[H-GEN] DNS Load sharing
David Findlay
david at davsoft.com.au
Thu Oct 17 05:16:59 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
Has anyone had problems with DNS replies from DNS server farms? One very large
ISP has recently changed from a single primary and single secondary DNS
server to one DNS server farm, run by a load balancer of some sort. They now
tell you not to put anything in as a secondary, only to enter a primary in
your settings. I believe that this is not a good idea.

Also, when you send a DNS lookup to their farm, you send it to address X which
is the load balancer. Then box Y behind the load balancer responds to you
directly. This basically means that you have to open your firewall to DNS
replies from all their boxes, and when they add a new one, or change
something you have to go and change all your settings. This can be difficult
if you maintain a large number of routers. They are saying that you should
open port 53 wide open. I don't think that this is a very good idea if you
want a secure network.

So here's the question. With load balancing, are all replies supposed to
appear to come from the load balancer external address, or not? Thanks,

David
- --
If you give someone a program, you will frustrate them for a day. If you teach
them how to program, you will frustrate them for a lifetime.
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/
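
Added example, not part of the original post: a small Python model of the situation described above, where a query goes to balancer address X and the reply arrives from backend Y. It compares a stateful UDP filter, a stateless "source port 53" rule, and the source check a resolver applies; all addresses, ports, class and function names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed addresses (documentation ranges), not taken from the post.
CLIENT, BALANCER_X, BACKEND_Y = "192.0.2.10", "198.51.100.1", "198.51.100.21"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int  # DNS transaction ID

@dataclass
class StatefulFilter:
    """Admits an inbound UDP packet only if it mirrors a tracked outbound flow."""
    timeout: float = 30.0
    flows: dict = field(default_factory=dict)  # flow 4-tuple -> expiry time

    def outbound(self, pkt, now):
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout

    def inbound(self, pkt, now):
        expiry = self.flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return expiry is not None and now <= expiry

def resolver_accepts(query, reply):
    """Client-side check: same transaction ID, reply comes from where the query went."""
    return (reply.txid == query.txid and
            (reply.src, reply.sport) == (query.dst, query.dport) and
            (reply.dst, reply.dport) == (query.src, query.sport))

def wide_open_rule(pkt):
    """Stateless 'allow anything from source port 53' rule, for comparison."""
    return pkt.sport == 53

def simulate(reply_src):
    """Query the balancer address, then evaluate a reply arriving from reply_src."""
    fw = StatefulFilter()
    query = Packet(CLIENT, 40000, BALANCER_X, 53, txid=0x1A2B)
    fw.outbound(query, now=0.0)
    reply = Packet(reply_src, 53, CLIENT, 40000, txid=0x1A2B)
    return {"stateful": fw.inbound(reply, now=0.1),
            "wide_open": wide_open_rule(reply),
            "resolver": resolver_accepts(query, reply)}

if __name__ == "__main__":
    for name, src in (("balancer X", BALANCER_X), ("backend Y", BACKEND_Y)):
        print(name, simulate(src))
```

In this model the reply from backend Y passes only the stateless rule, which matches on source port alone and so admits a packet from any other host using source port 53 as well.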