Re: Bind9 weighted load balancing
Duplicate RRs are suppressed, as per the standards. RFC 2181, Section 5:

    Each DNS Resource Record (RR) has a label, class, type, and data. It is meaningless for two records to ever have label, class, type and data all equal - servers should suppress such duplicates if encountered

That being said, a DNS-based load-balancer can probably do what you're looking for.

- Kevin

On Fri, Apr 30, 2021 at 3:44 PM Alperen Yılmaz wrote:
> Hello everyone,
>
> There is a round robin resolving mechanism in bind9 where the server chooses different records to resolve for each request, but is there a way to assign weights so that the server resolves with different probabilities?
>
> All I could find about the topic was this old mail from the archive: https://lists.isc.org/pipermail/bind-users/2007-April/066194.html
> It says you can put duplicate records for increasing the weight, however it also says that bind9 does not seem to support this.
>
>     host    IN A 1.2.3.4
>             IN A 1.2.3.4
>             IN A 1.2.3.4
>             IN A 1.2.3.5
>
> Thank you,
> Alperen Yılmaz

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
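To make the two points in this exchange concrete (an authoritative server collapses the repeated `1.2.3.4` records into one per RFC 2181 section 5, so the duplicate-record trick cannot weight an answer, whereas a DNS-based load balancer picks an address by weight), here is an added example, not code from the thread or from BIND. It parses the poster's zone fragment, removes duplicates, shows the plain cyclic rotation that round robin gives (the behaviour BIND's `rrset-order { order cyclic; }` selects), and then draws answers from a weighted table the way a load balancer would. The zone fragment and the 3:1 weights are constructed for the example.

```python
import random
from collections import OrderedDict

# Constructed zone fragment in the shape the original poster used: the first
# line carries the owner name, the indented lines inherit it. Three copies of
# 1.2.3.4 are the attempted 3:1 weighting against 1.2.3.5.
ZONE_FRAGMENT = """\
host    IN A 1.2.3.4
        IN A 1.2.3.4
        IN A 1.2.3.4
        IN A 1.2.3.5
"""


def parse_zone(text):
    """Parse the fragment into (owner, class, type, rdata) tuples.

    A line that starts with whitespace inherits the previous owner name, as in
    the master-file format. Comments (';') and blank lines are skipped.
    """
    records, owner = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        if not line[0].isspace():
            owner, fields = fields[0], fields[1:]
        if owner is None or len(fields) < 3:
            raise ValueError("malformed record: %r" % line)
        records.append((owner, fields[0], fields[1], " ".join(fields[2:])))
    return records


def suppress_duplicates(records):
    """RFC 2181 section 5: two RRs with equal label, class, type and data are
    meaningless, so the server keeps only the first of each."""
    return list(OrderedDict.fromkeys(records))


def rotate(rrset, query_number):
    """Plain round robin (cyclic rrset-order): each answer starts one record
    further into the set than the previous one."""
    if not rrset:
        return []
    k = query_number % len(rrset)
    return rrset[k:] + rrset[:k]


def answer_addresses(zone_text, query_number):
    """Addresses in the order an authoritative server returns them for the
    query_number-th query: duplicates removed, then rotated."""
    rrset = suppress_duplicates(parse_zone(zone_text))
    return [rdata for (_owner, _cls, _type, rdata) in rotate(rrset, query_number)]


def weighted_choice(weights, rng=random):
    """What a DNS-based load balancer does instead: return one address with
    probability weight / sum(weights). weights is an {address: weight} mapping."""
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and sum to > 0")
    pick = rng.random() * total
    upto = 0.0
    for addr, w in weights.items():
        upto += w
        if pick < upto:
            return addr
    return addr  # guards against floating-point rounding at the top edge


def simulate(weights, draws, seed):
    """Draw `draws` answers with a seeded generator and count each address."""
    rng = random.Random(seed)
    counts = dict.fromkeys(weights, 0)
    for _ in range(draws):
        counts[weighted_choice(weights, rng)] += 1
    return counts


if __name__ == "__main__":
    for q in range(3):
        print("query %d -> %s" % (q, answer_addresses(ZONE_FRAGMENT, q)))
    print(simulate({"1.2.3.4": 3, "1.2.3.5": 1}, 10000, seed=7))
```

Run it and the four-line fragment becomes a two-record RRset that alternates between the two orderings; only the weighted draw produces the roughly 3:1 split the poster wanted, and that logic lives in front of the zone, not in it.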
Bind9 weighted load balancing
Hello everyone,

There is a round robin resolving mechanism in bind9 where the server chooses different records to resolve for each request, but is there a way to assign weights so that the server resolves with different probabilities?

All I could find about the topic was this old mail from the archive: https://lists.isc.org/pipermail/bind-users/2007-April/066194.html
It says you can put duplicate records for increasing the weight, however it also says that bind9 does not seem to support this.

    host    IN A 1.2.3.4
            IN A 1.2.3.4
            IN A 1.2.3.4
            IN A 1.2.3.5

Thank you,
Alperen Yılmaz
Re: BIND setup for GSLB (Global Service Load Balancing)
On 12.09.2019 at 17:39, Roberto Carna wrote:
> Hi people, is it possible to setup BIND in order to implement GSLB (Global Service Load Balancing) between two sites?
>
> I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.

If you want to change DNS responses depending on the status of a web server, you can use PDNS Authoritative >= 4.2 with LUA-Records.

https://doc.powerdns.com/authoritative/lua-records/index.html

regards
Klaus
Re: BIND setup for GSLB (Global Service Load Balancing)
Thanks to all, you have helped me a lot. Now it's time to think about a suitable solution for us.

Regards !!!

On Fri, 13 Sep 2019 at 8:40, LeBlanc, Daniel James (<daniel.lebl...@bellaliant.ca>) wrote:
> Hi Roberto.
>
> I am not aware of any inherent capability within ISC BIND to accomplish this. However, the following ideas come to mind (and each has a custom element to it):
>
> - Is it possible to create a DNS record (NAPTR?) for which a dynamic response is provided that accomplishes this objective?
> - The nsupdate command line tool could be used to dynamically add/remove DNS records as required, but an external script/daemon would need to be created to drive the changes.
>
> Thanks.
>
> Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada
>
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R
> Sent: September-12-19 10:22 PM
> To: Roberto Carna
> Cc: bind-users
> Subject: [EXT]Re: BIND setup for GSLB (Global Service Load Balancing)
>
> Well, there are other cheaper solutions available, like those from Array Networks or Peplink; they can offer DNS sub-domain delegation for GSLB.
>
> But I really doubt any such OSS can do a similar job.
>
> On Thu, 12 Sep 2019, 21:10 Roberto Carna wrote:
> > Hi people, is it possible to setup BIND in order to implement GSLB (Global Service Load Balancing) between two sites?
> >
> > I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.
> >
> > Thanks a lot!
> >
> > Roberto
RE: BIND setup for GSLB (Global Service Load Balancing)
Hi Roberto.

I am not aware of any inherent capability within ISC BIND to accomplish this. However, the following ideas come to mind (and each has a custom element to it):

- Is it possible to create a DNS record (NAPTR?) for which a dynamic response is provided that accomplishes this objective?
- The nsupdate command line tool could be used to dynamically add/remove DNS records as required, but an external script/daemon would need to be created to drive the changes.

Thanks.

Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R
Sent: September-12-19 10:22 PM
To: Roberto Carna
Cc: bind-users
Subject: [EXT]Re: BIND setup for GSLB (Global Service Load Balancing)

> Well, there are other cheaper solutions available, like those from Array Networks or Peplink; they can offer DNS sub-domain delegation for GSLB.
>
> But I really doubt any such OSS can do a similar job.
>
> On Thu, 12 Sep 2019, 21:10 Roberto Carna <mailto:robertocarn...@gmail.com> wrote:
> > Hi people, is it possible to setup BIND in order to implement GSLB (Global Service Load Balancing) between two sites?
> >
> > I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.
> >
> > Thanks a lot!
> >
> > Roberto
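Daniel's second idea, an external health-check daemon that drives `nsupdate`, is the usual way to get failover out of round-robin records that BIND itself will not health-check. The following added example (mine, not Daniel's or ISC's code) shows the shape of such a daemon: it polls the backends, then renders an `nsupdate` transaction that replaces the whole A RRset with only the healthy members. The names, the RFC 5737 documentation addresses and the TTL are constructed values; `tcp_health_check` makes a real connection and the offline test swaps in a fake.

```python
import socket
import subprocess

# Constructed example values (RFC 5737 documentation addresses, example.test
# names); nothing here refers to a real deployment.
NAME = "www.example.test."
ZONE = "example.test."
SERVER = "ns1.example.test."
TTL = 30            # keep it short: resolvers cache the old answer for this long
BACKENDS = ["192.0.2.10", "192.0.2.20"]


def tcp_health_check(address, port=443, timeout=2.0):
    """True if a TCP connection to address:port completes within timeout.
    This does a real network call; the offline test uses a fake instead."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def poll(backends, check=tcp_health_check):
    """Map each backend address to its current health."""
    return {addr: bool(check(addr)) for addr in backends}


def build_nsupdate(server, zone, name, ttl, health):
    """Render the commands fed to `nsupdate` on stdin.

    The whole A RRset is deleted and re-added with only the healthy members in
    one transaction (one `send`), so the script is idempotent and never leaves
    a half state. If nothing is healthy, return None: publishing an empty name
    is worse than leaving the last known answer in place, and the caller
    should alarm instead.
    """
    healthy = [addr for addr, ok in sorted(health.items()) if ok]
    if not healthy:
        return None
    lines = ["server %s" % server, "zone %s" % zone, "update delete %s A" % name]
    lines += ["update add %s %d A %s" % (name, ttl, addr) for addr in healthy]
    lines.append("send")
    return "\n".join(lines) + "\n"


def apply_update(script, keyfile):
    """Pipe the script into nsupdate, authenticating with a TSIG key file
    (nsupdate -k). Returns the process exit status; non-zero means the
    server refused or could not apply the update."""
    proc = subprocess.run(["nsupdate", "-k", keyfile], input=script,
                          capture_output=True, text=True)
    return proc.returncode


if __name__ == "__main__":
    script = build_nsupdate(SERVER, ZONE, NAME, TTL, poll(BACKENDS))
    print(script if script else "no healthy backend; leaving the zone unchanged")
```

Two things the thread leaves implicit and the code makes explicit: the zone must allow dynamic updates for the key (`allow-update` or `update-policy` in named.conf, scoped to just that name if you use `update-policy`), and failover is bounded by the TTL, so a long TTL defeats the whole arrangement. In production you would also add a flap threshold before removing or re-adding a member rather than acting on a single failed probe.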
Re: BIND setup for GSLB (Global Service Load Balancing)
Well, there are other cheaper solutions available, like those from Array Networks or Peplink; they can offer DNS sub-domain delegation for GSLB.

But I really doubt any such OSS can do a similar job.

On Thu, 12 Sep 2019, 21:10 Roberto Carna wrote:
> Hi people, is it possible to setup BIND in order to implement GSLB (Global Service Load Balancing) between two sites?
>
> I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.
>
> Thanks a lot!
>
> Roberto
Re: BIND setup for GSLB (Global Service Load Balancing)
I think this question may be better suited to the dns ops list... https://lists.dns-oarc.net/mailman/listinfo/dns-operations

There are solutions out there, but not bind specific. The question is not clear to me. Were it not for the specific mention of gslb, I would say bind does this out of the box with round robin... There are other DNS servers that have languages to eval requests and return more specific answers based on outcomes of tests, which sounds more gslb'ish.

On Thu, Sep 12, 2019, 16:54 John W. Blue wrote:
> Roberto,
>
> I don't think an F5 type open source solution exists that will give you active updates to DNS.
>
> If you don't need to update DNS based upon outages and are just looking for DNS to work in general then anycast comes to mind.
>
> John
>
> > On Sep 12, 2019, at 11:40 AM, Roberto Carna wrote:
> >
> > Hi people, is it possible to setup BIND in order to implement GSLB (Global Service Load Balancing) between two sites?
> >
> > I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.
> >
> > Thanks a lot!
> >
> > Roberto
Re: BIND setup for GSLB (Global Service Load Balancing)
Roberto,

I don't think an F5 type open source solution exists that will give you active updates to DNS.

If you don't need to update DNS based upon outages and are just looking for DNS to work in general then anycast comes to mind.

John

> On Sep 12, 2019, at 11:40 AM, Roberto Carna wrote:
>
> Hi people, is it possible to setup BIND in order to implement GSLB (Global Service Load Balancing) between two sites?
>
> I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.
>
> Thanks a lot!
>
> Roberto
BIND setup for GSLB (Global Service Load Balancing)
Hi people, is it possible to setup BIND in order to implement GSLB (Global Service Load Balancing) between two sites?

I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.

Thanks a lot!

Roberto
Re: DNS load balancing: UDP or TCP ?
On 2/20/19 10:22 AM, Alan Clegg wrote:
> On 2/20/19 7:55 AM, Roberto Carna wrote:
>
>> DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with UDP.
>> You tell me this is not true, just clients try with UDP if the response is truncated.
>
> Tony is correct, the first paragraph above IS NOT TRUE.

Assuming that the first paragraph above was re-written to the way it was in the original post, which was (something along the lines of):

> DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with TCP.

I really don't like this pair of threads (this one and the one with no subject line). Answers have been given. The people here are WAY smart.

Test and verify!

AlanC
Re: DNS load balancing: UDP or TCP ?
On 2/20/19 7:55 AM, Roberto Carna wrote:
> DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with UDP.
> You tell me this is not true, just clients try with UDP if the response is truncated.

Tony is correct, the first paragraph above IS NOT TRUE.

Truncation is a situation in which the server responding to a client provides a message that won't fit in the specified packet size that the specification (and possibly the client, but I won't get into that here) has set for the response, thus providing a response that does not contain the entire response and sets the header bit TC=1.

This has nothing to do with TCP vs. UDP in the initial query. There is no fallback from UDP to TCP when the initial UDP query times out.

Please read up on `dnsdist` and give it a try.

Thanks!
AlanC
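The rule Tony and Alan are stating is visible in the DNS header itself: a spec-following client moves to TCP only when a UDP response arrives with TC=1, and a timeout leads to a UDP retry (or the next server), never to TCP. This is why a TCP-only front end such as HAProxy in TCP mode would see almost no query traffic. The added example below, which is mine and not from the thread, packs and parses the 12-byte RFC 1035 header and encodes the client's decision; the responses are constructed header-only datagrams, and the `next_step` return strings are my own labels.

```python
import struct

# 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000   # bit 15: message is a response
FLAG_TC = 0x0200   # bit 9: response was truncated
FLAG_RD = 0x0100   # bit 8: recursion desired
FLAG_RA = 0x0080   # bit 7: recursion available


def parse_header(msg):
    """Return the header fields of a DNS message as a dict."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def make_response(ident, truncated, ancount=1):
    """Constructed header-only response, standing in for a server's reply."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return HEADER.pack(ident, flags, 1, ancount, 0, 0)


def next_step(sent_id, udp_reply):
    """What a spec-following client does after sending a UDP query.

    udp_reply is the datagram received, or None if the wait timed out.
    """
    if udp_reply is None:
        return "retry-udp"   # timeout: resend over UDP or try the next server; never TCP
    hdr = parse_header(udp_reply)
    if not hdr["qr"] or hdr["id"] != sent_id:
        return "ignore"      # not an answer to our query: keep waiting
    if hdr["tc"]:
        return "retry-tcp"   # TC=1 is the only thing that sends the client to TCP
    return "accept"


if __name__ == "__main__":
    qid = 0x1234
    for label, reply in [("timeout", None),
                         ("truncated", make_response(qid, truncated=True)),
                         ("complete", make_response(qid, truncated=False))]:
        print("%-9s -> %s" % (label, next_step(qid, reply)))
```

The ID check in `next_step` is part of the same picture: a client only acts on a reply whose ID matches its outstanding query, which is also why a load balancer in front of DNS must return each answer to the client that sent the query rather than simply forwarding by connection, as a TCP-only balancer would.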
Re: DNS load balancing: UDP or TCP ?
Roberto Carna wrote:
> Can you confirm this is true in 100% of clients???

On 20.02.19 14:11, Tony Finch wrote:
> It's true of clients that follow the spec.

I would like to add that the spec mentions there may be clients that use only TCP.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: DNS load balancing: UDP or TCP ?
Roberto Carna wrote:
>
> Can you confirm this is true in 100% of clients???

It's true of clients that follow the spec.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Rattray Head to Berwick upon Tweed: South or southwest 4 or 5, occasionally 6 at first. Slight or moderate, occasionally rough at first in northeast. Occasional rain or drizzle at first. Good, occasionally moderate at first.
Re: DNS load balancing: UDP or TCP ?
Dear Tony, thanks for your response.

I've read something I don't know if it's true or not:

DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with UDP.

You tell me this is not true, just clients try with UDP if the response is truncated.

Can you confirm this is true in 100% of clients???

Thanks again, regards !!

On Tue, 19 Feb 2019 at 13:24, Tony Finch wrote:
> Roberto Carna wrote:
>
> > Dear, I have to balance two DNS servers for a special reason.
>
> https://www.powerdns.com/dnsdist.html
>
> > The DNS clients are a mix of Windows, Cisco and Linux machines, so I think they ask for a FQDN using UDP and after that -if there is no response-, they ask the same FQDN using TCP, and so the load balancing will be successful.
>
> No, fallback to TCP relies on receiving a truncated UDP response. You never want a DNS client to be waiting around for a response that will not arrive.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5 later. Rough or very rough. Rain. Moderate or poor.
Re: DNS load balancing: UDP or TCP ?
On 19-Feb-2019 20:00 CET, wrote:
> Agree with Tony on TCP not going to be tried. Have you looked at using anycast? It is not true load balancing but it allows you to stand up multiple DNS servers that "share" a single IP address.

or just use a software load-balancer which has been designed to deal specifically with DNS, i.e. dnsdist - as mentioned by Tony already :)

--
Nico

> On Wed, Feb 20, 2019 at 12:25 AM Tony Finch wrote:
> > Roberto Carna wrote:
> >
> > > Dear, I have to balance two DNS servers for a special reason.
> >
> > https://www.powerdns.com/dnsdist.html
> >
> > > The DNS clients are a mix of Windows, Cisco and Linux machines, so I think they ask for a FQDN using UDP and after that -if there is no response-, they ask the same FQDN using TCP, and so the load balancing will be successful.
> >
> > No, fallback to TCP relies on receiving a truncated UDP response. You never want a DNS client to be waiting around for a response that will not arrive.
> >
> > Tony.
> > --
> > f.anthony.n.finch  http://dotat.at/
> > Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5 later. Rough or very rough. Rain. Moderate or poor.
Re: DNS load balancing: UDP or TCP ?
If you go with Anycast via BGP, make sure your network infrastructure has "multipath" enabled, otherwise the traffic will be skewed to one node or the other. https://tools.ietf.org/id/draft-lapukhov-bgp-ecmp-considerations-01.html is one source which summarizes some of the literature and standards on the subject.

- Kevin

On Tue, Feb 19, 2019 at 2:01 PM Josh Kuo wrote:
> Agree with Tony on TCP not going to be tried. Have you looked at using anycast? It is not true load balancing but it allows you to stand up multiple DNS servers that "share" a single IP address.
>
> On Wed, Feb 20, 2019 at 12:25 AM Tony Finch wrote:
>> Roberto Carna wrote:
>>
>> > Dear, I have to balance two DNS servers for a special reason.
>>
>> https://www.powerdns.com/dnsdist.html
>>
>> > The DNS clients are a mix of Windows, Cisco and Linux machines, so I think they ask for a FQDN using UDP and after that -if there is no response-, they ask the same FQDN using TCP, and so the load balancing will be successful.
>>
>> No, fallback to TCP relies on receiving a truncated UDP response. You never want a DNS client to be waiting around for a response that will not arrive.
>>
>> Tony.
>> --
>> f.anthony.n.finch  http://dotat.at/
>> Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5 later. Rough or very rough. Rain. Moderate or poor.
Re: DNS load balancing: UDP or TCP ?
Agree with Tony on TCP not going to be tried. Have you looked at using anycast? It is not true load balancing but it allows you to stand up multiple DNS servers that "share" a single IP address.

On Wed, Feb 20, 2019 at 12:25 AM Tony Finch wrote:
> Roberto Carna wrote:
>
> > Dear, I have to balance two DNS servers for a special reason.
>
> https://www.powerdns.com/dnsdist.html
>
> > The DNS clients are a mix of Windows, Cisco and Linux machines, so I think they ask for a FQDN using UDP and after that -if there is no response-, they ask the same FQDN using TCP, and so the load balancing will be successful.
>
> No, fallback to TCP relies on receiving a truncated UDP response. You never want a DNS client to be waiting around for a response that will not arrive.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5 later. Rough or very rough. Rain. Moderate or poor.
Re: DNS load balancing: UDP or TCP ?
Roberto Carna wrote:
> Dear, I have to balance two DNS servers for a special reason.

https://www.powerdns.com/dnsdist.html

> The DNS clients are a mix of Windows, Cisco and Linux machines, so I think they ask for a FQDN using UDP and after that -if there is no response-, they ask the same FQDN using TCP, and so the load balancing will be successful.

No, fallback to TCP relies on receiving a truncated UDP response. You never want a DNS client to be waiting around for a response that will not arrive.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5 later. Rough or very rough. Rain. Moderate or poor.
DNS load balancing: UDP or TCP ?
Dear, I have to balance two DNS servers for a special reason. I need your comments please:

1) If I use HAProxy for DNS load balancing, this software only works with TCP protocol (not UDP). The DNS clients are a mix of Windows, Cisco and Linux machines, so I think they ask for a FQDN using UDP and after that -if there is no response-, they ask the same FQDN using TCP, and so the load balancing will be successful.

2) Or do you recommend the use of a UDP load balancing method, maybe for faster responses??? In this case what UDP load balancer can I try???

Thanking in advance.

Robert
Re: load balancing
On 18.09.18 14:39, SIMON BABY wrote:
> I am looking at DNS RR distribution. (DNS Round Robin Load distribution).
>
> Round robin DNS is often used to load balance requests between a number of Web servers <https://en.wikipedia.org/wiki/Web_server>. For example, a company has one domain name and three identical copies of the same web site residing on three servers with three different IP addresses. When one user accesses the home page it will be sent to the first IP address. The second user who accesses the home page will be sent to the next IP address, and the third user will be sent to the third IP address. In each case, once the IP address is given out, it goes to the end of the list. The fourth user, therefore, will be sent to the first IP address, and so forth.

This is a standard and supported DNS feature. However, it's not designed to do failover switching. Each browser may (and apparently will - correct me if I'm wrong) access a random one of those IP addresses for each request, and since web pages are usually assembled of tens of objects, each one may be fetched from a different IP. A long time ago (>15 years) we tried using this for failover with bad results (half of the web page not read).

If you want failover, I recommend an L3 switch like linux ipvs or similar.

> On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY wrote:
> > Do we support load balancing with the latest DNSSEC? I have a DNSSEC application with the unbound library. Do I have to add any extra configuration to support Load Balancing?
>
> On Tue, Sep 18, 2018 at 1:22 PM Warren Kumari wrote:
> > Your question is sufficiently light on detail that it cannot be realistically answered.
> >
> > What sort of load balancing?
> > 1: Traditional SLB - you hand out one IP address, and have a load balancer widget which shares this to multiple backends?
> > 2: Global SLB - you hand out different IP addresses to different clients?
> > 3: Round Robin - you hand out different IP addresses, but randomly / in an order, not tied to specific clients?
> > 4: Anycast - you hand out the same IP address, but this lives on multiple sites, and routing takes care of getting people to the closest site?
> > 5: Multiple nameservers? Something else?
> >
> > The term "load balance" is very vague / can be applied to multiple things - for all of the above except #2, this should just work without any changes. GSLB *may* require more work, but may not. #5 is sufficiently undefined that it cannot really be answered :-)
> >
> > What *exactly* is the question / scenario you are asking?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.
  -- Daffy Duck & Porky Pig
Re: load balancing
On 09/18/2018 04:12 PM, SIMON BABY wrote:
> Do we support this with our current release?

BIND has supported round robin DNS for a long time.

--
Grant. . . .
unix || die
Re: load balancing
Thanks Warren. Do we support this with our current release?

Rgds
Simon

On Tue, Sep 18, 2018 at 3:04 PM Leroy Tennison wrote:
> Before selecting round robin consider the drawbacks - a DNS server being down, DNS server inconsistency, an application expecting some kind of stateful interaction. Finding root cause with DNS round robin can be challenging. I'm not saying don't use it, your situation may be able to mitigate/eliminate issues; just do so fully aware of the implications.
> --
> From: bind-users on behalf of SIMON BABY
> Sent: Tuesday, September 18, 2018 4:39 PM
> To: Warren Kumari
> Cc: bind-users@lists.isc.org
> Subject: [EXTERNAL] Re: load balancing
>
> Thanks Warren.
> I am looking at DNS RR distribution. (DNS Round Robin Load distribution).
>
> Round robin DNS is often used to load balance requests between a number of Web servers <https://en.wikipedia.org/wiki/Web_server>. For example, a company has one domain name and three identical copies of the same web site residing on three servers with three different IP addresses. When one user accesses the home page it will be sent to the first IP address. The second user who accesses the home page will be sent to the next IP address, and the third user will be sent to the third IP address. In each case, once the IP address is given out, it goes to the end of the list. The fourth user, therefore, will be sent to the first IP address, and so forth.
>
> Rgds
> Simon
>
> Leroy Tennison
> Network Information/Cyber Security Specialist
> E: le...@datavoiceint.com
> 2220 Bush Dr
> McKinney, Texas 75070
> www.datavoiceint.com
>
> On Tue, Sep 18, 2018 at 1:22 PM Warren Kumari wrote:
>> On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY wrote:
>>> Hi,
>>>
>>> Do we support load balancing with the latest DNSSEC? I have a DNSSEC application with the unbound library. Do I have to add any extra configuration to support Load Balancing?
>>
>> Your question is sufficiently light on detail that it cannot be realistically answered.
>>
>> What sort of load balancing?
>> 1: Traditional SLB - you hand out one IP address, and have a load balancer widget which shares this to multiple backends?
>> 2: Global SLB - you hand out different IP addresses to different clients?
>> 3: Round Robin - you hand out different IP addresses, but randomly / in an order, not tied to specific clients?
>> 4: Anycast - you hand out the same IP address, but this lives on multiple sites, and routing takes care of getting people to the closest site?
>> 5: Multiple nameservers? Something else?
>>
>> The term "load balance" is very vague / can be applied to multiple things - for all of the above except #2, this should just work without any changes. GSLB *may* require more work, but may not. #5 is sufficiently undefined that it cannot really be answered :-)
>>
>> What *exactly* is the question / scenario you are asking?
>> W
>>
>>> Rgds
>>> Simon
>>
>> --
>> I don't think the execution is relevant when it was obviously a bad idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>> ---maf
Re: load balancing
Before selecting round robin, consider the drawbacks: a DNS server being down, DNS server inconsistency, an application expecting some kind of stateful interaction. Finding root cause with DNS round robin can be challenging. I'm not saying don't use it; your situation may be able to mitigate/eliminate issues. Just do so fully aware of the implications.

Leroy Tennison
Network Information/Cyber Security Specialist
Re: load balancing
Thanks Warren. I am looking at DNS RR distribution (DNS round robin load distribution).

Round robin DNS is often used to load balance requests between a number of web servers <https://en.wikipedia.org/wiki/Web_server>. For example, a company has one domain name and three identical copies of the same web site residing on three servers with three different IP addresses. When one user accesses the home page it will be sent to the first IP address. The second user who accesses the home page will be sent to the next IP address, and the third user will be sent to the third IP address. In each case, once the IP address is given out, it goes to the end of the list. The fourth user, therefore, will be sent to the first IP address, and so forth.

Rgds
Simon
Re: load balancing
On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY wrote:
> Hi,
>
> Do we support load balancing with the latest DNSSEC? I have a DNSSEC
> application with the unbound library. Do I have to add any extra
> configuration to support load balancing?

Your question is sufficiently light on detail that it cannot be realistically answered.

What sort of load balancing?
1: Traditional SLB - you hand out one IP address, and have a load balancer widget which shares this to multiple backends?
2: Global SLB - you hand out different IP addresses to different clients?
3: Round Robin - you hand out different IP addresses, but randomly / in an order not tied to specific clients?
4: Anycast - you hand out the same IP address, but this lives on multiple sites, and routing takes care of getting people to the closest site?
5: Multiple nameservers? Something else?

The term "load balance" is very vague / can be applied to multiple things - for all of the above except #2, this should just work without any changes. GSLB *may* require more work, but may not. #5 is sufficiently undefined that it cannot really be answered :-)

What *exactly* is the question / scenario you are asking?
W

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
load balancing
Hi,

Do we support load balancing with the latest DNSSEC? I have a DNSSEC application with the unbound library. Do I have to add any extra configuration to support load balancing?

Rgds
Simon
Re: global server load balancing with the domain name
On 14/04/17 22:40, McDonald, Daniel (Dan) wrote:
> That works fine for test.example.com. But when I go to production, I need to do it for example.com

As others have noted, you can't delegate a single record from the apex.

tl;dr - vendor specific, ask your GSLB vendor.

There are multiple solutions to this problem and most of them are (sadly) vendor-specific and certainly not anything to do with bind. You will probably want to speak to your GSLB vendor.

Briefly, you'll probably get told some combination of:

1. Replace your authoritative servers with our GSLB entirely, we'll magically rewrite the apex query when we receive it.
2. Put our GSLB servers in front of your authoritatives as a kind of reverse proxy, we'll magically blah
3. Don't use the zone apex, or have it be a simple/stateless redirect to www.example.com (often a branding/comms no-no)
4. Stick all the SLB IPs at the zone apex statically (or dynamically via e.g. script, DDNS, etc.)
5. Use an authoritative server which will magically do this for you e.g. it supports a pseudo-record like ANAME or similar.

Probably the only thing relevant to bind is option #4 (which we actually do). You could write a script that updates the zone apex A/AAAA records on a short schedule e.g. once a minute to keep it approximately "in sync" with the GSLB. Depending on what GSLB policies you're doing you might be able to replicate some of them (e.g. geo IP replies).
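Option #4 above in working form, as an added example that is not code from the thread or from ISC: a Python script that diffs the apex A/AAAA RRset against the addresses that passed a health check and emits the nsupdate commands that bring the zone in line. The zone name example.com., the TTL of 60, the 192.0.2.x / 2001:db8:: addresses, the server 127.0.0.1 and the PROBE_RESULTS table are all assumptions constructed for the demo; a real deployment would replace PROBE_RESULTS with real HTTP/TCP checks, run plan_apex_update once a minute, and pipe the returned script into nsupdate with a TSIG key against a zone whose update-policy permits A/AAAA changes at the apex.

```python
"""Keep the zone apex A/AAAA RRset in sync with the healthy load-balancer
addresses by emitting an nsupdate script (added example, not from the thread).

Assumptions (constructed for the demo): zone example.com., TTL 60, the
addresses below, and the health-check results in PROBE_RESULTS. In real use,
feed the returned script to `nsupdate -k <tsig key file>` on a schedule.
"""

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ApexPlan:
    desired: tuple    # addresses that should be published after this run
    to_add: tuple
    to_delete: tuple
    script: str       # nsupdate input; empty string when nothing changes


def _normalise(addrs):
    """Parse, canonicalise and dedupe addresses (a bad address raises ValueError).
    Dedupe matters: RFC 2181 says duplicate RRs are meaningless, so publishing
    the same address twice buys no extra weight."""
    return {str(ipaddress.ip_address(a)) for a in addrs}


def _rrtype(addr):
    return "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"


def plan_apex_update(zone, published, healthy, ttl=60, server="127.0.0.1"):
    """Diff the published apex addresses against the healthy ones.

    Only A/AAAA records are added or deleted, so the SOA, NS, MX and TXT
    records that cannot be delegated away from the apex are never touched.
    Failure mode: if every backend failed its probe, keep the previous RRset
    rather than publish an empty answer, since a monitoring outage must not
    take the site offline."""
    apex = zone.rstrip(".") + "."
    pub = _normalise(published)
    good = _normalise(healthy)
    desired = good if good else pub
    to_add = tuple(sorted(desired - pub))
    to_delete = tuple(sorted(pub - desired))
    if not to_add and not to_delete:
        return ApexPlan(tuple(sorted(desired)), (), (), "")
    lines = [f"server {server}", f"zone {apex}"]
    for a in to_delete:
        lines.append(f"update delete {apex} IN {_rrtype(a)} {a}")
    for a in to_add:
        lines.append(f"update add {apex} {ttl} IN {_rrtype(a)} {a}")
    lines.append("send")
    return ApexPlan(tuple(sorted(desired)), to_add, to_delete, "\n".join(lines) + "\n")


# Constructed stand-in for one round of health checks (address -> healthy?).
PROBE_RESULTS = {"192.0.2.10": True, "192.0.2.11": False, "2001:db8::10": True}
CURRENTLY_PUBLISHED = ["192.0.2.10", "192.0.2.11"]


def demo_plan():
    """One scheduler tick: drop the failed backend, add the new healthy one."""
    healthy = [a for a, ok in PROBE_RESULTS.items() if ok]
    return plan_apex_update("example.com", CURRENTLY_PUBLISHED, healthy)


if __name__ == "__main__":
    print(demo_plan().script, end="")
```

Only A/AAAA records at the apex are added or deleted, so the SOA, NS, MX and TXT records stay where they are, which is exactly why this works where delegating the apex cannot. If every probe fails the script leaves the published set alone: a broken monitor must not turn into an empty answer, and a low TTL keeps resolvers from caching a dead address for long once the next tick removes it.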
Re: global server load balancing with the domain name
On Apr 14, 2017, at 2:40 PM, McDonald, Daniel (Dan) wrote:
> That works fine for test.example.com. But when I go to production, I need to
> do it for example.com and www.example.com. How do I delegate just the A
> record and not the SOA, TXT, MX, SPF, and NS records, nor any of the other
> entries in the zone. As I recall, I can't just delegate, as an example,
> www.example.com, then use a CNAME for example.com.

You can't do this for example.com. Obviously, www.example.com is not a problem.

Your GSLB device should have a work-around for the zone apex (example.com itself), such as a simple webserver (right on each GSLB, perhaps) that takes those web requests and redirects them to www.example.com. Then in your main zone (not on the GSLB), you would have a record set pointing that zone apex to each of those web servers.

Regards,
Chris Buxton
Re: global server load balancing with the domain name
On Apr 14, 2017, at 2:40 PM, McDonald, Daniel (Dan) wrote:
> Setting up global server load balancing seems easy enough – just add ns
> records pointing at the load balancer and away you go:
>
>   example.com.       38400  IN  SOA  ns20.example.net. dan\.mcdonald.example.com. 2017011107 10800 3600 604800 3600
>   example.com.       38400  IN  NS   ns1.example.com.
>   example.com.       38400  IN  NS   ns2.example.com.
>   test.example.com.    900  IN  NS   gslb1.example.com.
>   test.example.com.    900  IN  NS   gslb2.example.com.

Are your load-balancers providing different DNS replies to different clients? Most organizations don't need to place the nameservers themselves behind a LB.

> That works fine for test.example.com. But when I go to production, I need to
> do it for example.com and www.example.com. How do I delegate just the A
> record and not the SOA, TXT, MX, SPF, and NS records, nor any of the other
> entries in the zone. As I recall, I can't just delegate, as an example,
> www.example.com, then use a CNAME for example.com.

You can't delegate individual records; you delegate zones.

If you had multiple DCs available, you might use a CNAME to point www.example.com to www.dc1.example.com, www.dc2.example.com, etc. based upon whatever criteria seems reasonable, such as availability, client geolocation data, etc. For web traffic, it is common to set a session cookie or similar for session affinity to keep requests going to the same DC once a given client has landed there.

You might want to have a chat with someone from Akamai, Level3, or one of the other CDN players.

Regards,
-Chuck
global server load balancing with the domain name
Setting up global server load balancing seems easy enough – just add ns records pointing at the load balancer and away you go:

  example.com.       38400  IN  SOA  ns20.example.net. dan\.mcdonald.example.com. 2017011107 10800 3600 604800 3600
  example.com.       38400  IN  NS   ns1.example.com.
  example.com.       38400  IN  NS   ns2.example.com.
  test.example.com.    900  IN  NS   gslb1.example.com.
  test.example.com.    900  IN  NS   gslb2.example.com.

That works fine for test.example.com. But when I go to production, I need to do it for example.com and www.example.com. How do I delegate just the A record and not the SOA, TXT, MX, SPF, and NS records, nor any of the other entries in the zone? As I recall, I can't just delegate, as an example, www.example.com, then use a CNAME for example.com.
RE: Can I have Inbound load balancing achieved with below settings
From a networking perspective though (in a multi-homed environment), this really should be handled by using IGRP and AS numbers. In a situation where the link is bouncing, there may be sporadic packets getting through the link, i.e. the DNS gets back 1.1.1.1 but on the next packet it's down again. Using an AS number and IGRP you don't need to have different DNS servers providing different IP addresses for the same server. You simply provide the same IP address out of both links and the routers (in determining the best route) choose which route to take, via ISP 1 or ISP 2, which serves up the same information.

This is also important for applications like Apache when handling session information, as a cookie at 1.1.1.1 is different than a cookie at 2.2.2.2 (if security is enforced properly). The below configuration can also make SSL difficult; a lot of application layer stuff can go wrong when the link starts bouncing or is intermittent, which IGRP and ASN can handle transparently.

IMHO trying to solve this via DNS is really complicating the issue far greater than it needs to be.
Re: Can I have Inbound load balancing achieved with below settings
Phil Mayers wrote the following on 11/14/2013 2:39 AM:
> I think there are better solutions than publishing an enormous list of A/AAAA
> records, personally, and I think it's good that browser manufacturers aren't
> blasting out 6 SYNs every time someone types www.google.com...

On a related note, I have seen recent Comtrend DSL modems (w/ integrated router and DNS cache) send out parallel DNS requests to both of the configured DNS servers. The debug log on the modem indicates that the modem throws away later responses.

I agree that staggered might be a softer approach that is less resource intensive and will likely achieve the same (or perhaps better) result if all services are working. In the case of degraded service, the more aggressive parallel client will likely be faster. As a server and network admin, I guess we have to anticipate and prepare for clients that might be considered borderline abusive.

--Blake
Re: Can I have Inbound load balancing achieved with below settings
Blake Hudson wrote:
> On a related note, I have seen recent Comtrend DSL modems (w/ integrated
> router and DNS cache) send out parallel DNS requests to both of the
> configured DNS servers. The debug log on the modem indicates that the modem
> throws away later responses.

Novell's LAN Workplace for DOS client used to issue simultaneous DNS requests to all configured resolvers. IIRC "all" meant a maximum of 3. You could add more servers to its resolv.conf equivalent (RESOLV.CFG?) but it ignored all but the first three.

Sam
Re: Can I have Inbound load balancing achieved with below settings
On 13/11/13 22:21, Carl Byington wrote:
> On Wed, 2013-11-13 at 16:49 -0500, Barry Margolin wrote:
>> It means that users will have to wait for an arbitrary number of timeouts
>> before the browser can give them an error message.
>
> Well, the browser *could* of course give a message like "I have tried $N out
> of $M possible ip addresses with no success - do you want to abandon this?"
> at any time while trying that collection of ip addresses.
>
> The other approach is to try them all in parallel, sort of like ipv4 and
> ipv6 parallel connection attempts in http://tools.ietf.org/html/rfc6555

Parallel is bad - they *should* be staggered by $RTT*$FACTOR, otherwise you just flood the link with SYN and SYN/ACK packets, all but one of which are wasted, and may have consumed bandwidth, buffer space, NAT and firewall session resources, to name but a few.

I think there are better solutions than publishing an enormous list of A/AAAA records, personally, and I think it's good that browser manufacturers aren't blasting out 6 SYNs every time someone types www.google.com...
Re: Can I have Inbound load balancing achieved with below settings
On 2013-11-13 00:16, Manish Rane wrote:
> ...
> 6. Assume if ISP1 goes down, client coming on ISP1 would never be able to
> reach; hence as per DNS protocol will try for another link and come on ISP2
> and then probably get an IP address of Link 2 i.e. 2.2.2.2.
> ...

I'm not sure about your DNS setup, because I didn't understand how you described it. But that doesn't matter. Even if you 100% properly did what you intended to do, it breaks down at step 6.

The DNS protocol definitions only go as far as saying what your BIND DNS server will return. Importantly (for this answer), it does NOT say (a) what a remote user's caching/resolving name server will actually do with your responses, or (b) what the actual application will do with your responses.

If the application is an SMTP server or another DNS server then, yes, BY THE DEFINITION OF THAT PROTOCOL, it will try again for another server.

If the application is a Web browser - which is likely, given that you mention port 80, presumably TCP - then it will only look at one of the two IP addresses [for almost all currently available Web browsers]. If it gets a bad one, it will return the user an error. Because that is how THAT protocol is defined. Most protocols are not defined to re-try different servers.

What you are trying to do is what the F5 BigIP GTM does - only return the IP address for a known-working site. There's a reason that F5 can sell those boxes - they work where doing this in pure DNS does not.

Joe Yao
Re: Can I have Inbound load balancing achieved with below settings
Joseph S D Yao writes:
> If the application is an SMTP server or another DNS server then, yes, BY
> THE DEFINITION OF THAT PROTOCOL, it will try again for another server.

RFC 1123 (October 1989) applies to all applications on all hosts. Note SHOULD and "until".

  2.3 Applications on Multihomed hosts

  When the remote host is multihomed, the name-to-address translation will
  return a list of alternative IP addresses. As specified in Section
  6.1.3.4, this list should be in order of decreasing preference.
  Application protocol implementations SHOULD be prepared to try multiple
  addresses from the list until success is obtained. More specific
  requirements for SMTP are given in Section 5.3.4.

  When the local host is multihomed, a UDP-based request/response
  application SHOULD send the response with an IP source address that is
  the same as the specific destination address of the UDP request datagram.
  The specific destination address is defined in the IP Addressing section
  of the companion RFC [INTRO:1].

  Similarly, a server application that opens multiple TCP connections to
  the same client SHOULD use the same local IP address for all.

> If the application is a Web browser - which is likely, given that you
> mention port 80, presumably TCP - then it will only look at one of the two
> IP addresses [for almost all currently available Web browsers]. If it gets
> a bad one, it will return the user an error. Because that is how THAT
> protocol is defined. Most protocols are not defined to re-try different
> servers.

No, there is no such requirement. The browsers are just BROKEN if they don't try all the offered addresses. All browsers were written after RFC 1123 was published.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: Can I have Inbound load balancing achieved with below settings
On Wed, 2013-11-13 at 16:49 -0500, Barry Margolin wrote:
> It means that users will have to wait for an arbitrary number of timeouts
> before the browser can give them an error message.

Well, the browser *could* of course give a message like "I have tried $N out of $M possible ip addresses with no success - do you want to abandon this?" at any time while trying that collection of ip addresses.

The other approach is to try them all in parallel, sort of like ipv4 and ipv6 parallel connection attempts in http://tools.ietf.org/html/rfc6555
Re: Can I have Inbound load balancing achieved with below settings
Barry Margolin writes:
> Mark Andrews wrote:
>> No, there is no such requirement. The browsers are just BROKEN if they
>> don't try all the offered addresses. All browsers were written after
>> RFC 1123 was published.
>
> That attitude should probably be moderated when interactive applications
> are involved. It means that users will have to wait for an arbitrary
> number of timeouts before the browser can give them an error message.

And there is no requirement to wait 30 seconds for the next connection attempt. In the 80's, if it took more than 1 or 2 seconds to connect you could assume it wasn't going to succeed and be right 99.99% of the time. With happy eyeballs the second and subsequent connection attempts start in less than a second (~100-200ms) after the previous one and you abandon redundant successful connections. While happy eyeballs was looking at IPv4/IPv6, that is only a special case of multi-homed servers.

> The requirement is stated as a SHOULD, not a MUST. This gives latitude to
> the application designer to trade off reliability and usability.

So rather than doing staggered parallel connects, which would have given them reliability and usability, they decided to throw away reliability. Non-blocking connects have existed since before the first web browser was written.

--
Mark Andrews, ISC
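The staggered connect Mark describes, as an added example that is not code from the thread or from any browser: a Python asyncio routine that starts the next address a short interval after the previous attempt began, lets a fast failure start the next attempt at once, takes the first success, cancels the rest and closes any redundant success that landed in the same tick. The function names connect_staggered, make_fake_connector and demo, the connect(addr) signature, the 200 ms stagger and the 192.0.2.1 / 198.51.100.1 addresses with their delays are all assumptions; a constructed fake connector stands in for a real connect so the example runs offline (for real use, pass a small wrapper around asyncio.open_connection).

```python
"""Staggered connection attempts across the addresses a name resolved to
(added example, not code from the thread or from any browser).

Assumptions: connect(addr) is an awaitable returning an object with close();
the addresses and delays below are constructed so the demo runs offline.
"""

import asyncio
import time


class FakeConn:
    """Stand-in for the stream a real connect() would return."""

    def __init__(self, addr):
        self.addr = addr
        self.closed = False

    def close(self):
        self.closed = True


async def connect_staggered(addresses, connect, stagger=0.2, timeout=5.0):
    """Try addresses in order, starting the next one `stagger` seconds after
    the previous attempt began (or immediately when it fails). The first
    success wins: the rest are cancelled and any redundant success that
    landed in the same tick is closed. Raises OSError when every address
    failed or the overall `timeout` expired, so the caller never sits
    through one full TCP timeout per dead address as a serial client would."""
    addrs = list(addresses)
    if not addrs:
        raise OSError("no addresses to try")
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    running = {}          # task -> address
    errors = {}           # address -> exception
    nxt = 0
    winner = None
    while winner is None:
        if nxt < len(addrs):   # time to launch the next candidate
            running[asyncio.create_task(connect(addrs[nxt]))] = addrs[nxt]
            nxt += 1
        if not running:
            raise OSError(f"all {len(addrs)} addresses failed: {errors}")
        remaining = deadline - loop.time()
        if remaining <= 0:
            break
        wait = min(stagger, remaining) if nxt < len(addrs) else remaining
        done, _ = await asyncio.wait(set(running), timeout=wait,
                                     return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            addr = running.pop(task)
            if task.exception() is not None:
                errors[addr] = task.exception()
            elif winner is None:
                winner = (addr, task.result())
            else:
                task.result().close()   # redundant success: abandon it
    for task in running:
        task.cancel()
    await asyncio.gather(*running, return_exceptions=True)
    if winner is None:
        raise OSError(f"timed out after {timeout}s; failures: {errors}")
    return winner


def make_fake_connector(behaviour, started):
    """Constructed connect(): behaviour maps addr -> (delay_s, succeeds).
    A black-holed address (dead ISP link) is a long delay then failure,
    which is what a SYN with no answer looks like to the application."""
    async def connect(addr):
        started.append(addr)
        delay, ok = behaviour[addr]
        await asyncio.sleep(delay)
        if not ok:
            raise ConnectionRefusedError(f"{addr}: unreachable")
        return FakeConn(addr)
    return connect


def demo(behaviour, stagger=0.2, timeout=5.0):
    """Run one staggered connect; returns (winner, elapsed_s, attempted)."""
    started = []
    connect = make_fake_connector(behaviour, started)
    t0 = time.monotonic()
    addr, _conn = asyncio.run(
        connect_staggered(list(behaviour), connect, stagger, timeout))
    return addr, time.monotonic() - t0, started


if __name__ == "__main__":
    # First address is black-holed, second answers quickly: the stagger,
    # not a 30 s TCP timeout, bounds how long the user waits.
    print(demo({"192.0.2.1": (30.0, False), "198.51.100.1": (0.05, True)}))
```

The stagger is what separates this from both extremes in the thread: a serial client pays a full connect timeout per dead address, while a fully parallel client sends one SYN per address every time; here a healthy first address never triggers a second attempt at all, and a dead one costs only the stagger interval. The overall deadline keeps the all-addresses-dead case bounded so the browser can report failure instead of waiting out the whole list.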
Re: Can I have Inbound load balancing achieved with below settings
On 2013-11-13 16:44, Mark Andrews wrote:
> ...
> RFC 1123 (October 1989) applies to all applications on all hosts. Note
> SHOULD and "until".
> ...

Mark, I've always read SHOULD here as more of a plaintive hope than anything else. People have certainly felt free to ignore it. Yes, that makes their software broken if you are reading SHOULD as almost a MUST.

Joe Yao
Re: Can I have Inbound load balancing achieved with below settings
Joseph S D Yao writes:
> Mark, I've always read SHOULD here as more of a plaintive hope than
> anything else. People have certainly felt free to ignore it. Yes, that
> makes their software broken if you are reading SHOULD as almost a MUST.

Which is how it is defined in the RFC.

  *SHOULD
    This word or the adjective "RECOMMENDED" means that there may exist
    valid reasons in particular circumstances to ignore this item, but the
    full implications should be understood and the case carefully weighed
    before choosing a different course.

We have MAY for the plaintive hope case.

  *MAY
    This word or the adjective "OPTIONAL" means that this item is truly
    optional. One vendor may choose to include the item because a
    particular marketplace requires it or because it enhances the product,
    for example; another vendor may omit the same item.

I just wish vendors were required to publish the analysis that led them to not follow a SHOULD. I'd love to hear NETGEAR's analysis of why their DNS proxy doesn't talk TCP in the router I have here at home and see if it passes the laugh test.

Mark
--
Mark Andrews, ISC
Can I have Inbound load balancing achieved with below settings
Hey Fellas,

I am thinking on this perspective and need some help on this. Please guide me if I am wrong or let me know if I can achieve the stuff.

1. I have a firewall with TWO ISP links, let's assume ISP1 and ISP2. And then I have an internal webserver www.foobar.com with IP 192.168.1.10.

2. I have NATted 192.168.1.10 with ISP1 and ISP2 public IP addresses:
   1.1.1.1 [ISP1] == 192.168.1.10 Port 80
   2.2.2.2 [ISP2] == 192.168.1.10 Port 80

3. The NS server for foobar.com is on the Internet, let's assume ns.xyz.com. Added a sub-domain www.foobar.com.

4. Now this sub-domain www.foobar.com is on a BIND server kept in my network, say IP 192.168.1.20, which is again NATted with public IP addresses for ISP1 [1.1.1.10] and ISP2 [2.2.2.20].

5. So, if both the links are up, a client coming on either of the links would get both the IP addresses.

6. Assume if ISP1 goes down, a client coming on ISP1 would never be able to reach; hence as per DNS protocol will try for another link and come on ISP2 and then probably get an IP address of Link 2 i.e. 2.2.2.2.

7. I am sure in this case he would get both the IP addresses even if he is coming from the other link; that's what puzzles me, or wondering if I can return only the IP of ISP2 in case ISP1 is down? That way I achieve HA or load balance?
Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
I once maintained two F5 BIG-IP GTM boxes a couple of years ago; at that time they were called F5 3DNS. GTM does have a BIND installed, but that means nothing. Its GSLB DNS module is not BIND, but a customized module in the Linux kernel. Along with this module there are some scheduler methods to balance the requests, for example based on locations or QoS or something else. This kernel module intercepts DNS requests IMO; if a record has to be balanced by GTM, the kernel module will respond to it based on the chosen scheduler. Otherwise records will be responded to by BIND.

On 2012-12-12 21:23, Manish Rane wrote:
> Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting a lower TTL value? I believe F5 3DNS does the same thing?
Just wondering if BIND can do GLB -Global Load Balancing Stuff?
Hi Folks,

Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting a lower TTL value? I believe F5 3DNS does the same thing?
Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.

I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done. The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.

On 12/12/12, Manish Rane manish...@gmail.com wrote:
> Hi Folks,
>
> Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting a lower TTL value? I believe F5 3DNS does the same thing?
Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
I understand BIND by default cannot work like a GLB, but I am wondering if there are any patches available, or whether the open source software community is aware of any other software that can perform such a thing.

On Wed, Dec 12, 2012 at 8:45 PM, cindyjohns...@verizon.net wrote:
> BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.
>
> I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done. The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.
>
> On 12/12/12, Manish Rane manish...@gmail.com wrote:
> > Hi Folks,
> >
> > Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting a lower TTL value? I believe F5 3DNS does the same thing?
Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
On Dec 12, 2012, at 10:28 AM, Manish Rane manish...@gmail.com wrote:
> I understand BIND by default cannot work like a GLB, but I am wondering if there are any patches available, or whether the open source software community is aware of any other software that can perform such a thing.

This isn't really something that BIND does well natively, but you can beat it into submission if you care enough. Depending on what your application is, it may be cheaper to simply buy a commercial product for this; I'm guessing you've already gotten a bunch of replies from folk offering to sell you such a widget...

By using dynamic updates and a small script to do the health check you can fairly easily cobble something together to do this. A long time back I wrote something that talked to Nagios and added A records when servers were up and pulled them out when the server went down. Worked fairly well, but ended up being more trouble than it was worth...

If you also want geo type stuff:
http://geo.bitnames.com/
http://oilq.org/fr/node/2725
http://backreference.org/2010/02/01/geolocation-aware-dns-with-bind/

W

> On Wed, Dec 12, 2012 at 8:45 PM, cindyjohns...@verizon.net wrote:
> > BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.
> >
> > I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done. The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.
> >
> > On 12/12/12, Manish Rane manish...@gmail.com wrote:
> > > Hi Folks,
> > >
> > > Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting a lower TTL value? I believe F5 3DNS does the same thing?

-- 
The duke had a mind that ticked like a clock and, like a clock, it regularly went cuckoo. -- (Terry Pratchett, Wyrd Sisters)
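The "dynamic updates plus a small health-check script" approach Warren describes, written out as an added example. This is not code from the thread and not his Nagios script; it assumes a hypothetical zone example.com with the record www.example.com, a BIND instance on 127.0.0.1 that accepts TSIG-signed updates for that name, a key file /etc/bind/lbkey.key, and two constructed backend addresses in 192.0.2.0/24. The script probes each backend, decides which addresses should be in the A RRset, and emits an nsupdate batch that replaces the RRset in one UPDATE transaction, which is the part that matters: a resolver should never see the name briefly empty between a delete and an add.

```python
"""Health-check-driven A records via dynamic update (added example, not from the thread).

Assumptions (placeholders, not from the original mail): zone example.com, name www,
BIND at 127.0.0.1 with an update-policy granting key 'lbkey' rights to
www.example.com, key file /etc/bind/lbkey.key. The backends 192.0.2.10 and
192.0.2.11 are constructed sample addresses.
"""
import socket
import subprocess
from typing import Callable, Dict, List, Sequence

ZONE = "example.com"
NAME = "www"
TTL = 30                          # short TTL so resolvers forget a dead backend quickly
SERVER = "127.0.0.1"
KEYFILE = "/etc/bind/lbkey.key"   # placeholder TSIG key file for nsupdate -k
POOL = ["192.0.2.10", "192.0.2.11"]  # constructed backend addresses


def tcp_probe(ip: str, port: int = 80, timeout: float = 2.0) -> bool:
    """Minimal liveness check: can we complete a TCP handshake to the service port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(pool: Sequence[str], probe: Callable[[str], bool] = tcp_probe) -> Dict[str, bool]:
    """Probe every backend once; `probe` is injectable so the logic runs offline in tests."""
    return {ip: probe(ip) for ip in pool}


def desired_rrset(pool: Sequence[str], health: Dict[str, bool], fail_open: bool = True) -> List[str]:
    """Addresses that should be in the A RRset right now.

    If every backend fails its check, an empty RRset would turn a partial outage
    into NODATA/NXDOMAIN for everyone, so by default we keep the whole pool
    ('fail open') and let the next cycle retry.
    """
    up = [ip for ip in pool if health.get(ip, False)]
    if not up and fail_open:
        return list(pool)
    return up


def build_nsupdate(zone: str, name: str, ttl: int, rrset: Sequence[str], server: str = SERVER) -> str:
    """nsupdate batch that makes the A RRset exactly `rrset`.

    The 'update delete' of the whole A RRset and the 'update add' lines are sent
    as one UPDATE message when 'send' is issued, so the change is applied
    atomically on the server side.
    """
    fqdn = f"{name}.{zone}."
    lines = [f"server {server}", f"zone {zone}.", f"update delete {fqdn} IN A"]
    lines += [f"update add {fqdn} {ttl} IN A {ip}" for ip in rrset]
    lines.append("send")
    return "\n".join(lines) + "\n"


def apply(batch: str, keyfile: str = KEYFILE) -> int:
    """Feed the batch to nsupdate signed with the TSIG key; returns its exit status."""
    proc = subprocess.run(["nsupdate", "-k", keyfile], input=batch, text=True)
    return proc.returncode


if __name__ == "__main__":
    health = run_checks(POOL)
    batch = build_nsupdate(ZONE, NAME, TTL, desired_rrset(POOL, health))
    print(batch)          # inspect first, then: apply(batch)
```

Run it from cron or a loop; on the BIND side the zone needs something like `update-policy { grant lbkey name www.example.com. A; };` so the key can only touch that one RRset, and the TTL should be a small multiple of the check interval or the failover is only cosmetic.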
RE: Just wondering if BIND can do GLB -Global Load Balancing Stuff?
A long time ago I used a perl script called lbnamed that acted as a DNS server and would monitor hosts and change the returned results based on aliveness and load. See http://www.stanford.edu/~riepel/lbnamed/

Mike Mitchell

From: bind-users-bounces+mike.mitchell=sas@lists.isc.org [bind-users-bounces+mike.mitchell=sas@lists.isc.org] on behalf of Manish Rane [manish...@gmail.com]
Sent: Wednesday, December 12, 2012 10:28 AM
To: cindyjohns...@verizon.net; bind-users@lists.isc.org
Subject: Re: Just wondering if BIND can do GLB -Global Load Balancing Stuff?

> I understand BIND by default cannot work like a GLB, but I am wondering if there are any patches available, or whether the open source software community is aware of any other software that can perform such a thing.
>
> On Wed, Dec 12, 2012 at 8:45 PM, cindyjohns...@verizon.net wrote:
> > BIND does a sort of round robin to load balance among the IPs for a specific host; however, it does not monitor any health or routes and doesn't have the same capabilities as a GTM to choose what IP to answer for a name.
> >
> > I've worked with F5 GTM to monitor and route traffic based on health, status, load, originator, time-of-day, etc. It depends on the model and modules you get that determine what can be done. The implementation you use will be different than ours and should be based on testing what works best. The F5 technicians we work with are very helpful.
> >
> > On 12/12/12, Manish Rane manish...@gmail.com wrote:
> > > Hi Folks,
> > >
> > > Can BIND work as a Global Load Balancer? Or I am keen to know about constructing GTM kinda stuff which can monitor the health of devices and route away traffic from failed ones by putting a lower TTL value? I believe F5 3DNS does the same thing?
Re: transparent DNS load-balancing with a Cisco ACE
Thanks, Phil. This makes perfect sense--unlike TCP, there's nothing inherent in UDP to make sure that packets come back from the right IP. Thank you also for explaining this in terms of the socket APIs. This is something I've only barely touched on--time for me to play around a bit and write some code.

I'd also just been doing an rndc stop/start to update the listening sockets--just what's bundled into the initscript. I'll keep reconfig in mind--might come in handy.

Aside: realized that I didn't reply to the list last time--doing so now.

John

On 10/25/2012 11:53 AM, Phil Mayers wrote:
> On 25/10/12 15:54, John Miller wrote:
> > Is BIND associating each request with a particular socket, then? It would certainly make sense if that were the case. This was something I didn't fully realize.
>
> Yes.
>
> > Something else I didn't fully realize was that by default, BIND binds to _each_ of the available IP addresses on the system--_not_ to 0.0.0.0, as happens with other network daemons (e.g. sshd).
>
> It does this because the cross-platform AF_INET socket APIs are limited. Binding a socket to each separate IP and replying from the same socket is the simplest cross-platform way to guarantee that UDP replies come from the right IP.
>
> AF_INET6 has a newer API which solves this, and if you lsof -i :53 you'll see that bind only opens one socket for IPv6/UDP (unless you are on a system which doesn't implement RFC 3493/3542, in which case it falls back to one socket per IPv6 address).
>
> TCP-based daemons can ignore this, because the TCP stack takes care of it.
>
> Note that bind doesn't detect new IPs immediately - you need to do rndc reconfig or wait for the timer (interface-interval in the options block).
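Phil's point about why a UDP server bound to 0.0.0.0 can answer from the "wrong" address, shown as an added example rather than anything from the thread or from BIND. It starts two tiny UDP responders over loopback, one bound to the wildcard address and one bound to the specific address the client queries, and reports which source address each reply carries. It assumes Linux, where the whole of 127.0.0.0/8 sits on lo, so 127.0.0.2 (standing in for a service address or VIP) and 127.0.0.3 (the client) work without configuration; on another OS add those aliases first.

```python
"""UDP reply source address vs. bind address (added example, not from the thread).

Assumes Linux loopback semantics: every 127.0.0.0/8 address is local, so
127.0.0.2 (the 'service' address) and 127.0.0.3 (the client) need no setup.
"""
import socket
import threading
from typing import Tuple

SERVICE_IP = "127.0.0.2"   # the address the client sends its query to (think: a VIP)
CLIENT_IP = "127.0.0.3"


def start_udp_responder(bind_ip: str) -> Tuple[int, threading.Thread]:
    """Bind one UDP socket to bind_ip on an ephemeral port and answer one datagram from it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((bind_ip, 0))
    port = srv.getsockname()[1]

    def answer_once() -> None:
        srv.settimeout(5)
        try:
            data, peer = srv.recvfrom(512)
            # No IP_PKTINFO here: the kernel picks the source address by route,
            # not by the address the query was sent to.
            srv.sendto(b"reply:" + data, peer)
        except OSError:
            pass
        finally:
            srv.close()

    t = threading.Thread(target=answer_once, daemon=True)
    t.start()
    return port, t


def reply_source(bind_ip: str) -> str:
    """Send one query from CLIENT_IP to SERVICE_IP and return the IP the reply came from."""
    port, t = start_udp_responder(bind_ip)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind((CLIENT_IP, 0))
    cli.settimeout(5)
    try:
        cli.sendto(b"query", (SERVICE_IP, port))
        _, (src_ip, _src_port) = cli.recvfrom(512)
    finally:
        cli.close()
        t.join(5)
    return src_ip


def client_would_accept(bind_ip: str) -> bool:
    """A strict resolver drops a reply whose source is not the address it queried."""
    return reply_source(bind_ip) == SERVICE_IP


if __name__ == "__main__":
    for b in ("0.0.0.0", SERVICE_IP):
        print(f"server bound to {b:10s} -> reply from {reply_source(b)}")
```

With the wildcard bind the reply comes from 127.0.0.1, the preferred source of the loopback route, and a resolver that sent to 127.0.0.2 would discard it as a spoof; with the per-address bind the reply matches. That is exactly the one-socket-per-address workaround BIND uses for IPv4, and why a freshly added address is not answered from until `rndc reconfig` or `interface-interval` picks it up.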
Re: transparent DNS load-balancing with a Cisco ACE
In message cal5w20bysrz5o21eievdgybbg2hum7ydqzfio3cxxo5jzce...@mail.gmail.com, jagan padhi writes:
> Hi,
>
> Is it possible to configure BIND for IPv4 and IPv6 in the same server?
>
> Regards,
> Jagan

Yes.

listen-on-v6 { any; };

By default it uses both IPv4 and IPv6 when recursing.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: transparent DNS load-balancing with a Cisco ACE
On 10/19/2012 07:25 PM, John Miller wrote:
> Here's a question, however: how does one get probes working for a transparent LB setup? If an rserver listens for connections on all interfaces, then probes work fine, but return traffic uses the machine's default IP (not the VIP that was originally queried) for the source address of the return traffic.

I'm not sure I understand this. If a DNS request comes in on a particular IP, bind should reply from that IP, always. If it doesn't, something is going seriously wrong.

> What have people done to get probes working with transparent LB? Are any of you using NAT to handle your dns traffic? Not tying up NAT tables seems like the way to go, but lack of probes is a deal-breaker on this end.

We didn't have to do anything special, and I'm not sure why you have either. Our probes are just:

probe tcp TCP_53_RECDNS
  ip address <public ip>
  port 53
  interval 10

serverfarm host INTERNAL-DNS
  transparent
  predictor leastconns
  probe TCP_53_RECDNS
  rserver <private IP> 53
    inservice

The ACE uses ARP to discover the destination MAC of the private IP, but sends an IP packet to that MAC with a destination of the public IP. The DNS reply comes back from that, and all is well.

I get the feeling I'm not understanding what isn't working for you; can you describe the failure in more detail? What server OS are you running, and can you describe the network config?

Cheers,
Phil
transparent DNS load-balancing with a Cisco ACE
Hello everyone,

Perhaps a Cisco list is a better destination for this, but I've seen a similar post here in the past couple of months, so posting here as well.

I'm trying to get our Cisco ACE set up appropriately to handle DNS traffic. So far, I've gotten it working using NAT (each rserver has a public and a private IP) and using transparent load-balancing (ACE talks directly to the public IP), aka direct server return.

Here's a question, however: how does one get probes working for a transparent LB setup? If an rserver listens for connections on all interfaces, then probes work fine, but return traffic uses the machine's default IP (not the VIP that was originally queried) for the source address of the return traffic.

What have people done to get probes working with transparent LB? Are any of you using NAT to handle your dns traffic? Not tying up NAT tables seems like the way to go, but lack of probes is a deal-breaker on this end.

-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
Re: transparent DNS load-balancing with a Cisco ACE
Hi--

On Oct 19, 2012, at 11:25 AM, John Miller wrote:
> Hello everyone,
>
> Perhaps a Cisco list is a better destination for this, but I've seen a similar post here in the past couple of months, so posting here as well.
>
> I'm trying to get our Cisco ACE set up appropriately to handle DNS traffic. So far, I've gotten it working using NAT (each rserver has a public and a private IP) and using transparent load-balancing (ACE talks directly to the public IP), aka direct server return.

IMO, the only boxes which should have IPs in both public and private netblocks should be your firewall/NAT routing boxes.

> Here's a question, however: how does one get probes working for a transparent LB setup? If an rserver listens for connections on all interfaces, then probes work fine, but return traffic uses the machine's default IP (not the VIP that was originally queried) for the source address of the return traffic.

That's the default routing behavior for most platforms. Some of them might support some form of policy-based routing via ipfw fwd / route-to or similar with other firewall mechanisms which would let the probes get returned from some other source address if you want them to do so.

> What have people done to get probes working with transparent LB? Are any of you using NAT to handle your dns traffic? Not tying up NAT tables seems like the way to go, but lack of probes is a deal-breaker on this end.

The locals around here have the luxury of a /8 netblock, so they can setup the reals behind a LB using publicly routable IPs and never need to NAT upon DNS traffic. Folks with more limited # of routable IPs might well use LB to reals on an unrouteable private network range behind NAT, but in which case they wouldn't configure those boxes with public IPs.

Regards,
-- 
-Chuck
Re: transparent DNS load-balancing with a Cisco ACE
> IMO, the only boxes which should have IPs in both public and private netblocks should be your firewall/NAT routing boxes.

That's how we usually have our servers set up--the load balancer gets the public IPs, the servers get the private IPs, and we use NAT to translate between the two.

> > Here's a question, however: how does one get probes working for a transparent LB setup? If an rserver listens for connections on all interfaces, then probes work fine, but return traffic uses the machine's default IP (not the VIP that was originally queried) for the source address of the return traffic.
>
> That's the default routing behavior for most platforms. Some of them might support some form of policy-based routing via ipfw fwd / route-to or similar with other firewall mechanisms which would let the probes get returned from some other source address if you want them to do so.

Good to know--you'd definitely expect traffic to come back on the main interface. I've considered setting up some iptables rules to make this happen, but if I can avoid it, so much the better. Sounds like this is what I need to do, however, if I want both probes and regular requests to work.

> > What have people done to get probes working with transparent LB? Are any of you using NAT to handle your dns traffic? Not tying up NAT tables seems like the way to go, but lack of probes is a deal-breaker on this end.
>
> The locals around here have the luxury of a /8 netblock, so they can setup the reals behind a LB using publicly routable IPs and never need to NAT upon DNS traffic. Folks with more limited # of routable IPs might well use LB to reals on an unrouteable private network range behind NAT, but in which case they wouldn't configure those boxes with public IPs.

We're on a /16, so we have plenty of public IPs (though not as many as you!) to play with, too. The choice to NAT has historically been more about security than anything else--if something is privately IPed, we've got it on a special VLAN as well.

Presumably those reals are still behind a virtual ip address that's also public, right? If that's the case, how do you keep your probes (to the IP behind the LB) working, while still sending back regular DNS traffic (that was originally sent to the virtual IP) with the VIP as a source address? Seems like you get only one or the other unless you tweak iptables/ipfw/etc.

I appreciate the help, Chuck! Would you mind PMing me or posting your configs? That might be the most useful.

John

-----
Configs:

eth0      Link encap:Ethernet  HWaddr DE:AD:CA:FE:BE:EF
          inet addr:129.64.x.11  Bcast:129.64.x.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING NOARP  MTU:16436  Metric:1

lo:1      Link encap:Local Loopback
          inet addr:129.64.x.53 (VIP)  Mask:255.255.255.255
          UP LOOPBACK RUNNING NOARP  MTU:16436  Metric:1

Here's my ACE config (IP addrs deliberately munged):

access-list anyone line 10 extended permit ip any any

probe dns brandeis.edu-dns
  description Query dns servers for brandeis.edu/A
  interval 5
  passdetect interval 10
  domain brandeis.edu
  expect address 129.64.99.138

rserver host dns1
  description dev-level recursive DNS server; running BIND9 in the xen-ha-environment.
  ip address 129.64.x.11
  inservice
rserver host dns2
  description dev-level recursive DNS server; running PowerDNS in the xen-ha-environment.
  ip address 129.64.x.12
  inservice
rserver host dns3
  description dev-level recursive DNS server; running BIND9 in the XenServer environment.
  ip address 129.64.x.13
  inservice
rserver host dns4
  description dev-level recursive DNS server; running PowerDNS in the XenServer environment.
  ip address 129.64.x.14
  inservice

serverfarm host dns-recursive
  description Dev-level recursive DNS servers--both BIND and PowerDNS
  transparent
  probe brandeis.edu-dns
  rserver dns1
    inservice
  rserver dns2
    inservice
  rserver dns3
    inservice
  rserver dns4
    inservice

class-map match-all VIP
  2 match virtual-address 129.64.x.53 udp eq domain

policy-map type loadbalance first-match L7SLBPOLICY
  class class-default
    serverfarm dns-recursive

policy-map multi-match L4SLBPOLICY
  class VIP
    loadbalance vip inservice
    loadbalance policy L7SLBPOLICY
    loadbalance vip icmp-reply active

interface vlan 100
  ip address 129.64.x.100 255.255.255.0
  peer ip address 129.64.x.101 255.255.255.0
  no normalization
  access-group input anyone
  service-policy input L4SLBPOLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 129.64.x.1
Re: transparent DNS load-balancing with a Cisco ACE
On 10/19/12 1:25 PM, John Miller johnm...@brandeis.edu wrote:
> Hello everyone,
>
> Perhaps a Cisco list is a better destination for this, but I've seen a similar post here in the past couple of months, so posting here as well.
>
> I'm trying to get our Cisco ACE set up appropriately to handle DNS traffic. So far, I've gotten it working using NAT (each rserver has a public and a private IP) and using transparent load-balancing (ACE talks directly to the public IP), aka direct server return.

I've not bothered with nat - just place rservers with unique addresses behind the ACE, let them use the ACE as their default gateway, and then publish a vip. The rservers use their real address for zone transfers with the master, while clients only talk with the vip address.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: transparent DNS load-balancing with a Cisco ACE
Hi--

On Oct 19, 2012, at 1:04 PM, John Miller wrote:
> > IMO, the only boxes which should have IPs in both public and private netblocks should be your firewall/NAT routing boxes.
>
> That's how we usually have our servers set up--the load balancer gets the public IPs, the servers get the private IPs, and we use NAT to translate between the two.

OK.

> > > Here's a question, however: how does one get probes working for a transparent LB setup? If an rserver listens for connections on all interfaces, then probes work fine, but return traffic uses the machine's default IP (not the VIP that was originally queried) for the source address of the return traffic.
> >
> > That's the default routing behavior for most platforms. Some of them might support some form of policy-based routing via ipfw fwd / route-to or similar with other firewall mechanisms which would let the probes get returned from some other source address if you want them to do so.
>
> Good to know--you'd definitely expect traffic to come back on the main interface. I've considered setting up some iptables rules to make this happen, but if I can avoid it, so much the better. Sounds like this is what I need to do, however, if I want both probes and regular requests to work.

Perhaps I misunderstand, but if the internal boxes only have one IP, how can they not be using the right source address when replying to liveness probes from your LB or some other monitor? Do you probe on an external IP and have something else doing NAT besides the LB itself? Or do you setup a second IP on your reals which is what the LB sends traffic to? (That's kinda what your lo:1 entry of 129.64.x.53 looked like.)

> > > What have people done to get probes working with transparent LB? Are any of you using NAT to handle your dns traffic? Not tying up NAT tables seems like the way to go, but lack of probes is a deal-breaker on this end.
> >
> > The locals around here have the luxury of a /8 netblock, so they can setup the reals behind a LB using publicly routable IPs and never need to NAT upon DNS traffic. Folks with more limited # of routable IPs might well use LB to reals on an unrouteable private network range behind NAT, but in which case they wouldn't configure those boxes with public IPs.
>
> We're on a /16, so we have plenty of public IPs (though not as many as you!) to play with, too. The choice to NAT has historically been more about security than anything else--if something is privately IPed, we've got it on a special VLAN as well.

OK. I've seen too many examples of traffic leaking between VLANs to completely trust their isolation, but good security ought to involve many layers which don't have to each be perfect to still provide worthwhile benefits.

> Presumably those reals are still behind a virtual ip address that's also public, right?

Yes, presumably. :)

> If that's the case, how do you keep your probes (to the IP behind the LB) working, while still sending back regular DNS traffic (that was originally sent to the virtual IP) with the VIP as a source address? Seems like you get only one or the other unless you tweak iptables/ipfw/etc.

There are two types of probes that I'm familiar with. One involves liveness probes between the LB itself to the reals, which is done so that the LB can decide which of the reals are available and should be getting traffic. For these, the reals are replying using their own IPs.

The other type of probe is to the VIP; the LB forwards traffic to the reals, gets a reply, and then proxies or rewrites these responses and returns them to the origin of the probe using the IP of the VIP. Or you can short-cut replies going back via the LB using DSR (Direct Service Return), or whatever your LB vendor calls that functionality...

All of your normal clients would only be talking to the VIP, and would only see traffic coming from the VIP's IP.

> I appreciate the help, Chuck! Would you mind PMing me or posting your configs? That might be the most useful.

Pretend that some folks nearby are using Citrix Netscaler MPX boxes rather than Cisco hardware, so this might not be too useful to your case; an example config for a webserver would look something like:

add serviceGroup SomeService-svg HTTP -maxClient 0 -maxReq 0 -cip ENABLED x-user-addr -usip NO -useproxyport YES -cltTimeout 120 -svrTimeout 300 -CKA YES -TCPB YES -CMP NO
add lb vserver LB-SomeService-80 HTTP 1.2.3.4 80 -persistenceType NONE -cltTimeout 120
bind lb vserver LB-SomeService-80 SomeService-svg
bind serviceGroup SomeService-svg rserver1 8080
bind serviceGroup SomeService-svg rserver2 8080
bind serviceGroup SomeService-svg rserver3 8080
bind serviceGroup SomeService-svg rserver4 8080

[ This is a generic example for a webserver, or for similar things which use HTTP to communicate. Another group handles DNS, so I don't have a generic example for that handy. And yeah, NDA issues prevent me from being as
Re: transparent DNS load-balancing with a Cisco ACE
-----Original Message-----
From: Chuck Swiger cswi...@mac.com
Date: Friday, October 19, 2012 5:09 PM
To: John Miller johnm...@brandeis.edu
Cc: DNS BIND bind-us...@isc.org
Subject: Re: transparent DNS load-balancing with a Cisco ACE

> > We're on a /16, so we have plenty of public IPs (though not as many as you!) to play with, too. The choice to NAT has historically been more about security than anything else--if something is privately IPed, we've got it on a special VLAN as well.
>
> OK. I've seen too many examples of traffic leaking between VLANs to completely trust their isolation, but good security ought to involve many layers which don't have to each be perfect to still provide worthwhile benefits.

NAT is not a security mechanism :-)

> > If that's the case, how do you keep your probes (to the IP behind the LB) working, while still sending back regular DNS traffic (that was originally sent to the virtual IP) with the VIP as a source address? Seems like you get only one or the other unless you tweak iptables/ipfw/etc.
>
> There are two types of probes that I'm familiar with. One involves liveness probes between the LB itself to the reals, which is done so that the LB can decide which of the reals are available and should be getting traffic. For these, the reals are replying using their own IPs.
>
> The other type of probe is to the VIP; the LB forwards traffic to the reals, gets a reply, and then proxies or rewrites these responses and returns them to the origin of the probe using the IP of the VIP. Or you can short-cut replies going back via the LB using DSR (Direct Service Return), or whatever your LB vendor calls that functionality...
>
> All of your normal clients would only be talking to the VIP, and would only see traffic coming from the VIP's IP.

Hmm, I must have got lucky or this is being over-thought... I use ACE with Linux/BIND reals and DSR. No problems with traffic or probes. I would avoid NAT for DNS. It's certainly possible, though NDAs avoid copy/paste. :-(

Ugly URLs suck almost as much as NDAs:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Server_Load-Balancing_Configuration_Examples#Example_of_a_UDP_Probe_Load-Balancing_Configuration

Better:
https://lists.isc.org/pipermail/bind-users/2012-March/087105.html

While you're at it, test your fixups... :-)
https://www.dns-oarc.net/oarc/services/replysizetest/

Good luck!
Cisco ACE config for internal DNS load balancing
Anyone have any suggestions/best practices/config examples for DNS load balancing for internal use on Cisco ACE blades? I've got the standard example working, but wondered about keepalive frequency, timeouts, fragments, etc. Anyone got any examples they use that they could share?

Matthew Huff           | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC     | Phone: 914-460-4039
aim: matthewbhuff      | Fax: 914-460-4139
Re: Cisco ACE config for internal DNS load balancing
On 09/03/12 16:23, Matthew Huff wrote:
> Anyone have any suggestions/best practices/config examples for DNS load balancing for internal use on Cisco ACE blades? I've got the standard example working, but wondered about keepalive frequency, timeouts, fragments, etc. Anyone got any examples they use that they could share?

We do transparent LB; the servers all have the service VIP as a /32 on their loopback interface. The packet flow is:

Req: client -> ace -> dns server
Rsp: dns server -> client

This has the advantage that the DNS servers don't have to sit behind the ACE.

We then use this config:

probe tcp TCP_53_RECDNS
  ip address <the service VIP>
  port 53
  interval 10

serverfarm host INTERNAL-DNS
  transparent
  predictor leastconns
  probe TCP_53_RECDNS
  rserver RSERVER1 53
    inservice
  rserver RSERVER2 53
    inservice
  rserver RSERVER3 53
    inservice
  rserver RSERVER4 53
    inservice

class-map match-any VIP_RECURSIVE-DNS
  2 match virtual-address <the service VIP> udp eq domain
  3 match virtual-address <the service VIP> tcp eq domain

policy-map type loadbalance first-match SLB_INTERNAL-DNS
  class class-default
    serverfarm INTERNAL-DNS

policy-map multi-match VIPS_VLANXX
  class VIP_RECURSIVE-DNS
    loadbalance vip inservice
    loadbalance policy SLB_INTERNAL-DNS
    loadbalance vip icmp-reply
    loadbalance vip advertise

We didn't fiddle with the keepalive, probes, or anything else. It's been very well behaved in this config.
Re: Cisco ACE config for internal DNS load balancing
On 3/9/12 8:39 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 09/03/12 16:23, Matthew Huff wrote:
>> Anyone have any suggestions/best practices/config examples for DNS load balancing for internal use on CISCO ACE blades? I've got the standard example working, but wondered about keepalive frequency, timeouts, fragments, etc. Anyone got any examples they use that they could share?
>
> We do transparent LB; the servers all have the service VIP as a /32 on their loopback interface. The packet flow is:
>
> Req: client -> ace -> dns server
> Rsp: dns server -> client
>
> This has the advantage that the DNS servers don't have to sit behind the ACE.

+1 -- Sometimes called DSR or Direct Server Return, I consider it the only way to configure sites/services of any significant size.

-- 
All his life he has looked away... to the horizon, to the sky, to the future. Never his mind on where he was, on what he was doing. -- Yoda
Re: load-balancing in DNS using two A records
On 12/20/2011 1:22 PM, Matus UHLAR - fantomas wrote:
> On 20.12.11 19:37, Martin T wrote:
>> I have seen setups where one domain name has two address records. First IP address is in the ISP-A network and the other one is in the ISP-B network. In case I execute host www.domainname.com, I always get two IP addresses as a reply and they always appear by turns. Am I correct, that setup like this provides redundancy as well as load-balancing?
>
> Kind of. It's much better to have real load-balancing and failover by multiple links or L3 load balancers.
>
>> Is there some common method in BIND to give out IP addresses by turns? Last but not least, how does the application layer (for example www, ssh) handle such a setup?
>
> bind usually gives all possible addresses for a name in random order. You can affect this a bit by using the sortlist statement, where you can tell BIND which address to prefer for which client (and an intermediate server may re-sort according to its knowledge).

Just be aware, Wintel clients often choose addresses out-of-received-sequence according to their notion of subnet prioritization (older OSes) and/or RFC 3484 logic (newer ones), thus effectively overriding any sortlisting you do on the BIND side.

- Kevin
Re: load-balancing in DNS using two A records
In message 2011122018.ga3...@fantomas.sk, Matus UHLAR - fantomas writes:
>> A long time ago when we were trying to have multiple web servers for redundancy and balancing, we found that multiple IPs is not a good solution (parts of web pages didn't load). We selected L3 switches then...

On 21.12.11 09:26, Mark Andrews wrote:
> Which is really the result of badly designed clients. Clients are getting better with address affinity and fast failover on unreachable servers.

It's been a long time ago (~10 years). And even if they did failover, 30s (tcp connection timeout) delays are very ugly when loading a web page.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (in Slovak): I do NOT want to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: load-balancing in DNS using two A records
In message 20111221083337.gb5...@fantomas.sk, Matus UHLAR - fantomas writes:
> In message 2011122018.ga3...@fantomas.sk, Matus UHLAR - fantomas writes:
>>> A long time ago when we were trying to have multiple web servers for redundancy and balancing, we found that multiple IPs is not a good solution (parts of web pages didn't load). We selected L3 switches then...
>
> On 21.12.11 09:26, Mark Andrews wrote:
>> Which is really the result of badly designed clients. Clients are getting better with address affinity and fast failover on unreachable servers.
>
> It's been a long time ago (~10 years). And even if they did failover, 30s (tcp connection timeout) delays are very ugly when loading a web page.

Indeed. 150-250ms [1] is a more realistic timeout for starting a second connection attempt. You use the connection which completes first and close the others if they complete.

Mark

[1] http://tools.ietf.org/html/draft-ietf-v6ops-happy-eyeballs-07

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
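The client-side behaviour Mark describes, as an added example that is not code from the thread, from ISC or from the happy-eyeballs draft: attempts are started a short stagger apart (or immediately after a refusal) instead of waiting out a full TCP timeout, the first connection to complete wins, and late successes are closed. The `connector` parameter is an assumption made so the race can be exercised offline; `simulated_connect` is a constructed stand-in, and the default `tcp_connect` is a real TCP connect.

```python
import queue
import socket
import threading
import time
from typing import Callable, Optional, Sequence, Tuple

Addr = Tuple[str, int]


def tcp_connect(addr: Addr, timeout: float) -> socket.socket:
    """Real connector: a blocking TCP connect bounded by its own timeout."""
    return socket.create_connection(addr, timeout=timeout)


def simulated_connect(addr: Addr, timeout: float) -> str:
    """Constructed stand-in for tcp_connect so the race can run offline:
    host 'fast' answers in 50 ms, 'slow' in 500 ms, anything else is refused at once."""
    delay = {"fast": 0.05, "slow": 0.5}.get(addr[0])
    if delay is None:
        raise ConnectionRefusedError(f"{addr[0]}: connection refused")
    time.sleep(min(delay, timeout))
    return f"connection to {addr[0]}"


def _close_losers(results: "queue.Queue", count: int) -> None:
    """Background: wait for the attempts still in flight and close any that connect late."""
    for _ in range(count):
        _, ok, payload = results.get()
        if ok and callable(getattr(payload, "close", None)):
            payload.close()


def race_connect(
    addrs: Sequence[Addr],
    stagger: float = 0.25,
    timeout: float = 5.0,
    connector: Callable[[Addr, float], object] = tcp_connect,
) -> Tuple[Optional[Addr], object]:
    """Try addrs in order. A new attempt starts every `stagger` seconds while none has
    succeeded, or immediately when the previous one fails. The first connection to
    complete wins; later ones are closed. Returns (addr, connection) or (None, error)."""
    results: "queue.Queue[Tuple[Addr, bool, object]]" = queue.Queue()
    last_error: object = OSError("no addresses to try")
    pending = 0
    next_idx = 0
    next_launch = time.monotonic()          # the first attempt goes out immediately
    deadline = next_launch + timeout

    def attempt(addr: Addr) -> None:
        try:
            results.put((addr, True, connector(addr, timeout)))
        except OSError as exc:
            results.put((addr, False, exc))

    while True:
        now = time.monotonic()
        if next_idx < len(addrs) and (pending == 0 or now >= next_launch):
            threading.Thread(target=attempt, args=(addrs[next_idx],), daemon=True).start()
            next_idx += 1
            pending += 1
            next_launch = now + stagger
        if pending == 0:
            return None, last_error             # every address was tried and failed
        wait = (next_launch if next_idx < len(addrs) else deadline) - time.monotonic()
        try:
            addr, ok, payload = results.get(timeout=max(0.0, wait))
        except queue.Empty:
            if next_idx < len(addrs):
                continue                        # stagger elapsed: start the next candidate
            return None, TimeoutError("no address connected before the deadline")
        pending -= 1
        if ok:
            if pending:                         # let the losers finish and be closed off-path
                threading.Thread(target=_close_losers, args=(results, pending), daemon=True).start()
            return addr, payload
        last_error = payload
        next_launch = time.monotonic()          # a refusal frees the slot: try the next address now


if __name__ == "__main__":
    # Constructed demo: a dead first address must not cost the client a full TCP timeout.
    print(race_connect([("dead", 80), ("slow", 80), ("fast", 80)], stagger=0.1,
                       connector=simulated_connect))
```

With real sockets, pass the addresses from `getaddrinfo()` in the order the resolver returned them; the stagger is what turns a dead first A record into a sub-second delay rather than the 30 s Matus complains about.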
Re: load-balancing in DNS using two A records
In article mailman.581.1324405362.68562.bind-us...@lists.isc.org, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 20.12.11 19:37, Martin T wrote:
>> I have seen setups where one domain name has two address records. First IP address is in the ISP-A network and the other one is in the ISP-B network. In case I execute host www.domainname.com, I always get two IP addresses as a reply and they always appear by turns. Am I correct, that setup like this provides redundancy as well as load-balancing?
>
> Kind of. It's much better to have real load-balancing and failover by multiple links or L3 load balancers.

If you're a real cheapskate and have a little scripting expertise you can do what we did before we went to hardware load balancing. Give your systems names with short TTLs in a dynamic zone. Have a watchdog process monitor the systems and remove any that don't respond. It's not generally fast enough to help individual clients but it can help the overall availability of a system. It's victim to browsers ignoring TTLs, of course, though I've never been able to verify such browser behaviour myself.

Sam
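A watchdog of the kind Sam describes, written here as an added example rather than Sam's own script: each server gets a health check, and the A RRset of the balanced name in a dynamic zone is rewritten through `nsupdate` to contain only the healthy ones. The zone, name, addresses, TSIG key file and the port checked are all placeholders. One caveat is built in: if nothing passes the check, the zone is left alone, since an empty RRset takes the service off the air entirely and "everything is down" is more often the watchdog's own vantage point failing.

```python
import socket
import subprocess
from typing import Callable, Dict, Optional

ZONE = "example.com."                      # assumption: a dynamic zone accepting TSIG-signed updates
SERVICE = "www.example.com."               # assumption: the balanced name
TTL = 60                                   # short TTL so a removal is noticed quickly
KEYFILE = "/etc/bind/watchdog.key"         # assumption: TSIG key granted update rights on the zone
SERVERS = {"192.0.2.10": 80, "192.0.2.11": 80}   # constructed: web servers and the port to check


def tcp_alive(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Health check: can we complete a TCP handshake with the service port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_servers(servers: Dict[str, int],
                  check: Callable[[str, int], bool] = tcp_alive) -> Dict[str, bool]:
    """Map each server address to its current health."""
    return {ip: check(ip, port) for ip, port in servers.items()}


def nsupdate_batch(zone: str, name: str, ttl: int, health: Dict[str, bool]) -> Optional[str]:
    """Build the nsupdate script that makes the A RRset match the healthy set.

    The whole RRset is replaced inside one update transaction: delete every A
    record, add back the healthy ones, send. If nothing is healthy, return None
    and leave the zone untouched rather than publishing an empty name.
    """
    healthy = sorted(ip for ip, ok in health.items() if ok)
    if not healthy:
        return None
    lines = [f"zone {zone}", f"update delete {name} A"]
    lines += [f"update add {name} {ttl} A {ip}" for ip in healthy]
    lines.append("send")
    return "\n".join(lines) + "\n"


def apply_batch(batch: str, keyfile: str = KEYFILE) -> None:
    """Feed the script to nsupdate, signing the update with the TSIG key (nsupdate -k)."""
    subprocess.run(["nsupdate", "-k", keyfile], input=batch, text=True, check=True)


if __name__ == "__main__":
    batch = nsupdate_batch(ZONE, SERVICE, TTL, check_servers(SERVERS))
    if batch is None:
        print("no healthy server seen; leaving the zone untouched")
    else:
        print(batch, end="")
        apply_batch(batch)
```

Run it from cron or a loop every TTL or so. The TSIG key should be restricted in named.conf (`update-policy` grant on the one name and type) so that a compromised watchdog host cannot rewrite anything but that RRset.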
load-balancing in DNS using two A records
I have seen setups where one domain name has two address records. First IP address is in the ISP-A network and the other one is in the ISP-B network. In case I execute host www.domainname.com, I always get two IP addresses as a reply and they always appear by turns. Am I correct, that setup like this provides redundancy as well as load-balancing?

Is there some common method in BIND to give out IP addresses by turns?

Last but not least, how does the application layer (for example www, ssh) handle such a setup?

regards,
martin
Re: load-balancing in DNS using two A records
On 12/20/2011 12:37 PM, Martin T wrote:
> I have seen setups where one domain name has two address records. First IP address is in the ISP-A network and the other one is in the ISP-B network. In case I execute host www.domainname.com, I always get two IP addresses as a reply and they always appear by turns. Am I correct, that setup like this provides redundancy as well as load-balancing?
>
> Is there some common method in BIND to give out IP addresses by turns?
>
> Last but not least, how does the application layer (for example www, ssh) handle such a setup?

The only thing involved is having two A records for the same name. It's not truly load-balancing, but it can do the trick in some circumstances.

All applications I've seen ask for and use one IP address. Therefore, SSH will be sometimes connecting to one server and sometimes another. Generally with SSH you care what you're connecting to and will also have individual records for each host to use for that purpose.

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
Re: load-balancing in DNS using two A records
On 20.12.11 19:37, Martin T wrote:
> I have seen setups where one domain name has two address records. First IP address is in the ISP-A network and the other one is in the ISP-B network. In case I execute host www.domainname.com, I always get two IP addresses as a reply and they always appear by turns. Am I correct, that setup like this provides redundancy as well as load-balancing?

Kind of. It's much better to have real load-balancing and failover by multiple links or L3 load balancers.

> Is there some common method in BIND to give out IP addresses by turns? Last but not least, how does the application layer (for example www, ssh) handle such a setup?

bind usually gives all possible addresses for a name in random order. You can affect this a bit by using the sortlist statement, where you can tell BIND which address to prefer for which client (and an intermediate server may re-sort according to its knowledge).

When one of those IPs fails, you can expect half of your connections to such a host to fail, and it's up to the client how to handle this situation. A long time ago when we were trying to have multiple web servers for redundancy and balancing, we found that multiple IPs is not a good solution (parts of web pages didn't load). We selected L3 switches then...

A different situation is when you have multiple providers and want to use multiple uplinks with different IPs for the same servers. While this can work with some NAT playing, it should be better to get your provider-independent address space (if possible) and use separate uplinks. That gives you much better line saturation.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (in Slovak): I do NOT want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
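As an added example that is not from this thread, the two BIND 9 `options` statements behind what Matus describes: `rrset-order` sets the order in which the records of an RRset leave the server (`cyclic` is the "by turns" rotation Martin asked about, `random` the default-style shuffle), and `sortlist` lets you prefer particular addresses for particular client networks. The addresses come from the documentation ranges and the zone name is a placeholder; it assumes `www.example.com` has one A record in each of the two ranges.

```conf
options {
    // Hand out www.example.com's A records in rotation (a, b / b, a / ...);
    // every other RRset goes out in random order.
    rrset-order {
        class IN type A name "www.example.com" order cyclic;
        order random;
    };

    // Per-client preference: queries from 192.0.2.0/24 get the 192.0.2.x
    // answer first, then 198.51.100.x; queries from 198.51.100.0/24 get the
    // reverse. Clients matching no entry get the rrset-order result as-is.
    sortlist {
        { 192.0.2.0/24;    { 192.0.2.0/24; 198.51.100.0/24; }; };
        { 198.51.100.0/24; { 198.51.100.0/24; 192.0.2.0/24; }; };
    };
};
```

Verify with `dig @server www.example.com A` from hosts in each range and watch the answer order change. The caveat Kevin raises in this same thread still applies: a stub resolver that does its own address selection (RFC 3484 rules, Windows subnet prioritization) can reorder whatever the server sent, so neither statement guarantees which address a given client will try first.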
Re: load-balancing in DNS using two A records
In message 2011122018.ga3...@fantomas.sk, Matus UHLAR - fantomas writes:
> On 20.12.11 19:37, Martin T wrote:
>> I have seen setups where one domain name has two address records. First IP address is in the ISP-A network and the other one is in the ISP-B network. In case I execute host www.domainname.com, I always get two IP addresses as a reply and they always appear by turns. Am I correct, that setup like this provides redundancy as well as load-balancing?
>
> Kind of. It's much better to have real load-balancing and failover by multiple links or L3 load balancers.
>
>> Is there some common method in BIND to give out IP addresses by turns? Last but not least, how does the application layer (for example www, ssh) handle such a setup?
>
> bind usually gives all possible addresses for a name in random order. You can affect this a bit by using the sortlist statement, where you can tell BIND which address to prefer for which client (and an intermediate server may re-sort according to its knowledge).
>
> When one of those IPs fails, you can expect half of your connections to such a host to fail, and it's up to the client how to handle this situation. A long time ago when we were trying to have multiple web servers for redundancy and balancing, we found that multiple IPs is not a good solution (parts of web pages didn't load). We selected L3 switches then...

Which is really the result of badly designed clients. Clients are getting better with address affinity and fast failover on unreachable servers.

> A different situation is when you have multiple providers and want to use multiple uplinks with different IPs for the same servers. While this can work with some NAT playing, it should be better to get your provider-independent address space (if possible) and use separate uplinks. That gives you much better line saturation.
>
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie (in Slovak): I do NOT want to receive any advertising mail at this address.
> Nothing is fool-proof to a talented fool.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 31/05/11 09:28, Matus UHLAR - fantomas wrote:
>>> This problem could be avoided by providing the same data, but differently sorted, correct?

On 31.05.11 12:27, Phil Mayers wrote:
>>> Not really. Client side sorting may take place (e.g. to comply with RFC 3484 policies in calls to getaddrinfo) and destroy any server-side sorting.

On 01/06/11 08:11, Matus UHLAR - fantomas wrote:
>> by this problem I mean the DNSSEC. Providing all the data just differently sorted would cause them to be DNSSEC compliant, wouldn't it?

On 01.06.11 10:55, Phil Mayers wrote:
> Yes, but the client would then re-sort the data, so it wouldn't achieve the original purpose. Sorting the data server side gives you essentially no control over which record the client will pick if they are calling getaddrinfo, as is likely.

Aha, I've got it. However data sorting at the client's side should not affect many clients, only where
- the client has sorting set up
- the sorting client prefers one of the IPs used in the RRset.
We have set that up to prefer IPs from our network over foreign.

> As Mark has already pointed out, the approach is not intrinsically DNSSEC-hostile. It's perfectly legitimate to serve different data with different, valid, signatures. This is what happens with signature regen and key rollover. In this case, it would just be a permanent case of rollover - one KSK, one ZSK per dns server and different copies of the zone.

With sorting, they need only one copy of each zone.

> I withhold judgement on whether it's a good approach in general. I suspect it's just GSLB-lite personally.

Correct

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (in Slovak): I do NOT want to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot.
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 31/05/11 09:28, Matus UHLAR - fantomas wrote:
>> This problem could be avoided by providing the same data, but differently sorted, correct?

On 31.05.11 12:27, Phil Mayers wrote:
> Not really. Client side sorting may take place (e.g. to comply with RFC 3484 policies in calls to getaddrinfo) and destroy any server-side sorting.

by this problem I mean the DNSSEC. Providing all the data just differently sorted would cause them to be DNSSEC compliant, wouldn't it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (in Slovak): I do NOT want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 5/31/2011 7:39 AM, Mark Andrews wrote:
> It is still a bad idea. Fixing the clients so they work well with multi-homed servers not only works today with mostly IPv4 servers but also works well with dual stack servers and IPv6 only servers. You don't have to have artificially low TTLs on the DNS responses. You get sub-second failover on new connections.

Easy there fellow. We run with a 15m TTL and we get no complaints from customers. Sure I am sure someone somewhere does get an error but they are not enough for people to email us and call us... Prior to DNS racing we used to get a lot of calls.. we had to do the fail over and balancing by telling them to type in mail2.mailme.hk.com

We do get more traffic on one ISP than the other as it has better peering, lower latency pipes, even though the circuit to them is slower on our side... Though I can tell when they are having problems as traffic volumes move to the other circuit automatically.

> If you really want to perform races then connect() races will reflect actual client topology not resolver topology.

Yes the flaw has been pointed out, if the DNS resolvers are not on the same ISP/AS number the user will not be sent to the optimal path

> DNS Race doesn't work in a dual stack environment as it is dependent on the record type and transport matching.
>
> As for Chrome. It was an example of an application which does work well with multi-homed servers.

Either someone sits down and re-writes the archaic code in the resolver library client in kernels and builds most of the intelligence in bind OR all applications have to be re-written... Or you can use DNS Racing..

My idea is good as I can do the changes on my side for the people that are not running dual stacks etc, they will experience the same problems as I need to polish up on bind and find out about the RR sorting, so that Chrome etc works better.

Thank you all for your feedback and criticism

Maren.

> Mark
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 01/06/11 08:11, Matus UHLAR - fantomas wrote:
> On 31/05/11 09:28, Matus UHLAR - fantomas wrote:
>>> This problem could be avoided by providing the same data, but differently sorted, correct?
>
> On 31.05.11 12:27, Phil Mayers wrote:
>> Not really. Client side sorting may take place (e.g. to comply with RFC 3484 policies in calls to getaddrinfo) and destroy any server-side sorting.
>
> by this problem I mean the DNSSEC. Providing all the data just differently sorted would cause them to be DNSSEC compliant, wouldn't it?

Yes, but the client would then re-sort the data, so it wouldn't achieve the original purpose. Sorting the data server side gives you essentially no control over which record the client will pick if they are calling getaddrinfo, as is likely.

As Mark has already pointed out, the approach is not intrinsically DNSSEC-hostile. It's perfectly legitimate to serve different data with different, valid, signatures. This is what happens with signature regen and key rollover. In this case, it would just be a permanent case of rollover - one KSK, one ZSK per dns server and different copies of the zone.

I withhold judgement on whether it's a good approach in general. I suspect it's just GSLB-lite personally.
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
In message 4de43e3e.2040...@chrysler.com, Kevin Darcy writes:
>> Normally I'd defer to your vastly greater knowledge and experience in DNSSEC, but here in the U.S. we have a saying "I'm from Missouri", which is a roundabout way of expressing "show me" ("Show Me" being the unofficial slogan of the state of Missouri). Maybe it *should* work, but when it comes to nifty technical hacks, until co-existence is actually demonstrated, I still think there might be a gotcha somewhere...

On 31.05.11 11:33, Mark Andrews wrote:
> This happens all the time whenever a signed zone content changes. You have different servers returning different answers for the same query all of which can be validated as secure. DNSSEC requires that the data and signature pass through the system as an atomic unit. DNSSEC aware servers and resolvers keep this data together. If you don't things break. DNS Race just keeps the answers permanently out of sync instead of the temporary condition that happens with normal updates.

This problem could be avoided by providing the same data, but differently sorted, correct?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (in Slovak): I do NOT want to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 31/05/11 09:28, Matus UHLAR - fantomas wrote:
> This problem could be avoided by providing the same data, but differently sorted, correct?

Not really. Client side sorting may take place (e.g. to comply with RFC 3484 policies in calls to getaddrinfo) and destroy any server-side sorting.
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 30.05.11 05:12, Maren S. Leizaola wrote:
> DNS-Racing is a method of load balancing access to servers which are multi homed and provides lowest latency access to users and network resilience to ISP/routing failure.

like, RRset sorting?

> What does it do?
>
> It permits a server which is connected to two ISPs to use the optimal ISP when transferring data to a user regardless of TCP/UDP protocol. When a user does a DNS lookup it will select the IP address of the server which is closest. If one of the two ISPs is down or there is a routing problem the user will only be offered the IP address of the server it has access to. It also means that traffic will have the lowest latency.
>
> DNS Racing can be done with 2 or more providers and permits scaling network bandwidth horizontally by adding more providers. In theory up to 14 different ISPs/IPs could be used to do the delivery.
>
> It is a poor man's replacement for BGP multihoming and IP anycast.
>
> For those that want a full explanation and an implementation guide.
> http://blog.hk.com/index.php?/archives/84-DNS-Racing.-Multi-ISP-load-balancing-with-failover-using-DNS..html
>
> Hey it is Free and you can implement it using BIND.

So, any server will return the IP that is closer to the _server_, not to the _client_. It relies on the BIND RTT-measuring feature that has undergone some changes in the past and occasionally tries the far (topologically) server to see if it's still far, in which case the client will get the worse result...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (in Slovak): I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: Re: DNS Racing -Multi ISP load balancing with failover using DNS.
Hello, I am reading this mailing as a digest so sorry for the late replies.

Firstly we have been using this method for over 4 years and I've not yet had one person tell me that they can connect to our servers using POP3, SMTP, IMAP or WEB.

1. Mark, regarding Chrome, in my last big crawl of the internet from Hong Kong the average DNS resolution was 450ms average... so 300ms would give you what result. Not sure I don't care. I am talking for IP connectivity not some application deciding which RR it should use as many applications are dumb and you can't ask the remote end to change anything. FYI, I will never use Chrome and nor will many people due to privacy issues. It is banned in companies in Asia.

2. Mark, there are no modifications to any packets at the DNS resolver level, not sure why there would have to be. We have not yet implemented DNSSEC so I don't know if this breaks anything. First packet wins, both can be signed. Now if you have something set on paranoid mode which checks the consistency of the DNS servers it would fail... that is an extreme minority and I have YET to see a complaint.

Matus, I like your reply. You are right that the winning IP would be the one that is closer to the resolving server than to the client.. I know that not everyone is using a DNS resolver on the same network/AS number that they are on. This could be the biggest flaw. Say you use Google FreeDNS and it will give as a reply whatever google can access the fastest. However if you are using a DNS resolver within your AS number you will benefit from DNS Racing. Well pointed out. All that this does is break the best path and access guarantee that DNS Racing provides. In reality if you don't implement DNS racing you would get the same result.

No it does not rely on the BIND RTT feature, we are talking about pure latency: DNS replies race to the resolver, the one that gets there first is the winner.

This is not something that I just dreamed up yesterday, we have been using it for years without problems which is why I feel it is safe to document and recommend it.

Regards,
Maren.

On 3:59 AM, Mark Andrews wrote:
> And if people used happy-eyeballs[1] or similar[2] in the applications this would not be needed. Chrome already does this with their latest browser. It uses a 300ms timer to switch to the next address.
>
> Happy-eyeballs was primarily written to deal with broken 6to4 links but the techniques are applicable to any multi-homed service be it IPv4 only, IPv6 only or a mixture of IPv4 and IPv6.
>
> Mark
>
> [1] http://tools.ietf.org/html/draft-wing-v6ops-happy-eyeballs-ipv6-01
> [2] https://www.isc.org/community/blog/201101/how-to-connect-to-a-multi-homed-server-over-tcp
>
> In message 4de2c00b.6090...@isc.org, Alan Clegg writes:
>> On 5/29/2011 5:12 PM, Maren S. Leizaola wrote:
>>> It is a poor man's replacement for BGP multihoming and IP anycast.
>>> Hey it is Free and you can implement it using BIND.
>>
>> And you've just broken DNSSEC.
>>
>> AlanC
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
It is still a bad idea. Fixing the clients so they work well with multi-homed servers not only works today with mostly IPv4 servers but also works well with dual stack servers and IPv6 only servers. You don't have to have artificially low TTLs on the DNS responses. You get sub-second failover on new connections.

If you really want to perform races then connect() races will reflect actual client topology not resolver topology.

DNS Race doesn't work in a dual stack environment as it is dependent on the record type and transport matching.

As for Chrome. It was an example of an application which does work well with multi-homed servers.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
In message 4de42bef.3050...@chrysler.com, Kevin Darcy writes:
> Get back to us when you prove that this co-exists with DNSSEC; otherwise it's a non-starter. While you're at it, some data proving that this actually enhances performance or availability would be nice too.

On further examination it will work w/ DNSSEC.

As for availability it will decrease it as there is no way the client can do the failover for itself as it no longer has the necessary data.

As for performance, your mileage may vary, as they say in car commercials.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
Normally I'd defer to your vastly greater knowledge and experience in DNSSEC, but here in the U.S. we have a saying "I'm from Missouri", which is a roundabout way of expressing "show me" ("Show Me" being the unofficial slogan of the state of Missouri). Maybe it *should* work, but when it comes to nifty technical hacks, until co-existence is actually demonstrated, I still think there might be a gotcha somewhere...

- Kevin

P.S. Don't even get me started on car commercials. I've seen a few that never even made it to the public eye :-)

On 5/30/2011 8:18 PM, Mark Andrews wrote:
> In message 4de42bef.3050...@chrysler.com, Kevin Darcy writes:
>> Get back to us when you prove that this co-exists with DNSSEC; otherwise it's a non-starter. While you're at it, some data proving that this actually enhances performance or availability would be nice too.
>
> On further examination it will work w/ DNSSEC.
>
> As for availability it will decrease it as there is no way the client can do the failover for itself as it no longer has the necessary data.
>
> As for performance, your mileage may vary, as they say in car commercials.
>
> Mark
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
In message 4de43e3e.2040...@chrysler.com, Kevin Darcy writes:
> Normally I'd defer to your vastly greater knowledge and experience in DNSSEC, but here in the U.S. we have a saying "I'm from Missouri", which is a roundabout way of expressing "show me" ("Show Me" being the unofficial slogan of the state of Missouri). Maybe it *should* work, but when it comes to nifty technical hacks, until co-existence is actually demonstrated, I still think there might be a gotcha somewhere...

This happens all the time whenever a signed zone content changes. You have different servers returning different answers for the same query all of which can be validated as secure. DNSSEC requires that the data and signature pass through the system as an atomic unit. DNSSEC aware servers and resolvers keep this data together. If you don't things break. DNS Race just keeps the answers permanently out of sync instead of the temporary condition that happens with normal updates.

Mark

> - Kevin
>
> P.S. Don't even get me started on car commercials. I've seen a few that never even made it to the public eye :-)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
DNS Racing -Multi ISP load balancing with failover using DNS.
DNS-Racing is a method of load balancing access to servers which are multi-homed, and provides lowest latency access to users and network resilience to ISP/routing failure.

*What does it do?*

It permits a server which is connected to two ISPs to use the optimal ISP when transferring data to a user regardless of TCP/UDP protocol. When a user does a DNS look up it will select the IP address of the server which is closest. If one of the two ISPs is down or there is a routing problem the user will only be offered the IP address of the server it has access to. It also means that traffic will have the lowest latency.

DNS Racing can be done with 2 or more providers and permits scaling network bandwidth horizontally by adding more providers. In theory up to 14 different ISPs/IPs could be used to do the delivery.

It is a poor man's replacement for BGP multihoming and IP anycast.

For those that want a full explanation and an implementation guide:
http://blog.hk.com/index.php?/archives/84-DNS-Racing.-Multi-ISP-load-balancing-with-failover-using-DNS..html

Hey it is Free and you can implement it using BIND.

Regards,
Maren.
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 5/29/2011 5:12 PM, Maren S. Leizaola wrote:
> It is a poor man's replacement for BGP multihoming and IP anycast.
> Hey it is Free and you can implement it using BIND.

And you've just broken DNSSEC.

AlanC
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
And if people used happy-eyeballs[1] or similar[2] in the applications this would not be needed. Chrome already does this with their latest browser. It uses a 300ms timer to switch to the next address.

Happy-eyeballs was primarily written to deal with broken 6to4 links but the techniques are applicable to any multi-homed service be it IPv4 only, IPv6 only or a mixture of IPv4 and IPv6.

Mark

[1] http://tools.ietf.org/html/draft-wing-v6ops-happy-eyeballs-ipv6-01
[2] https://www.isc.org/community/blog/201101/how-to-connect-to-a-multi-homed-server-over-tcp

In message <4de2c00b.6090...@isc.org>, Alan Clegg writes:
> On 5/29/2011 5:12 PM, Maren S. Leizaola wrote:
>> It is a poor man's replacement for BGP multihoming and IP anycast.
>> Hey it is Free and you can implement it using BIND.
>
> And you've just broken DNSSEC.
>
> AlanC

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
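The application-side alternative Mark points to, as an added example that is not code from the thread, from Chrome or from BIND: a Happy Eyeballs-style connection race that starts the next address after a 300 ms stagger (the timer mentioned above), starts it immediately if the previous attempt fails hard, and cancels the losers once one attempt succeeds. Real sockets are replaced by a constructed connector so the block runs offline; the function names, the per-address outcome table and the default overall timeout are assumptions for this example.

```python
import asyncio
from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple, Union

STAGGER_S = 0.3  # the 300 ms timer: how long to give an attempt before starting the next


async def race_connect(addrs: Sequence[str],
                       connect: Callable[[str], Awaitable[object]],
                       stagger: float = STAGGER_S,
                       timeout: float = 5.0) -> Tuple[str, object]:
    """Start connect(addr) for each address in turn, `stagger` seconds apart
    (sooner if the running attempt fails). First success wins; the rest are
    cancelled. Raises OSError when nothing succeeds before `timeout`."""
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    attempts: Dict[asyncio.Task, str] = {}   # task -> address it is trying
    errors: Dict[str, BaseException] = {}
    next_addr = 0
    try:
        while True:
            if next_addr < len(addrs):
                addr = addrs[next_addr]
                attempts[asyncio.create_task(connect(addr))] = addr
                next_addr += 1
                wait_for = stagger
            else:
                wait_for = timeout  # nothing left to start; wait for stragglers
            pending = [t for t in attempts if not t.done()]
            wait_for = min(wait_for, deadline - loop.time())
            if not pending or wait_for <= 0:
                break
            done, _ = await asyncio.wait(pending, timeout=wait_for,
                                         return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                if task.exception() is None:
                    return attempts[task], task.result()
                errors[attempts[task]] = task.exception()  # hard failure: loop starts the next
    finally:
        for task in attempts:
            if not task.done():
                task.cancel()
    raise OSError(f"no address answered within {timeout}s: {errors}")


Outcome = Union[float, str, None]


def make_fake_connect(paths: Dict[str, Outcome]) -> Callable[[str], Awaitable[str]]:
    """Constructed stand-in for a TCP connect. Per address: a float is the
    seconds until the handshake completes, "refused" is an immediate RST,
    None is a black-holed path (the ISP/routing failure case) that never answers."""
    async def connect(addr: str) -> str:
        outcome = paths[addr]
        if outcome is None:
            await asyncio.Event().wait()  # never set: packets simply vanish
        if outcome == "refused":
            raise ConnectionRefusedError(addr)
        await asyncio.sleep(float(outcome))
        return f"connected:{addr}"
    return connect


def pick_path(paths: Dict[str, Outcome], stagger: float = STAGGER_S,
              timeout: float = 2.0) -> Optional[str]:
    """Run one race over the constructed paths; the winning address, or None."""
    async def run():
        try:
            addr, _ = await race_connect(list(paths), make_fake_connect(paths), stagger, timeout)
            return addr
        except OSError:
            return None
    return asyncio.run(run())


if __name__ == "__main__":
    # Host reachable via two ISPs; the path through the first one is black-holed.
    print(pick_path({"192.0.2.10": None, "198.51.100.10": 0.05}))   # 198.51.100.10
    # Both reachable, first ISP slow: the second attempt finishes first.
    print(pick_path({"192.0.2.10": 0.5, "198.51.100.10": 0.05}))    # 198.51.100.10
    # First ISP answers inside the 300 ms window; the second is never started.
    print(pick_path({"192.0.2.10": 0.1, "198.51.100.10": 0.05}))    # 192.0.2.10
```

This is why the client-side approach keeps availability that DNS-side filtering loses: the resolver hands back every address with its signatures intact, and the application does its own failover with the full set in hand.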
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
Warren Kumari
-- Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On May 29, 2011, at 5:52 PM, Alan Clegg <acl...@isc.org> wrote:
> On 5/29/2011 5:12 PM, Maren S. Leizaola wrote:
>> It is a poor man's replacement for BGP multihoming and IP anycast.
>> Hey it is Free and you can implement it using BIND.
>
> And you've just broken DNSSEC.

Um, how? Surely you can just sign the responses, same as any others? Maybe I'm missing something obvious, but this just looks like normal DNS LB...

W

> AlanC
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
In message <2c591af8-860d-45a5-9f3a-3603f3733...@kumari.net>, Warren Kumari writes:
> Um, how? Surely you can just sign the responses, same as any others? Maybe I'm missing something obvious, but this just looks like normal DNS LB...
>
> W

It depends on who is doing the modification. From the description it looks like this would be being done in the recursive nameserver as it has view into site reachability which won't work with DNSSEC.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
Warren Kumari
-- Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On May 29, 2011, at 9:32 PM, Mark Andrews <ma...@isc.org> wrote:
> In message <2c591af8-860d-45a5-9f3a-3603f3733...@kumari.net>, Warren Kumari writes:
>> Um, how? Surely you can just sign the responses, same as any others? Maybe I'm missing something obvious, but this just looks like normal DNS LB...
>>
>> W
>
> It depends on who is doing the modification. From the description it looks like this would be being done in the recursive nameserver as it has view into site reachability which won't work with DNSSEC.

Oh, well, yeah, there you go then...

Thanks,
W

> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
bind 9 - lwresd - lwres_getrrsetbyname, load balancing doesn't work
Hi,

I run a bind name server as lwresd and use lwres_getrrsetbyname to resolve a domain name, but for some reason I always get the records in the same order (priority). When I bypass lwres_getrrsetbyname and use nslookup to resolve a domain name, the daemon returns the records in the order I set by adding the rrset-order option to the configuration file.

Do you have a clue what could be the problem? Is it possible that the light weight resolver doesn't support load balancing in lwres mode?

Thanks,
Nati
Re: How does load balancing operate on 1 forwarders
A long time ago it used to be in turn, but all current versions of BIND sort the forwarders based on a preference value (SRTT) that's derived from the RTT of previous query/query response interactions, with a 'time since we last tried this server' incorporated so that servers that aren't top of the preference list are periodically re-used.

It also means that if a server becomes unavailable, it gets time-penalised and therefore the others of the group will be used instead until the penalty has decreased over time - at which point, if it's back and running once more then it's going to be selected (or not) as before on 'nearness'.

You can see the SRTT value of nameservers in the ADB section of the cache dump (from rndc dumpdb). Smaller values are preferred.

What version are you using?

Jonathan Reed wrote:
> I have the forwarders statement to fwd queries to a few DNS servers on my LAN.
>
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; }
>
> The bind documentation says that these fwders are queried in turn, but what exactly does that mean? I understand it to mean that they are not round robined and if the answer is found from the first IP then it stops there and returns the query to the client. But assume that .1 goes unreachable. What is the timeout used to query the next forwarder in the list? And is this timeout modifiable?
Re: How does load balancing operate on 1 forwarders
bind 9.6.1-P2. I've dumped it to its file.

$ sudo rndc dumpdb
$ cat named_dump.db
...
; Unassociated entries
;
; 10.0.0.3 [srtt 610620] [flags 2000] [ttl 1721]
; 10.0.0.2 [srtt 16654] [flags 2000] [ttl 1721]
; 10.0.0.1 [srtt 375289] [flags 2000] [ttl 1721]
...

So I can assume that srtt with the lowest value has the best metric? And the ttl of 1721 is the timeout of 1.7 seconds? Am I reading that right?

On Mon, Apr 19, 2010 at 4:26 AM, Cathy Almond <cat...@isc.org> wrote:
> A long time ago it used to be in turn, but all current versions of BIND sort the forwarders based on a preference value (SRTT) that's derived from the RTT of previous query/query response interactions, with a 'time since we last tried this server' incorporated so that servers that aren't top of the preference list are periodically re-used.
>
> It also means that if a server becomes unavailable, it gets time-penalised and therefore the others of the group will be used instead until the penalty has decreased over time - at which point, if it's back and running once more then it's going to be selected (or not) as before on 'nearness'.
>
> You can see the SRTT value of nameservers in the ADB section of the cache dump (from rndc dumpdb). Smaller values are preferred.
>
> What version are you using?
>
> Jonathan Reed wrote:
>> I have the forwarders statement to fwd queries to a few DNS servers on my LAN.
>>
>> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; }
>>
>> The bind documentation says that these fwders are queried in turn, but what exactly does that mean? I understand it to mean that they are not round robined and if the answer is found from the first IP then it stops there and returns the query to the client. But assume that .1 goes unreachable. What is the timeout used to query the next forwarder in the list? And is this timeout modifiable?
Re: How does load balancing operate on 1 forwarders
In message <t2q9876b68c1004190706v21144cb2i9193d71694804...@mail.gmail.com>, Jonathan Reed writes:
> bind 9.6.1-P2. I've dumped it to its file.
>
> $ sudo rndc dumpdb
> $ cat named_dump.db
> ...
> ; Unassociated entries
> ;
> ; 10.0.0.3 [srtt 610620] [flags 2000] [ttl 1721]
> ; 10.0.0.2 [srtt 16654] [flags 2000] [ttl 1721]
> ; 10.0.0.1 [srtt 375289] [flags 2000] [ttl 1721]
> ...
>
> So I can assume that srtt with the lowest value has the best metric? And the ttl of 1721 is the timeout of 1.7 seconds? Am I reading that right?

ttl is the time to live of the adb entry (secs).

srtt (smoothed round trip time) is used to select the server (usecs).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
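Cathy's description of SRTT-based forwarder selection and the named_dump.db lines Jonathan quoted, with Mark's units, as an added example that is not BIND's code: a parser for those ADB lines that ranks forwarders the way named prefers them (lowest SRTT first), plus a deliberately simplified tracker showing the shape of the behaviour described, RTT smoothing, a penalty on timeout that pushes a server down the list, and periodic re-probing of servers that have not been tried for a while. The dump excerpt is constructed from the three lines in the thread; the smoothing weights, the penalty size and the probe interval are assumptions for illustration, not named's actual constants.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# One address line from the ADB "Unassociated entries" block of named_dump.db,
# e.g. "; 10.0.0.2 [srtt 16654] [flags 2000] [ttl 1721]". Per Mark's answer,
# srtt is in microseconds and ttl is the ADB entry's remaining lifetime in seconds.
ADB_LINE = re.compile(
    r"^;\s+(?P<addr>[0-9A-Fa-f.:]+)\s+\[srtt (?P<srtt>\d+)\]"
    r"\s+\[flags (?P<flags>[0-9A-Fa-f]+)\]\s+\[ttl (?P<ttl>\d+)\]"
)

# Constructed excerpt built from the three lines quoted in the thread.
SAMPLE_DUMP = """\
; Unassociated entries
;
; 10.0.0.3 [srtt 610620] [flags 2000] [ttl 1721]
; 10.0.0.2 [srtt 16654] [flags 2000] [ttl 1721]
; 10.0.0.1 [srtt 375289] [flags 2000] [ttl 1721]
"""


@dataclass
class AdbEntry:
    addr: str
    srtt_us: int
    flags: int
    ttl_s: int

    @property
    def srtt_ms(self) -> float:
        return self.srtt_us / 1000.0


def parse_adb(dump_text: str) -> List[AdbEntry]:
    """Pull the per-address entries out of an rndc dumpdb output."""
    entries = []
    for line in dump_text.splitlines():
        m = ADB_LINE.match(line.strip())
        if m:
            entries.append(AdbEntry(m["addr"], int(m["srtt"]), int(m["flags"], 16), int(m["ttl"])))
    return entries


def rank_by_srtt(entries: Sequence[AdbEntry]) -> List[str]:
    """Lowest SRTT first: the order in which named prefers the forwarders."""
    return [e.addr for e in sorted(entries, key=lambda e: e.srtt_us)]


@dataclass
class ForwarderTracker:
    """Simplified model (an assumption for this example, not named's algorithm):
    measured RTTs are smoothed into an SRTT, a timeout inflates the SRTT so the
    server drops down the list, and a server untried for `probe_after` seconds
    is retried so that a recovered server can earn its place back."""
    srtt_us: Dict[str, int] = field(default_factory=dict)
    last_tried: Dict[str, float] = field(default_factory=dict)
    probe_after: float = 60.0
    timeout_penalty_us: int = 1_000_000

    def observe(self, addr: str, rtt_us: int, now: float) -> None:
        old = self.srtt_us.get(addr)
        # 0.7/0.3 weights are an assumption; any EWMA gives the same shape
        self.srtt_us[addr] = rtt_us if old is None else (old * 7 + rtt_us * 3) // 10
        self.last_tried[addr] = now

    def timed_out(self, addr: str, now: float) -> None:
        self.srtt_us[addr] = self.srtt_us.get(addr, 0) * 2 + self.timeout_penalty_us
        self.last_tried[addr] = now

    def choose(self, addrs: Sequence[str], now: float) -> str:
        never = float("-inf")
        stale = [a for a in addrs if now - self.last_tried.get(a, never) > self.probe_after]
        if stale:  # periodic re-use: probe the one left untried the longest
            return min(stale, key=lambda a: self.last_tried.get(a, never))
        return min(addrs, key=lambda a: self.srtt_us.get(a, 0))


if __name__ == "__main__":
    entries = parse_adb(SAMPLE_DUMP)
    for e in sorted(entries, key=lambda e: e.srtt_us):
        print(f"{e.addr:10} srtt {e.srtt_ms:9.3f} ms  ttl {e.ttl_s} s")
    print("preference order:", rank_by_srtt(entries))
```

On the dump in the thread this ranks 10.0.0.2 (16.654 ms) ahead of 10.0.0.1 (375 ms) and 10.0.0.3 (610 ms), which is consistent with Cathy's note that smaller values are preferred; the 1721 is how long the entry stays in the ADB, not a query timeout.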
How does load balancing operate on 1 forwarders
I have the forwarders statement to fwd queries to a few DNS servers on my LAN.

forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; }

The bind documentation says that these fwders are queried in turn, but what exactly does that mean? I understand it to mean that they are not round robined and if the answer is found from the first IP then it stops there and returns the query to the client. But assume that .1 goes unreachable. What is the timeout used to query the next forwarder in the list? And is this timeout modifiable?