Hi David,

There is really nothing wrong with DNS but rather with the implementations
that use it, to be exact the operating system and the browser.

As you said in your mail, there are a couple of different approaches to
the problem.

The first one is to use a front end which will divert to the real servers.
This can be done automatically by using a script which will poll the real
servers for availability. However, the problem is the single point of failure
at the front end.

The other option is to rely on DNS. If you have multiple DNS entries on
your DNS server, the DNS server will do round robin (at least BIND)
between these IP addresses, so if one of two is down you will lose 50% of
requests. To be exact, it will return a list of all addresses and change
the order based on round robin.

By using Dynamic DNS you have the option to remove entries that are behind
the failing line. So you will just have to poll the line and, in the case
of failure, tell the DNS server to remove the related entries. And of
course put these entries back when the line is active again.

Another option which crossed my mind just a minute ago is to use
multiple DNS servers for the same domain. By placing these servers on
the same connection as the web servers and defining only the addresses which
are behind that line, you would come to a configuration which would disable
DNS resolving for addresses behind a failed line. However, I consider this
a major kludge and as such it should not be used.

BR,
Harri

> -----Original Message-----
> From: ext David Burton [mailto:[EMAIL PROTECTED]]
> Sent: 18 January, 2002 11:50
> To: [EMAIL PROTECTED]
> Cc: Kotakoski Harri (EXT-Novosys/Copenhagen)
> Subject: Re: Two ISP's
> 
> 
> [EMAIL PROTECTED] (Kotakoski Harri EXT-Novosys/Copenhagen) wrote:
> 
> > Hello,
> >
> > > From: ext garentsen [mailto:[EMAIL PROTECTED]]
> > > I've got two ISP's providing me with 10 Mbit and 3 Mbit internet
> > > access at home. I would like to set up my Linux (or any other OS)
> > > firewall to distribute my load evenly between these two.
> >
> > As Paul said this is mainly routing issue.
> >
> > There are two possible solutions:
> >
> > First one (which is the 'correct' one) is to use BGP peering with ISP's.
> > You probably don't have the possibility to do this because ISP's are
> > pretty picky with organizations they are peering with. And you should
> > also have an Autonomous System ID and be prepared to pay for this
> > arrangement.
>  . . .
> > The other possibility is to use NAT for outbound connections (NATting to
> > different address spaces) and dynamic DNS for inbound (actually it does
> > not have to be dynamic). If someone would like to know how this really
> > works, I'm prepared to write something about it.
> >
> > This requires a system capable of handling this, and the only
> > implementation I am aware of is the Stonegate firewall. I think that
> > Rainfinity and Radware also have some stuff related to the issue.
> >
> > rgds,
> > Harri
> 
> Here at Burton Systems Software, we do something like your "other
> possibility."  It was harder to set up than I expected, and it
> still is not perfect, so I'd be interested in reading your advice
> for Emil, Harri.
> 
> Our Linux NAT/firewall/server is multi-homed, using a DSL line with
> a static IP, plus a cablemodem line with a "slightly dynamic" IP that
> last changed about 5 months ago.
> 
> I wanted two connections mainly for redundancy, not for load sharing.
> These "consumer quality" wideband connections are fast and cheap,
> but they are also unreliable.
> 
> Our DSL is Directv (formerly Telocity).  The cablemodem is Time-Warner
> Roadrunner.  I like Directv because they give us a static IP, and
> their customer service is usually better, and they are a little bit
> cheaper, too.  But most of the time the cablemodem connection is
> slightly faster than the DSL connection.
> 
> Both lines stay up for long periods of time, but occasionally they go
> down for long periods of time, too.  My Roadrunner service was once
> down for 6.5 days!  It would have been down even longer if I'd not
> screamed bloody murder at every Time-Warner person I could track down.
> My DSL service has never been down anywhere near that long, but a
> friend's once went down for more than a week!
> 
> Also, every month or two the crummy DSL modem/gateway box "loses
> synch" (their tech support's term) and has to be power-cycled to
> recover.  I keep threatening to plug it into an X-10 module, so that
> I can get it to recover automatically.  The cablemodem doesn't
> have that problem, but when the power goes out, the DSL line stays
> up and the cablemodem line immediately goes down (T-W apparently
> doesn't use any battery backup at all).
> 
> We can't tolerate week-long outages!  So I figured that the way
> to have reliable Internet connectivity is to have two completely
> independent connections.  The cablemodem comes into the front of
> the building on coax, and the DSL comes in the back on a phone
> line.  The Linux NAT/router has three NICs: one for the DSL
> gateway, one for the cablemodem, and one for the LAN.
> 
> Handling the outgoing connections is pretty straightforward.  I
> have a little script that tests the lines every couple of minutes,
> and tries to "ping out" over each of the two lines.  If the current
> default route is down, but the other one is up, it changes the
> routing table to make the other line be the default.  (I haven't
> bothered to try to load share for better performance.)
> 
> Also, the script watches for changes in IP on the dynamic DNS
> line, and if that happens it updates the Dynamic DNS entry for
> www2.burtonsys.com at our DNS service, www.zoneedit.com, by
> doing a magic "wget" incantation.  (BTW, I highly recommend
> zoneedit.com.)
> 
> Also, whenever a line goes up or down, or when the dynamic IP
> changes for the cablemodem, the script logs the event.
> 
> Right now I'm using only the DSL line for incoming mailserver
> traffic, but I'm going to change it to use the cablemodem line
> as a secondary mail server.  Since DNS permits listing multiple
> mail servers, that should work just fine.
> 
> The toughest thing is handling incoming Web (or FTP) access.
> 
> Unfortunately (and inexplicably, to me) there's no provision
> in DNS records for a "backup" IP to be associated with a domain
> name, and browsers don't know how to look up two or more IPs
> for a name and then try each until one is found that works.
> I have no idea why this capability exists for mail exchangers
> but not for web servers and ftp servers.  :-(
> 
> So... what to do?
> 
> I first looked at using BGP and telling the world about the two
> routes to my box.  Ha, silly me!  The chances of talking either
> outfit into letting me mess with BGP routing are precisely zero.
> They wouldn't know how, even if I could find someone there who
> understood the question, and they wouldn't do it if they knew how.
> 
> T-W/RR support is particularly hideous.  At Time-Warner, they make
> it VERY clear that they don't care AT ALL about you and your problems.
> 
> On one occasion when my Roadrunner connection was down, and had
> been down for many hours, I finally waited through the Time-Warner/
> Roadrunner hold queue and got a support person on the phone.
> He said he didn't have any other reported problems in my area,
> and he advised me to wait and try it again tomorrow, and call
> them back again if it was still down.  I asked him to please
> investigate the problem and have someone call *ME* back when they
> got it fixed or knew more.  He replied, "we don't do call-backs."
> 
> At least he wasn't overtly rude, unlike some of his coworkers.
> 
> The Directv/Telocity folks are only slightly better.  They aren't
> rude, but their financial woes seem to have cut into their support
> staff.
> 
> So I gave up on BGP and went to "plan B."  You can see the result
> at our web address:  http://www.burtonsys.com/
> 
> Www.burtonsys.com is hosted at a cheap ($5/month for 1 MB) but
> very reliable ISP called netmar.com.  At Netmar, we have just a
> skeleton web site, with a "redirection page" that lets visitors
> choose between www1.burtonsys.com and www2.burtonsys.com, which
> correspond to our DSL and cablemodem lines, respectively.
> 
> Plus, if you wait a bit or click the "status" link, a cgi script
> at Netmar runs and pings our two lines from the Netmar server, to
> determine for website visitors which server is "up."  (Wait a bit
> longer, and it'll redirect you to a working server.)
> 
> Another approach, which might be better, would be to use the
> "failover" service at www.zoneedit.com.  According to their web
> site, if your main web connection goes down, they will detect
> it and adjust your DNS record accordingly, within a few minutes.
> Visitors to your site would see only a short outage -- probably
> under 10 minutes -- and they would not have to go through the
> strange "redirection page" that we use.  I've not tried this
> approach, but it sounds good, and it is certainly simpler, and
> I've been very pleased with everything else at zoneedit.com.
> 
> Do you have a better idea, Harri?
> 
> -Dave Burton   <[EMAIL PROTECTED]>
> Burton Systems Software: http://www.burtonsys.com/
> PO Box 4157, Cary, NC 27519-4157 USA
> Makers of TLIB Version Control 5.53 for Win-NT/2K/XP/9x/ME/3.1x, DOS & OS/2.
>  (and command-line version also runs under Linux's WINE Windows Emulator)
> Tel: 1-919-481-0149   Alternate tel: 1-919-481-6658
> Fax: 1-919-481-3787   Alternate fax: 1-919-481-4886
> 
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
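The two ideas in this thread that are actually automatable from a Linux box are Dave's "ping out over each line and move the default route" script and Harri's Dynamic DNS variant, "poll the line and tell the DNS server to remove the related entries". The script below is an added example written for this page; it is not Dave's script, nor anything posted by either participant. All interface names, gateway and probe addresses, the zone name, the DNS server and the TSIG key path are assumed placeholders. It pins one probe host to each line with a host route (so a ping tells you about that line even when the default route points elsewhere), moves the default route only when the current line is down and the other is up, and replaces the web name's A records with the addresses of the lines that are up, delete and adds in one nsupdate transaction so resolvers never see an empty name:

```shell
#!/bin/sh
# Dual-ISP failover monitor: added example, not David's script or anything
# from the thread. Every address, interface, host name and key path below is
# an assumed placeholder; replace with your own. Runs as root from cron every
# couple of minutes (ping, ip route and nsupdate need privileges and network).

DSL_IF=eth0;   DSL_GW=192.0.2.1;      DSL_ADDR=192.0.2.10;      DSL_PROBE=192.0.2.250
CABLE_IF=eth1; CABLE_GW=198.51.100.1; CABLE_ADDR=198.51.100.10; CABLE_PROBE=198.51.100.250
WEB_NAME=www.example.com.      # the A records that must follow line status
DNS_SERVER=ns.example.com      # zone server that accepts dynamic updates
TSIG_KEY=/etc/failover.key     # nsupdate -k file; never allow unsigned updates
TTL=60                         # short TTL so a withdrawn address ages out fast

# Pin each probe target to its own line with a host route, so a ping to it
# tells us about that line even when the default route points elsewhere.
install_probe_routes() {
    ip route replace "$DSL_PROBE/32"   via "$DSL_GW"   dev "$DSL_IF"
    ip route replace "$CABLE_PROBE/32" via "$CABLE_GW" dev "$CABLE_IF"
}

# probe_line PROBE_ADDR: 0 if one echo reply comes back within 2 s, else 1.
probe_line() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# choose_default DSL_STATE CABLE_STATE CURRENT: print "dsl" or "cable".
# Stay where we are while that line is up; move only when it is down and the
# other is up; with both down there is nothing better, so stay put.
choose_default() {
    dsl=$1; cable=$2; cur=$3
    if [ "$cur" = dsl ]; then
        other=cable; cur_state=$dsl;   other_state=$cable
    else
        other=dsl;   cur_state=$cable; other_state=$dsl
    fi
    if [ "$cur_state" = up ] || [ "$other_state" != up ]; then
        echo "$cur"
    else
        echo "$other"
    fi
}

# current_default: which line the kernel's default route uses right now.
current_default() {
    dev=$(ip -4 route show default | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}')
    if [ "$dev" = "$CABLE_IF" ]; then echo cable; else echo dsl; fi
}

# set_default LINE: point the default route at that line's gateway.
set_default() {
    if [ "$1" = cable ]; then
        ip route replace default via "$CABLE_GW" dev "$CABLE_IF"
    else
        ip route replace default via "$DSL_GW" dev "$DSL_IF"
    fi
}

# dns_update DSL_STATE CABLE_STATE: print an nsupdate batch that replaces the
# A records of WEB_NAME with the addresses of the lines that are up (the
# "remove entries behind the failing line" idea). Delete plus adds go in one
# transaction, so resolvers never see an empty name. Prints nothing when both
# lines are down: the zone server is unreachable then anyway, and publishing
# zero records would only make things worse.
dns_update() {
    dsl=$1; cable=$2
    [ "$dsl" = up ] || [ "$cable" = up ] || return 0
    echo "server $DNS_SERVER"
    echo "update delete $WEB_NAME A"
    [ "$dsl" = up ]   && echo "update add $WEB_NAME $TTL A $DSL_ADDR"
    [ "$cable" = up ] && echo "update add $WEB_NAME $TTL A $CABLE_ADDR"
    echo "send"
}

# monitor_pass: one check of both lines; fix the route and the zone if needed.
monitor_pass() {
    dsl_state=down;   probe_line "$DSL_PROBE"   && dsl_state=up
    cable_state=down; probe_line "$CABLE_PROBE" && cable_state=up
    cur=$(current_default)
    want=$(choose_default "$dsl_state" "$cable_state" "$cur")
    if [ "$want" != "$cur" ]; then
        set_default "$want"
        logger -t failover "dsl=$dsl_state cable=$cable_state: default route $cur -> $want"
    fi
    dns_update "$dsl_state" "$cable_state" | nsupdate -k "$TSIG_KEY"
}

# Only act when invoked as "failover.sh run"; sourcing the file just defines
# the functions, which is how the decision logic can be exercised offline.
if [ "${1:-}" = run ]; then
    install_probe_routes
    monitor_pass
fi
```

Three caveats a practitioner would want. First, the zone must only accept updates signed with the TSIG key (in BIND, an `update-policy` or `allow-update { key ...; }` clause); a zone that accepts unsigned dynamic updates lets anyone on the Internet repoint your web name. Second, this only shortens the outage, it does not remove it: resolvers that cached the old answer keep handing out the dead address until the TTL expires, which is why the record TTL is kept short. Third, a single unanswered ping is not proof that a line is down; in practice probe two or three targets per line and require all of them to fail before withdrawing an address, or a transient loss will flap both the route and the zone.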
