS resolution requests.
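The accepted answer recommends watching the web server's CPU at 5 or 15 minute intervals for a few days before deciding whether the secondary DNS server can share the box. The POSIX shell script below is an added example (not posted by anyone in this thread) that does exactly that on a Linux host such as the CentOS server described: it reads the aggregate `cpu` line from `/proc/stat` twice and computes the percentage of non-idle time between the two samples. The sample lines used in the comments are constructed, and the 300-second default interval is an assumption you can change.

```shell
#!/bin/sh
# Percentage of busy CPU time between two aggregate "cpu" lines from
# /proc/stat.  Fields: cpu user nice system idle iowait irq softirq steal ...
# Idle time is idle + iowait; total is the sum of fields 2..9 (guest time is
# already counted inside user/nice, so it is not added again).
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            idle[NR] = $5 + $6
            total[NR] = 0
            for (i = 2; i <= 9 && i <= NF; i++) total[NR] += $i
        }
        END {
            dt = total[2] - total[1]
            di = idle[2] - idle[1]
            if (dt <= 0) { print 0; exit }       # no elapsed jiffies -> 0%
            printf "%d\n", (100 * (dt - di)) / dt
        }'
}

# Sample CPU busy percentage every INTERVAL seconds, COUNT times, and print
# one timestamped line per sample.  Redirect the output to a file and leave it
# running for a few days to get the picture the answer above asks for.
#   usage: sample_cpu [interval_seconds] [count]
sample_cpu() {
    interval=${1:-300}   # assumption: 5 minute interval by default
    count=${2:-12}
    prev=$(grep '^cpu ' /proc/stat)
    n=0
    while [ "$n" -lt "$count" ]; do
        sleep "$interval"
        cur=$(grep '^cpu ' /proc/stat)
        printf '%s busy=%s%%\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
            "$(cpu_busy_pct "$prev" "$cur")"
        prev=$cur
        n=$((n + 1))
    done
}

# Constructed sample: 1000 jiffies elapsed, 500 of them idle -> 50% busy.
# cpu_busy_pct "cpu 1000 0 500 8000 200 0 0 0 0 0" "cpu 1300 0 700 8400 300 0 0 0 0 0"
```

Run it as `sample_cpu 900 288 >> cpu-samples.log` for 15 minute samples over three days; a consistently low busy percentage is the signal the answer describes for moving the secondary onto the same box.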
LVL 29

Expert Comment

ID: 22954993
Hi, sorry for the late reply, but giltjr explained it in a nice way.
There is not much to say...

If you maintain your DNS server then you just have to make sure that the zone is not transferable; otherwise it would create a security problem. Other than that you should be fine.

By the way, currently who is responsible for your DNS server?
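The point about not leaving the zone transferable is worth showing concretely. The BIND `named.conf` fragment below is an added example, not configuration from anyone in this thread; the zone name, the two addresses and the key name are constructed, and the TSIG secret is a placeholder to be replaced with the output of `tsig-keygen`. It shows the weak setting (transfers to anyone, which lets any host on the Internet enumerate every record in the zone) beside the hardened one, where only the separate-box secondary, authenticated with a TSIG key, may pull the zone.

```conf
// Constructed layout for this example:
//   primary   203.0.113.10   (the web server, if DNS ends up sharing it)
//   secondary 198.51.100.20  (a separate physical box, as the accepted answer requires)

// --- Weak: any host can do an AXFR and read the whole zone ---
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-transfer { any; };
// };

// --- Hardened: deny transfers by default, allow only the keyed secondary ---
options {
    directory "/var/named";
    allow-transfer { none; };          // global default: no transfers at all
};

// Shared secret generated with:  tsig-keygen xfer-key
// (placeholder below; paste the real base64 secret on both servers)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<PLACEHOLDER-BASE64-SECRET>";
};

// Sign every message sent to the secondary with the key
server 198.51.100.20 {
    keys { xfer-key; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key xfer-key; };  // only requests signed with xfer-key
    also-notify { 198.51.100.20; };    // tell the secondary when the zone changes
    notify explicit;                   // notify only the hosts listed above
};
```

After reloading, check the result from your own workstation (not one of the two servers) with `dig @203.0.113.10 example.com AXFR`; the expected answer is "Transfer failed.", while the secondary, which signs its request with `xfer-key`, still receives the zone. `named-checkconf` will catch syntax mistakes in the fragment before you reload.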

Author Comment

ID: 22988879
Thanks for all the replies; our DNS server is up and running; doesn't seem to be taxing things any more than usual and DNS management is easier now.  :-)  

I'll keep an eye out for all the things you mentioned.  
