[H-GEN] DNS Load sharing

David Findlay david at davsoft.com.au
Thu Oct 17 05:16:59 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]


Has anyone had problems with DNS replies from DNS server farms? One very large 
ISP has recently changed from a single primary and single secondary DNS 
server to one DNS server farm, run by a load balancer of some sort. They now 
tell you not to put anything in as a secondary, only to enter a primary in 
your settings. I believe that this is not a good idea.

Also, when you send a DNS lookup to their farm, you send it to address X which 
is the load balancer. Then box Y behind the load balancer responds to you 
directly. This basically means that you have to open your firewall to DNS 
replies from all their boxes, and when they add a new one, or change 
something you have to go and change all your settings. This can be difficult 
if you maintain a large number of routers. They are saying that you should 
open port 53 wide open. I don't think that this is a very good idea if you 
want a secure network. 

So here's the question. With load balancing, are all replies supposed to 
appear to come from the load balancer external address, or not? Thanks,

David

-- 
If you give someone a program, you will frustrate them for a day. If you teach 
them how to program, you will frustrate them for a lifetime.


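The firewall problem the post describes, as an added example that is not from the post or its author: a small Python model of an inbound UDP/53 reply filter under the three policies in play (port 53 wide open, a strict stateful rule where the reply must come from the address that was queried, and a stateful rule with an allowlist of the farm's member addresses). The load balancer address X, the farm members Y and the client address are constructed documentation-range values, not the ISP's real ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (not from the post). X is the load balancer's
# external address; the farm members are the boxes "Y" that answer directly.
LOAD_BALANCER = "192.0.2.10"
FARM_MEMBERS = ["192.0.2.11", "192.0.2.12"]
CLIENT = "198.51.100.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int  # DNS transaction ID carried in the query and its reply


class DnsReplyFilter:
    """Decide whether an inbound UDP/53 reply may enter, under one policy."""

    def __init__(self, policy, allowed_replyers=()):
        self.policy = policy
        self.allowed = [ip_network(a) for a in allowed_replyers]
        self.pending = {}  # (client ip, client port, txid) -> resolver queried

    def outbound(self, pkt):
        # Remember each query we sent so replies can be matched against it.
        if pkt.dport == 53:
            self.pending[(pkt.src, pkt.sport, pkt.txid)] = pkt.dst

    def inbound(self, pkt):
        if pkt.sport != 53:
            return False
        if self.policy == "wide_open":
            return True  # the ISP's advice: anything from port 53 gets in
        queried = self.pending.get((pkt.dst, pkt.dport, pkt.txid))
        if queried is None:
            return False  # no matching outstanding query: unsolicited, drop
        if self.policy == "stateful":
            return pkt.src == queried  # reply must come from address X itself
        if self.policy == "allowlist":
            return any(ip_address(pkt.src) in net for net in self.allowed)
        raise ValueError(self.policy)


def evaluate(policy, allowed=()):
    """Return (direct-server-return reply accepted?, unsolicited reply accepted?)."""
    f = DnsReplyFilter(policy, allowed)
    f.outbound(Packet(CLIENT, 40000, LOAD_BALANCER, 53, 0x1234))
    from_member = Packet(FARM_MEMBERS[0], 53, CLIENT, 40000, 0x1234)
    unsolicited = Packet("203.0.113.7", 53, CLIENT, 40000, 0x9999)
    return f.inbound(from_member), f.inbound(unsolicited)
```

Only the allowlist policy both admits the reply that box Y sends on behalf of X and still drops an unsolicited packet; it is also the policy that has to be edited on every router whenever the farm changes, which is the maintenance cost the post complains about.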
