transparent DNS load-balancing with a Cisco ACE

Michael Hoskins (michoski) michoski at cisco.com
Sat Oct 20 00:03:16 UTC 2012


-----Original Message-----

From: Chuck Swiger <cswiger at mac.com>
Date: Friday, October 19, 2012 5:09 PM
To: John Miller <johnmill at brandeis.edu>
Cc: DNS BIND <bind-users at isc.org>
Subject: Re: transparent DNS load-balancing with a Cisco ACE

>> 
>> We're on a /16, so we have plenty of public IPs (though not as many as
>> you!) to play with, too.  The choice to NAT has historically been more
>> about security than anything else--if something is privately IPed, we've
>> got it on a special VLAN as well.
>
>OK.  I've seen too many examples of traffic leaking between VLANs to
>completely trust their isolation, but good security ought to involve many
>layers which don't have to each be perfect to still provide worthwhile
>benefits.

"NAT is not a security mechanism" :-)

>> If that's the case, how do you keep your probes (to the IP behind the
>> LB) working, while still sending back regular DNS traffic (that was
>> originally sent to the virtual IP) with the VIP as a source address?
>> Seems like you get only one or the other unless you tweak
>> iptables/ipfw/etc.
>
>There are two types of probes that I'm familiar with.
>
>One involves liveness probes between the LB itself to the reals, which is
>done so that the LB can decide which of the reals are available and
>should be getting traffic.  For these, the reals are replying using their
>own IPs.  The other type of probe is to the VIP; the LB forwards traffic
>to the reals, gets a reply, and then proxies or rewrites these responses
>and returns them to the origin of the probe using the IP of the VIP.  Or
>you can short-cut replies going back via the LB using DSR ("Direct
>Service Return"), or whatever your LB vendor calls that functionality...
>
>All of your normal clients would only be talking to the VIP, and would
>only see traffic coming from the VIP's IP.

Hmm, I must have got lucky or this is being over-thought...  I use ACE
with Linux/BIND reals and DSR.  No problems with traffic or probes.  I
would avoid NAT for DNS.  It's certainly possible, though NDAs avoid
copy/paste.  :-(

Ugly URLs suck almost as much as NDAs:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Server_Load-Balancing_Configuration_Examples#Example_of_a_UDP_Probe_Load-Balancing_Configuration

Better:

https://lists.isc.org/pipermail/bind-users/2012-March/087105.html

While you're at it, test your fixups...  :-)

https://www.dns-oarc.net/oarc/services/replysizetest/

Good luck!
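The reply-size test linked above boils down to two fields in the answers that come back through the load balancer's DNS fixup: the TC bit and the EDNS0 UDP payload size in the OPT RR. The following is an added example, not part of the original thread or any ACE/BIND code, that builds a constructed sample response offline and extracts exactly those fields so a DSR/fixup deployment can be checked against captured replies.

```python
import struct

def _skip_name(msg, off):
    """Return the offset just past a DNS name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, tc, edns_udp_size=None):
    """Constructed sample response (not captured traffic): one A answer, optional OPT RR."""
    flags = 0x8180 | (0x0200 if tc else 0)            # QR, RD, RA, plus TC if requested
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, arcount)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)      # question: A IN
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if edns_udp_size:
        # OPT RR: root name, type 41, CLASS carries the advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def parse_response(msg):
    """Report what a reply-size check cares about: TC bit, rcode, advertised EDNS0 size."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # skip QTYPE and QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                                # OPT RR; missing means EDNS stripped
            edns = rclass
        off += 10 + rdlen
    return {"tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "edns_udp_size": edns, "length": len(msg)}
```

Run parse_response over replies captured on the client side of the VIP: a stripped OPT RR or an unexpected TC bit on a small answer points at the fixup rather than at BIND.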
