Message from discussion transparent DNS load-balancing with a Cisco ACE
From: Chuck Swiger <cswi...@mac.com>
Subject: Re: transparent DNS load-balancing with a Cisco ACE
Date: Fri, 19 Oct 2012 12:08:30 -0700
Cc: DNS BIND <bind-us...@isc.org>
To: John Miller <johnm...@brandeis.edu>
List-Id: BIND Users Mailing List <bind-users.lists.isc.org>
On Oct 19, 2012, at 11:25 AM, John Miller wrote:
> Hello everyone,
> Perhaps a Cisco list is a better destination for this, but I've seen a similar post here in the past couple of months, so posting here as well.
> I'm trying to get our Cisco ACE set up appropriately to handle DNS traffic. So far, I've gotten it working using NAT (each rserver has a public and a private IP) and using transparent load-balancing (ACE talks directly to the public IP), aka direct server return.
IMO, the only boxes which should have IPs in both public and private netblocks should be your firewall/NAT routing boxes.
> Here's a question, however: how does one get probes working for a transparent LB setup? If an rserver listens for connections on all interfaces, then probes work fine, but the return traffic uses the machine's default IP (not the VIP that was originally queried) as the source address.
That's the default routing behavior for most platforms. Some of them might support some form of policy-based routing via ipfw fwd / route-to or similar with other firewall mechanisms which would let the probes get returned from some other source address if you want them to do so.
> What have people done to get probes working with transparent LB? Are any of you using NAT to handle your dns traffic? Not tying up NAT tables seems like the way to go, but lack of probes is a deal-breaker on this end.
The locals around here have the luxury of a /8 netblock, so they can set up the reals behind a LB using publicly routable IPs and never need to NAT DNS traffic. Folks with a more limited number of routable IPs might well use LB to reals on an unroutable private network range behind NAT, in which case they wouldn't configure those boxes with public IPs.