Issue or best practice with resolution via hardware load balancer

Kevin Darcy kcd at daimlerchrysler.com
Thu Mar 25 23:12:42 UTC 2004


__ __ wrote:

>Hi
>
>I'm looking for some info regarding a scenario I've recently been given.
>Apologies if part of the question is regarding Windows 2000 DNS, but it's
>really the BIND implementation I want to get right, and where the question
>really is.
>
>The DNS infrastructure is run on a hybrid environment - the top of the
>internal hierarchy is run on BIND (on Solaris) v8.2.3. The main domain used
>by most devices (desktop and mid-tier servers) is in a delegated domain run
>on Windows 2000 AD-integrated DNS.
>
>The top-level DNS domain is also partially delegated (the _ AD zones that
>tend to be required for an AD domain to be happy), largely for historical
>reasons (implemented before the main DNS infrastructure was on BIND
>revisions supporting dynamic updates and SRV records), now, as the top-level
>/ placeholder AD domain is also at the top level of the DNS space, but these
>AD machines aren't authoritative for all of that domain.
>
>We also use hardware load balancer devices that provide access to redundant
>app (web) servers. These hardware load balancers actually do the pseudo-name
>resolution for the host names used for the servers. These devices are all,
>really, in the top-level DNS domain.
>
>To achieve this, so far, delegation records have been added to the top level
>DNS domain, for names resolved by the hardware devices.
>
>So for example, if the top level is acme.com, then servers notionally known as
>webname1 are dealt with thus:-
>
>webname1 IN NS lb1.acme.com
>webname1 IN NS lb2.acme.com
>
>And as lb1 and lb2 are valid hosts within acme.com, they also have A
>records.
>
>However, webname1 isn't truly a domain - it's only used as a host record,
>but when resolved, returns a valid, dynamically resolved address record via
>lb1 or lb2 - when queried from the top-level domain acme.com
>
>This configuration is something of a fait accompli at the moment, so I'm
>trying to establish whether it's valid or not.
>
>The problem being that most of the internal hosts are on the sub DNS domain
>(eg corp.acme.com, which is delegated to Windows 2000 DNS run in an AD
>integrated DNS infrastructure). This DNS domain (corp.acme.com) is set to
>forward to acme.com (and as it's Windows 2000, it won't deal with
>conditional forwarding). And in turn, acme.com forwards to our ISP's DNS
>servers.
>
>When requesting the same name (webname1) from corp.acme.com I just get
>timeouts. If I specify to request NS records, I get the correct resolution,
>but A record resolution doesn't happen - yet it does if I request using the
>top-level DNS domain and its DNS servers.
>
>So to get to the crux of my question, I'm not convinced that it's truly a
>valid configuration to delegate what really is only a host, as a domain
>delegation, although it seems to work from the top-level DNS domain. What
>I'm wondering is how that really should be configured in the top-level
>domain (ie delegating actual resolution for names in the top-level domain
>to the hardware load-balancers). I've been considering conditional
>forwarding, or stub zones, and tried to research what really is the best way
>of achieving this?
>
Load-balancers tend to be skimpy implementations of DNS. Ours, for 
instance, as they are configured, don't have any way to configure SOA, 
NS records, etc. (really, anything other than A records), and thus have 
no notion of a "zone" and cannot provide zone transfers either.

However, the symptoms you describe should *not* be specific to the fact 
that you're delegating to load-balancers. Can you resolve names in *any* 
zones that are delegated from acme.com and for which your main 
nameserver is not authoritative? It sounds like your nameserver is not 
honoring recursion for the forwarded queries coming from the Microsoft 
box, or the Microsoft box is for some reason not sending recursive 
queries; maybe that's controlled by some configuration setting on the 
Microsoft box -- I wouldn't know.

I suppose it's barely plausible that the Microsoft box is getting the 
responses for the load-balancer names, but rejecting them for some 
reason (e.g. because they lack NS records in the Authority Section, or 
because the TTL is 0 (which is the default setting in some load-balancer 
implementations)).

Is there any reason why your clients *have* to use the Microsoft box for 
DNS resolution? We have AD here, but all of our clients still use BIND 
servers (on Unix boxes) to resolve DNS...

                                                         -Kevin

P.S. You may find that delegating a single "container" zone to the 
load-balancers (or a container zone for each *set* of load-balancers if 
you have more than one set) and then using RFC 2317-like aliases 
pointing into that container zone is a more scalable solution than 
delegating each name to the load-balancers separately. Take a look at 
www.chrysler.com on the Internet to see what I'm talking about. Among 
other things, it allows you to point names within the same hierarchy to 
different load-balancers, e.g. foo.bar.example.com could be served by a 
different set of load-balancers than bar.example.com, which is not 
possible if bar.example.com is delegated directly.
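The two layouts discussed in this thread, the per-name delegation from the question and the container zone with RFC 2317-style aliases from the P.S., as an added BIND zone-file example (not from the original thread). Kevin's example.com names are shown here under acme.com for consistency; the lbpool-a/lbpool-b container names, lb3/lb4, ns1, the serial and all addresses are constructed.

```zone
$TTL 3600
$ORIGIN acme.com.
@           IN SOA   ns1.acme.com. hostmaster.acme.com. (
                        2004032501 ; serial (constructed)
                        3600 900 1209600 3600 )
@           IN NS    ns1.acme.com.
ns1         IN A     192.0.2.53   ; constructed, RFC 5737 documentation range
lb1         IN A     192.0.2.1    ; load-balancer set A (lb1/lb2 from the thread)
lb2         IN A     192.0.2.2
lb3         IN A     192.0.2.3    ; load-balancer set B (constructed)
lb4         IN A     192.0.2.4

; --- Pattern from the question: each host name delegated on its own ---
; Every new load-balanced name needs two more NS records here, and a name
; delegated this way can only ever be answered by one load-balancer set.
; (Commented out: these NS records would clash with the CNAMEs below.)
;webname1   IN NS    lb1.acme.com.
;webname1   IN NS    lb2.acme.com.

; --- Pattern from the P.S.: one container zone per load-balancer set ---
; The container zones are the only delegations to the load balancers.
lbpool-a    IN NS    lb1.acme.com.
lbpool-a    IN NS    lb2.acme.com.
lbpool-b    IN NS    lb3.acme.com.
lbpool-b    IN NS    lb4.acme.com.

; Public names stay in acme.com as aliases into a container zone, in the
; spirit of RFC 2317; the load balancers must be configured to answer the
; A query for the alias target (webname1.lbpool-a.acme.com).
webname1    IN CNAME webname1.lbpool-a.acme.com.

; Names in the same hierarchy may point at different sets, which a direct
; delegation of bar.acme.com would not allow (foo.bar would be inside it).
bar         IN CNAME bar.lbpool-a.acme.com.
foo.bar     IN CNAME foo.bar.lbpool-b.acme.com.

; Caveat: an owner name with a CNAME can carry no other records, so MX or
; TXT data for these names must live at another owner name.
```

A resolver following the alias will ask the acme.com server for webname1.acme.com, receive the CNAME, and chase webname1.lbpool-a.acme.com through the lbpool-a delegation to lb1 or lb2, which can be checked with `dig webname1.acme.com` against the acme.com server. This does not by itself address the forwarding symptom described in the reply; a resolver that is not granted recursion will still time out on either layout.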