Issue or best practice with resolution via hardware load balancer
Kevin Darcy
kcd at daimlerchrysler.com
Thu Mar 25 23:12:42 UTC 2004
__ __ wrote:
>Hi
>
>I'm looking for some info regarding a scenario I've recently been given.
>Apologies if part of the question is regarding Windows 2000 DNS, but it's
>really the BIND implementation I want to get right, and where the question
>really is.
>
>The DNS infrastructure is run on a hybrid environment - the top of the
>internal hierarchy is run on BIND (on Solaris) v8.2.3. The main domain used
>by most devices (desktop and mid-tier servers) is in a delegated domain run
>on Windows 2000 AD-integrated DNS.
>
>The top-level DNS domain is also partially delegated (the _ AD zones that
>tend to be required for an AD domain to be happy), largely for historical
>reasons (implemented before the main DNS infrastructure was on BIND
>revisions supporting dynamic updates and SRV records). The top-level /
>placeholder AD domain is also at the top level of the DNS space, but these
>AD machines aren't authoritative for all of that domain.
>
>We also use hardware load balancer devices that provide access to redundant
>app (web) servers. These hardware load balancers actually do the pseudo-name
>resolution for the host names used for the servers. These devices are all,
>really, in the top-level DNS domain.
>
>To achieve this, so far, delegation records have been added to the top level
>DNS domain, for names resolved by the hardware devices.
>
>So for example, if the top level is acme.com, then servers notionally known as
>webname1 are dealt with thus:
>
>webname1 IN NS lb1.acme.com
>webname1 IN NS lb2.acme.com
>
>And as lb1 and lb2 are valid hosts within acme.com, they also have A
>records.
>
>However, webname1 isn't truly a domain - it's only used as a host record,
>but when resolved, returns a valid, dynamically resolved address record via
>lb1 or lb2 - when queried from the top-level domain acme.com
>
>This configuration is something of a fait accompli at the moment, so I'm
>trying to establish whether it's valid or not.
>
>The problem being that most of the internal hosts are on the sub DNS domain
>(eg: corp.acme.com, which is delegated to Windows 2000 DNS run in an AD
>integrated DNS infrastructure). This DNS domain (corp.acme.com) is set to
>forward to acme.com (and as it's Windows 2000, it won't deal with
>conditional forwarding). And in turn, acme.com forwards to our ISP's DNS
>servers.
>
>When requesting the same name (webname1) from corp.acme.com I just get
>timeouts. If I specify to request NS records, I get the correct resolution,
>but A record resolution doesn't happen - yet it does if I request using the
>top-level DNS domain and its DNS servers.
>
>So to get to the crux of my question, I'm not convinced that it's truly a
>valid configuration to delegate what really is only a host, as a domain
>delegation, although it seems to work from the top-level DNS domain. What
>I'm wondering is how that really should be configured in the top-level
>domain (ie delegating actual resolution for names in the top-level domain
>to the hardware load-balancers). I've been considering conditional
>forwarding, or stub zones, and tried to research what really is the best way
>of achieving this.
>
Load-balancers tend to be skimpy implementations of DNS. Ours, for
instance, as they are configured, don't have any way to configure SOA,
NS records, etc. (really, anything other than A records), and thus have
no notion of a "zone" and cannot provide zone transfers either.

However, the symptoms you describe should *not* be specific to the fact
that you're delegating to load-balancers. Can you resolve names in *any*
zones that are delegated from acme.com and for which your main
nameserver is not authoritative? It sounds like your nameserver is not
honoring recursion for the forwarded queries coming from the Microsoft
box, or the Microsoft box is for some reason not sending recursive
queries; maybe that's controlled by some configuration setting on the
Microsoft box -- I wouldn't know.

I suppose it's barely plausible that the Microsoft box is getting the
responses for the load-balancer names, but rejecting them for some
reason (e.g. because they lack NS records in the Authority Section, or
because the TTL is 0 (which is the default setting in some load-balancer
implementations)).

Is there any reason why your clients *have* to use the Microsoft box for
DNS resolution? We have AD here, but all of our clients still use BIND
servers (on Unix boxes) to resolve DNS...

-Kevin

P.S. You may find that delegating a single "container" zone to the
load-balancers (or a container zone for each *set* of load-balancers if
you have more than one set) and then using RFC 2317-like aliases
pointing into that container zone is a more scalable solution than
delegating each name to the load-balancers separately. Take a look at
www.chrysler.com on the Internet to see what I'm talking about. Among
other things, it allows you to point names within the same hierarchy to
different load-balancers, e.g. foo.bar.example.com could be served by a
different set of load-balancers than bar.example.com, which is not
possible if bar.example.com is delegated directly.
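As an added illustration of the container-zone approach described in the P.S. (this is not from the original thread or any vendor's configuration): a fragment of the acme.com zone file showing the per-name delegation from the question first, then the container-zone layout. Only acme.com, lb1/lb2 and webname1 come from the thread; the container zone names lb and lb-b, the hosts lb3/lb4, webname2, bar and foo.bar, and all addresses are assumed or constructed.

```zone
$ORIGIN acme.com.
; SOA and apex NS records for acme.com omitted for brevity.

; --- Approach from the question: one delegation per host name ---
; webname1 becomes a separate (tiny) zone served only by the load balancers.
webname1        IN NS    lb1.acme.com.
webname1        IN NS    lb2.acme.com.

; --- Container-zone approach from the reply (assumed layout) ---
; Delegate ONE container zone, lb.acme.com, to the first set of load balancers.
lb              IN NS    lb1.acme.com.
lb              IN NS    lb2.acme.com.
; The load balancers' own A records live in acme.com (constructed addresses).
lb1             IN A     192.0.2.11
lb2             IN A     192.0.2.12

; Public names are plain aliases into the container zone. The resolver follows
; the CNAME, then asks lb1/lb2 for the A record of webname1.lb.acme.com, which
; is the only record type the load balancers need to serve.
webname1        IN CNAME webname1.lb.acme.com.
webname2        IN CNAME webname2.lb.acme.com.

; A second set of load balancers gets its own container zone, lb-b.acme.com.
lb-b            IN NS    lb3.acme.com.
lb-b            IN NS    lb4.acme.com.
lb3             IN A     192.0.2.13
lb4             IN A     192.0.2.14

; Names within the same hierarchy can now point at different sets: bar.acme.com
; is served by the first set, foo.bar.acme.com by the second. A CNAME at "bar"
; only forbids other records at that owner name, not records below it, which is
; exactly what a direct delegation of "bar" would not allow.
bar             IN CNAME bar.lb.acme.com.
foo.bar         IN CNAME foo-bar.lb-b.acme.com.
```

Adding a new load-balanced name then means adding one CNAME in acme.com plus one A record on the load balancer, with no new delegation each time.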