Failover network strategy

Chris Buxton cbuxton at
Thu Sep 21 20:53:35 UTC 2006

The ideal solution is to use BGP instead of separate subnets. This  
really is the superior solution, and you should consider it.

The next best thing (a distant second, really) is to do essentially  
what you've said, setting up two sets of DNS servers with different  
data. If one line goes down, those DNS servers will be unreachable,  
and traffic will naturally flow to the other set of DNS servers. This  

- maintaining two sets of DNS servers
- having traffic go over both connections when both are up
- using really short TTL's

And it still isn't perfect. A foreign (meaning not under your
control) DNS server can cache data for an arbitrary period of time,
ignoring (overriding) your TTL's. And browsers tend to remember
name-to-IP data in memory, rather than asking DNS for each page or
image load; so if a line goes down, an outside web browser won't
switch to the other connection.

Chris Buxton
Men & Mice
Take control of your network

On Sep 21, 2006, at 8:47 AM, Jeff Lightner wrote:

> What is the best way to deal with failover networks served by DNS?
> Say we have a range of IP addresses assigned to us from the outside
> world and existing DNS servers have been set up to resolve the names to
> the appropriate places.  (Registrar setup done, reverse lookups etc...
> all done and working, NATting done to the real internal IPs of the
> various destinations.)
> We also have another range of IP addresses assigned to us with separate
> switches that would allow NATting these addresses to the same real
> internal IPs of the various destinations.
> We could of course just set up different DNS servers on this other range
> that only know this other range of IPs.  The downside being we'd have to
> either have them registered all the time and turned off (allowing the
> possibility of needless timeouts on queries) or not registered until we
> need them which means there could be a delay between the time the
> primary range failed and the second set of DNS servers were seen by the
> outside world.
> I don't think we're the first to look at this so was wondering how other
> people do it.
> Jeffrey C. Lightner
> Unix Systems Administrator
> DS Waters of America, LP
> 678-486-3516
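
An added example, not part of the original messages or of BIND: a small simulation of the two-server-set scheme and the TTL caveat described in the reply above. The addresses, the resolver model and its `min_ttl` floor are constructed assumptions; browser-side caching is not modelled.

```python
# Constructed model: each uplink has its own authoritative server set, which
# is reachable only over that uplink and answers with that uplink's address.
LINKS = {
    "A": "192.0.2.10",     # documentation range, stands in for range 1
    "B": "198.51.100.10",  # documentation range, stands in for range 2
}


class CachingResolver:
    """Outside recursive resolver; min_ttl > 0 models one that overrides TTLs."""

    def __init__(self, min_ttl=0):
        self.min_ttl = min_ttl
        self.cached = None  # (address, expiry time in seconds)

    def resolve(self, now, links_up, ttl):
        if self.cached and now < self.cached[1]:
            return self.cached[0]  # served from cache, even if the link died
        # Only server sets behind a working uplink can answer. Preferring
        # "A" is an assumption chosen to show the worst case.
        for link in sorted(links_up):
            addr = LINKS[link]
            self.cached = (addr, now + max(ttl, self.min_ttl))
            return addr
        return None


def outage_seconds(ttl, min_ttl, fail_at, horizon=7200, step=10):
    """Seconds after uplink A fails during which clients still get A's address."""
    resolver = CachingResolver(min_ttl)
    stale = 0
    for now in range(0, horizon, step):
        up = {"A", "B"} if now < fail_at else {"B"}
        addr = resolver.resolve(now, up, ttl)
        if now >= fail_at and addr == LINKS["A"]:
            stale += step
    return stale


if __name__ == "__main__":
    # Resolver that honours a 60 s TTL versus one that keeps data for an hour.
    print("honours TTL :", outage_seconds(ttl=60, min_ttl=0, fail_at=95), "s")
    print("overrides it:", outage_seconds(ttl=60, min_ttl=3600, fail_at=95), "s")
```
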

More information about the bind-users mailing list