RE: Can I have Inbound load balancing achieved with below settings
> From a networking perspective though (in a multi-homed environment)... this
> really should be handled by using IGRP and AS numbers. In a situation where
> the link is bouncing, there may be sporadic packets getting through the link.
> IE the DNS gets back 1.1.1.1 but on the next packet it's down again.

Using an AS number and IGRP you don't need to have different DNS servers providing different IP addresses for the same server. You simply provide the same IP address out of both links and the routers (in determining best route) choose which router to take, via ISP 1 or ISP 2, which serves up the same information. This is also important for applications like Apache when handling session information, as a cookie at 1.1.1.1 is different than a cookie at 2.2.2.2 (if security is enforced properly). The below configuration can also make SSL difficult; a lot of application layer stuff can go wrong when the link starts bouncing or is intermittent, which IGRP and ASN can handle transparently. IMHO trying to solve this via DNS is really complicating the issue far more than it needs to be.

Date: Wed, 13 Nov 2013 10:46:23 +0530
Subject: Can I have Inbound load balancing achieved with below settings
From: manish...@gmail.com
To: bind-users@lists.isc.org

Hey Fellas,

I am thinking on this perspective, need some help on this. Please guide me if I am wrong or let me know if I can achieve the stuff.

1. I have a firewall with TWO ISP links, let's assume ISP1 and ISP2. And then I have internal webserver www.foobar.com with IP 192.168.1.10
2. I have natted 192.168.1.10 with ISP1 and ISP2 Public IP addresses
   1.1.1.1 [ISP1] ==> 192.168.1.10 Port 80
   2.2.2.2 [ISP2] ==> 192.168.1.10 Port 80
3. NS server for foobar.com is on Internet, let's assume ns.xyz.com. Added a sub-domain www.foobar.com
4. Now this sub-domain www.foobar.com is on BIND server and kept it in my network, say IP 192.168.1.20, which is again natted with Public IP addresses for ISP1 [1.1.1.10] and ISP2 [2.2.2.20]
5. So, if both the links are up, client coming on either of the link would get both the IP addresses
6. Assume if ISP1 goes down, client coming on ISP1 would never be able to reach; hence as per DNS protocol will try for another link and come on ISP2 and then probably get an IP address of Link 2 i.e. 2.2.2.2.
7. I am sure in this case he would get both the IP addresses even if he is coming from other link; that's what puzzles me, or wondering if I can return only IP of ISP2 in case ISP1 is down? That way I achieve HA or loadbalance?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Can I have Inbound load balancing achieved with below settings
In article , Blake Hudson wrote:

> Phil Mayers wrote the following on 11/14/2013 2:39 AM:
>> I think there are better solutions than publishing an enormous list of
>> A/ records, personally, and I think it's good that browser
>> manufacturers aren't blasting out 6 SYNs every time someone types
>> www.google.com...
>
> On a related note, I have seen recent Comtrend DSL modems (w/ integrated
> router and DNS cache) send out parallel DNS requests to both of the
> configured DNS servers. The debug log on the modem indicates that the
> modem throws away latter responses.

Novell's LAN Workplace for DOS client used to issue simultaneous DNS requests to all configured resolvers. IIRC "all" meant a maximum of 3. You could add more servers to its resolv.conf equivalent (RESOLV.CFG?) but it ignored all but the first three.

Sam

-- 
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Can I have Inbound load balancing achieved with below settings
Phil Mayers wrote the following on 11/14/2013 2:39 AM:
> On 13/11/13 22:21, Carl Byington wrote:
>> On Wed, 2013-11-13 at 16:49 -0500, Barry Margolin wrote:
>>> It means that users will have to wait for an arbitrary number of
>>> timeouts before the browser can give them an error message.
>>
>> Well, the browser *could* of course give a message like "I have tried $N
>> out of $M possible ip addresses with no success - do you want to abandon
>> this?" at any time while trying that collection of ip addresses.
>>
>> The other approach is to try them all in parallel, sort of like ipv4 and
>> ipv6 parallel connection attempts in http://tools.ietf.org/html/rfc6555
>
> Parallel is bad - they *should* be staggered by $RTT*$FACTOR, otherwise
> you just flood the link with SYN & SYN/ACK packets, all but one of which
> are wasted, and may have consumed bandwidth, buffer space, NAT and
> firewall session resources, to name but a few.
>
> I think there are better solutions than publishing an enormous list of
> A/ records, personally, and I think it's good that browser manufacturers
> aren't blasting out 6 SYNs every time someone types www.google.com...

On a related note, I have seen recent Comtrend DSL modems (w/ integrated router and DNS cache) send out parallel DNS requests to both of the configured DNS servers. The debug log on the modem indicates that the modem throws away latter responses.

I agree that staggered might be a softer approach that is less resource intensive and will likely achieve the same (or perhaps better) result if all services are working. In the case of degraded service, the more aggressive parallel client will likely be faster. As a server and network admin, I guess we have to anticipate and prepare for clients that might be considered borderline abusive.

--Blake
Re: Can I have Inbound load balancing achieved with below settings
On 13/11/13 22:21, Carl Byington wrote:
> On Wed, 2013-11-13 at 16:49 -0500, Barry Margolin wrote:
>> It means that users will have to wait for an arbitrary number of
>> timeouts before the browser can give them an error message.
>
> Well, the browser *could* of course give a message like "I have tried $N
> out of $M possible ip addresses with no success - do you want to abandon
> this?" at any time while trying that collection of ip addresses.
>
> The other approach is to try them all in parallel, sort of like ipv4 and
> ipv6 parallel connection attempts in http://tools.ietf.org/html/rfc6555

Parallel is bad - they *should* be staggered by $RTT*$FACTOR, otherwise you just flood the link with SYN & SYN/ACK packets, all but one of which are wasted, and may have consumed bandwidth, buffer space, NAT and firewall session resources, to name but a few.

I think there are better solutions than publishing an enormous list of A/ records, personally, and I think it's good that browser manufacturers aren't blasting out 6 SYNs every time someone types www.google.com...
Re: Can I have Inbound load balancing achieved with below settings
In message <661ca5ab225cad04bdcc3831c6964...@tux.org>, Joseph S D Yao writes:
> On 2013-11-13 16:44, Mark Andrews wrote:
> ...
>> RFC 1123 (October 1989) applies to all applications on all hosts.
>> Note "SHOULD" and "until".
> ...
>
> Mark, I've always read "SHOULD" here as more of a plaintive hope than
> anything else. People have certainly felt free to ignore it. Yes, that
> makes their software "broken" if you are reading "SHOULD" as almost a
> "MUST".

Which is how it is defined in the RFC.

    *"SHOULD"
    This word or the adjective "RECOMMENDED" means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before choosing a different course.

We have "MAY" for the plaintive hope case.

    *"MAY"
    This word or the adjective "OPTIONAL" means that this item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because it enhances the product, for example; another vendor may omit the same item.

I just wish vendors were required to publish the analysis that led them to not follow a SHOULD. I'd love to hear NETGEAR's analysis of why their DNS proxy doesn't talk TCP in the router I have here at home and see if it passes the laugh test.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Can I have Inbound load balancing achieved with below settings
On 2013-11-13 16:44, Mark Andrews wrote:
...
> RFC 1123 (October 1989) applies to all applications on all hosts.
> Note "SHOULD" and "until".
...

Mark, I've always read "SHOULD" here as more of a plaintive hope than anything else. People have certainly felt free to ignore it. Yes, that makes their software "broken" if you are reading "SHOULD" as almost a "MUST".

Joe Yao
Re: Can I have Inbound load balancing achieved with below settings
In message , Barry Margolin writes:
> In article ,
> Mark Andrews wrote:
>
>> No, there is no such requirement. The browsers are just BROKEN if
>> they don't try all the offered addresses. All browsers were
>> written after RFC 1123 was published.
>
> That attitude should probably be moderated when interactive applications
> are involved. It means that users will have to wait for an arbitrary
> number of timeouts before the browser can give them an error message.

And there is no requirement to wait 30 seconds for the next connection attempt. In the 80's, if it took more than 1 or 2 seconds to connect you could assume it wasn't going to succeed and be right 99.99% of the time. With happy eyeballs the second and subsequent connection attempts start in less than a second (~100-200ms) after the previous one and you abandon redundant successful connections. While happy eyeballs was looking at IPv4/IPv6, that is only a special case of multi-homed servers.

> The requirement is stated as a SHOULD, not a MUST. This gives latitude
> to the application designer to trade off reliability and usability.

So rather than doing staggered parallel connects, which would have given them reliability and usability, they decided to throw away reliability. Non blocking connects have existed since before the first web browser was written.

> --
> Barry Margolin
> Arlington, MA

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
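The client behaviour Mark and Phil describe above (RFC 1123 2.3 "try multiple addresses until success", with attempts staggered rather than fired in parallel, and redundant connections abandoned) is easy to demonstrate in code. The block below is an added example, not code from this thread or from ISC; the `connector` abstraction, the stagger and timeout values, and the fake connector that stands in for the network are all constructed for the illustration. The addresses are the 1.1.1.1 / 2.2.2.2 pair from the original post.

```python
"""Added example: 'happy eyeballs' style staggered connection attempts over
the address list a multi-homed name resolves to. The first address is tried
at once; each later one starts after `stagger` seconds, or sooner if the
previous attempt has already failed. The first success wins and the remaining
attempts are cancelled, so a dead first link costs one stagger interval
instead of a full connect timeout."""
import asyncio
from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple

# A connector takes an address and resolves to it on success or raises OSError.
Connector = Callable[[str], Awaitable[str]]


async def connect_staggered(addrs: Sequence[str], connector: Connector,
                            stagger: float = 0.2, timeout: float = 2.0) -> str:
    """Return the first address that connects; raise OSError if none does
    before `timeout` seconds have elapsed in total."""
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    pending = set()
    errors = []
    nxt = 0
    while nxt < len(addrs) or pending:
        if nxt < len(addrs):
            # Start the next attempt without waiting for the previous to fail.
            pending.add(asyncio.create_task(connector(addrs[nxt])))
            nxt += 1
        # Wait one stagger interval while addresses remain, else until the deadline.
        remaining = max(0.0, deadline - loop.time())
        wait = min(stagger, remaining) if nxt < len(addrs) else remaining
        done, pending = await asyncio.wait(pending, timeout=wait,
                                           return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for p in pending:
                    p.cancel()          # abandon the redundant attempts
                return task.result()
            errors.append(task.exception())
        if loop.time() >= deadline:
            break
    for p in pending:
        p.cancel()
    raise OSError(f"no address reachable: {errors or 'timed out'}")


async def tcp_connector(addr: str, port: int = 80) -> str:
    """Real connector for use outside the offline demo: a plain TCP connect."""
    _, writer = await asyncio.open_connection(addr, port)
    writer.close()
    await writer.wait_closed()
    return addr


def make_fake_connector(outcomes: Dict[str, Tuple[float, bool]]) -> Connector:
    """Constructed stand-in for the network: outcomes maps an address to
    (seconds before it answers, whether the connect succeeds). A link that
    blackholes SYNs is modelled as a long delay."""
    async def connector(addr: str) -> str:
        delay, ok = outcomes[addr]
        await asyncio.sleep(delay)
        if not ok:
            raise ConnectionRefusedError(f"{addr}: refused (simulated)")
        return addr
    return connector


def connect_first(addrs: Sequence[str], outcomes: Dict[str, Tuple[float, bool]],
                  stagger: float = 0.2, timeout: float = 2.0) -> Optional[str]:
    """Synchronous wrapper around the fake network: the winning address,
    or None when every address failed or the overall timeout expired."""
    try:
        return asyncio.run(connect_staggered(addrs, make_fake_connector(outcomes),
                                             stagger, timeout))
    except OSError:
        return None


if __name__ == "__main__":
    addrs = ["1.1.1.1", "2.2.2.2"]
    # ISP1 link blackholed, ISP2 answering: the client is served via 2.2.2.2
    # after roughly one stagger interval, not after a 30 second timeout.
    print(connect_first(addrs, {"1.1.1.1": (10.0, True), "2.2.2.2": (0.05, True)}))
```

The `wait` computation is what makes this staggered rather than parallel: while addresses remain, the loop sleeps at most one stagger interval before launching the next attempt, but a failure wakes it immediately. Once every address has been started it waits only for the overall deadline. Cancelling the losers on the first success releases the sockets (and the NAT and firewall state Phil mentions) that the redundant attempts were holding.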
Re: Can I have Inbound load balancing achieved with below settings
On Wed, 2013-11-13 at 16:49 -0500, Barry Margolin wrote:
> It means that users will have to wait for an arbitrary
> number of timeouts before the browser can give them an error message.

Well, the browser *could* of course give a message like "I have tried $N out of $M possible ip addresses with no success - do you want to abandon this?" at any time while trying that collection of ip addresses.

The other approach is to try them all in parallel, sort of like ipv4 and ipv6 parallel connection attempts in http://tools.ietf.org/html/rfc6555
Re: Can I have Inbound load balancing achieved with below settings
In article , Mark Andrews wrote:

> No, there is no such requirement. The browsers are just BROKEN if
> they don't try all the offered addresses. All browsers were
> written after RFC 1123 was published.

That attitude should probably be moderated when interactive applications are involved. It means that users will have to wait for an arbitrary number of timeouts before the browser can give them an error message.

The requirement is stated as a SHOULD, not a MUST. This gives latitude to the application designer to trade off reliability and usability.

-- 
Barry Margolin
Arlington, MA
Re: Can I have Inbound load balancing achieved with below settings
In message , Joseph S D Yao writes:
> On 2013-11-13 00:16, Manish Rane wrote:
> ...
>> 6. Assume if ISP1 goes down, client coming on ISP1 would never be able
>> to reach; hence as per DNS protocol will try for another link and come
>> on ISP2 and then probably get an IP address of Link 2 i.e. 2.2.2.2.
> ...
>
> I'm not sure about your DNS setup, because I didn't understand how you
> described it. But that doesn't matter.
>
> Even if you 100% properly did what you intended to do, it breaks down
> at step 6. The DNS protocol definitions only go as far as saying what
> your BIND DNS server will return. Importantly (for this answer), it
> does NOT say (a) what a remote user's caching/resolving name server will
> actually do with your responses, or (b) what the actual application will
> do with your responses.
>
> If the application is an SMTP server or another DNS server then, yes,
> BY THE DEFINITION OF THAT PROTOCOL, it will try again for another
> server.

RFC 1123 (October 1989) applies to all applications on all hosts. Note "SHOULD" and "until".

    2.3 Applications on Multihomed hosts

    When the remote host is multihomed, the name-to-address translation will return a list of alternative IP addresses. As specified in Section 6.1.3.4, this list should be in order of decreasing preference. Application protocol implementations SHOULD be prepared to try multiple addresses from the list until success is obtained. More specific requirements for SMTP are given in Section 5.3.4.

    When the local host is multihomed, a UDP-based request/response application SHOULD send the response with an IP source address that is the same as the specific destination address of the UDP request datagram. The "specific destination address" is defined in the "IP Addressing" section of the companion RFC [INTRO:1].

    Similarly, a server application that opens multiple TCP connections to the same client SHOULD use the same local IP address for all.

> If the application is a Web browser - which is likely, given that you
> mention port 80, presumably TCP - then it will only look at one of the
> two IP addresses [for almost all currently available Web browsers]. If
> it gets a bad one, it will return the user an error. Because that is
> how THAT protocol is defined. Most protocols are not defined to re-try
> different servers.

No, there is no such requirement. The browsers are just BROKEN if they don't try all the offered addresses. All browsers were written after RFC 1123 was published.

> What you are trying to do is what the F5 BigIP GTM does - only return
> the IP address for a known-working site. There's a reason that F5 can
> sell those boxes - they work where doing this in pure DNS does not.
>
> Joe Yao

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Can I have Inbound load balancing achieved with below settings
On 2013-11-13 00:16, Manish Rane wrote:
...
> 6. Assume if ISP1 goes down, client coming on ISP1 would never be able to
> reach; hence as per DNS protocol will try for another link and come on
> ISP2 and then probably get an IP address of Link 2 i.e. 2.2.2.2.
...

I'm not sure about your DNS setup, because I didn't understand how you described it. But that doesn't matter.

Even if you 100% properly did what you intended to do, it breaks down at step 6. The DNS protocol definitions only go as far as saying what your BIND DNS server will return. Importantly (for this answer), it does NOT say (a) what a remote user's caching/resolving name server will actually do with your responses, or (b) what the actual application will do with your responses.

If the application is an SMTP server or another DNS server then, yes, BY THE DEFINITION OF THAT PROTOCOL, it will try again for another server.

If the application is a Web browser - which is likely, given that you mention port 80, presumably TCP - then it will only look at one of the two IP addresses [for almost all currently available Web browsers]. If it gets a bad one, it will return the user an error. Because that is how THAT protocol is defined. Most protocols are not defined to re-try different servers.

What you are trying to do is what the F5 BigIP GTM does - only return the IP address for a known-working site. There's a reason that F5 can sell those boxes - they work where doing this in pure DNS does not.

Joe Yao
Can I have Inbound load balancing achieved with below settings
Hey Fellas,

I am thinking on this perspective, need some help on this. Please guide me if I am wrong or let me know if I can achieve the stuff.

1. I have a firewall with TWO ISP links, let's assume ISP1 and ISP2. And then I have internal webserver www.foobar.com with IP 192.168.1.10
2. I have natted 192.168.1.10 with ISP1 and ISP2 Public IP addresses
   1.1.1.1 [ISP1] ==> 192.168.1.10 Port 80
   2.2.2.2 [ISP2] ==> 192.168.1.10 Port 80
3. NS server for foobar.com is on Internet, let's assume ns.xyz.com. Added a sub-domain www.foobar.com
4. Now this sub-domain www.foobar.com is on BIND server and kept it in my network, say IP 192.168.1.20, which is again natted with Public IP addresses for ISP1 [1.1.1.10] and ISP2 [2.2.2.20]
5. So, if both the links are up, client coming on either of the link would get both the IP addresses
6. Assume if ISP1 goes down, client coming on ISP1 would never be able to reach; hence as per DNS protocol will try for another link and come on ISP2 and then probably get an IP address of Link 2 i.e. 2.2.2.2.
7. I am sure in this case he would get both the IP addresses even if he is coming from other link; that's what puzzles me, or wondering if I can return only IP of ISP2 in case ISP1 is down? That way I achieve HA or loadbalance?
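Point 7 of the question above asks whether the BIND server can answer with only ISP2's address while ISP1 is down, and Joe Yao's reply describes that as the health-check-driven approach an F5 GTM takes. The block below is an added example of that approach, written for this thread and not taken from the thread, BIND or F5: an external monitor probes the two public NAT addresses, and a zone file for the delegated www.foobar.com zone is generated from the results with a short TTL. The addresses are the ones from the post; the name-server host names (ns1/ns2.www.foobar.com), the hostmaster address, the SOA timers and the probe results are assumptions made for the example.

```python
"""Added example: build the A RRset for the delegated www.foobar.com zone from
health-check results, so that only the address of a link that is currently
answering is published. Probe results are constructed for the offline demo."""
import socket
from typing import Dict, List, Sequence

# Public NAT addresses of the web server and of the BIND server, per the post.
WEB_ADDRS = ["1.1.1.1", "2.2.2.2"]
NS_ADDRS = {"ns1": "1.1.1.10", "ns2": "2.2.2.20"}   # host names are assumed
TTL = 30   # short TTL so resolvers re-ask soon after a link changes state


def probe_tcp(addr: str, port: int = 80, timeout: float = 2.0) -> bool:
    """Real health check (not used offline): can a TCP connect to the public
    address complete? Run it from a vantage point outside both ISP links,
    otherwise the probe may take the one working path and see both as up."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def healthy_addresses(addrs: Sequence[str], results: Dict[str, bool]) -> List[str]:
    """Addresses whose probe succeeded. If every probe failed, fall open and
    keep publishing all of them: an empty answer would take the site down
    even when it is the monitor, not the links, that broke."""
    up = [a for a in addrs if results.get(a, False)]
    return up if up else list(addrs)


def next_serial(current: int, today: str) -> int:
    """YYYYMMDDnn serial: today's first serial, or one past the current one
    if a zone has already been published today. `today` is YYYYMMDD."""
    return max(int(today) * 100, current + 1)


def build_zone(serial: int, web_addrs: Sequence[str]) -> str:
    """Zone file text for www.foobar.com with the given apex A records."""
    lines = [
        "$ORIGIN www.foobar.com.",
        f"$TTL {TTL}",
        f"@ IN SOA ns1.www.foobar.com. hostmaster.foobar.com. "
        f"( {serial} 3600 600 604800 {TTL} )",
    ]
    for ns, addr in NS_ADDRS.items():
        lines.append(f"@ IN NS {ns}.www.foobar.com.")
        lines.append(f"{ns} IN A {addr}")        # glue for the assumed NS names
    lines.extend(f"@ IN A {a}" for a in web_addrs)
    return "\n".join(lines) + "\n"


def publish(results: Dict[str, bool], current_serial: int, today: str) -> str:
    """One monitor cycle: pick healthy addresses, bump the serial, render."""
    addrs = healthy_addresses(WEB_ADDRS, results)
    return build_zone(next_serial(current_serial, today), addrs)


if __name__ == "__main__":
    # Constructed result: ISP1's address failed its probe, ISP2's passed.
    print(publish({"1.1.1.1": False, "2.2.2.2": True}, 2013111300, "20131113"))
```

In use, the monitor would write this text over the zone file and reload it only when the RRset or serial changed. Two limits follow from Joe's reply: the parent zone at ns.xyz.com must delegate www.foobar.com to both 1.1.1.10 and 2.2.2.20 with glue, and the 30 second TTL only bounds how long a remote resolver keeps handing out the dead address; resolvers that clamp small TTLs upward, and applications that cache the answer themselves, will still hold 1.1.1.1 for a while after the link fails.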