DDNS Registration behind Load Balancer
Linux Addict
linuxaddict7 at gmail.com
Fri Jun 27 14:23:50 UTC 2008
Mark Andrews wrote:
>> Mark Andrews wrote:
>>
>>>> On Jun 26, 2008, at 4:05 PM, Kevin Darcy wrote:
>>>>
>>>>
>>>>> Chris Buxton wrote:
>>>>>
>>>>>
>>>>>> On Jun 26, 2008, at 1:53 PM, Linux Addict wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Greeting!!
>>>>>>>
>>>>>>> I am configuring a DNS setup where it's a mix of Linux and Windows
>>>>>>> hosts. I decided to go with BIND rather than MS DNS Server. I have
>>>>>>> Windows hosts doing dynamic registration to the BIND Master Server.
>>>>>>>
>>>>>>> The next step on my project is to add a Load Balancer with 3 servers.
>>>>>>> I was thinking of one master and 2 slaves initially. Then it struck
>>>>>>> me that when a Windows Host does DDNS registration against the Load
>>>>>>> Balancer VIP, and the Load Balancer redirects the traffic to one of
>>>>>>> the slave servers, it will not accept the changes as it's only a
>>>>>>> secondary.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Not true. 'allow-update-forwarding { any; };'.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> That'll work as long as the OP only has masters and slaves, but
>>>>> doesn't allow the flexibility to add caching-only resolvers in the
>>>>> future.
>>>>>
>>>>> I still think the best approach is to have the DHCP server(s), rather
>>>>> than the clients themselves, register the client names in DNS. It also
>>>>> raises fewer security issues.
>>>>>
>>>>>
>>>> I completely agree. I was just pointing out to the OP that one of his
>>>> assertions was untrue.
>>>>
>>>> Chris Buxton
>>>> Professional Services
>>>> Men & Mice
>>>>
>>>>
>>> Caching only name servers are an orthogonal issue. Your
>>> load balancer may be able to look at the DNS OPCODE and
>>> redirect all UPDATE requests to one machine.
>>>
>>>
>> It's not orthogonal if there is a proliferation of caching-only
>> resolvers at remote sites, with no load-balancers in front of them, or
>> no load-balancers capable of the OPCODE-based redirection you describe.
>> We don't have a lot of information about the OP's network topology
>> and/or their plans for the future, so we can only speculate in that regard.
>>
>
> UPDATE requests are sent to authoritative servers. They
> are *not* sent to caches. At worst the probing for the
> zone to update can add a cached NXDOMAIN response. Named
> doesn't cache negative responses to SOA queries so that it
> is possible to discover the containing zone without introducing
> side effects.
>
>
>> One thing we can be fairly certain of, however, is that there is some
>> sort of DHCP infrastructure in place -- if all the clients have static
>> IPs it presumably wouldn't be necessary to update DNS dynamically at all
>> -- and it seems to me cleaner and more straightforward to have the DHCP
>> server do the DNS update, rather than the client.
>>
>> Another missing piece of the puzzle is: why put the master *and* the
>> slaves behind the same load-balancer VIP? Seems to me, at a minimum,
>> you'd want to segregate the slaves from the master, since they serve
>> different functions. If the client *must* do the Dynamic Update, for
>> some reason, perhaps it could fail over to the master's address after
>> the Dynamic Update request gets REFUSEd by the slave VIP.
>>
>
> No, the correct response is NOTIMPL. The client does not
> implement the forwarding of UPDATE requests to the master.
> REFUSED should result in the client immediately returning.
> (Yes, there are update clients that continue on REFUSED.)
>
> This allows the client to distinguish between a slave that
> has forwarded the UPDATE request to a master which then refused
> it and a slave that is not configured to forward updates.
>
> Mark
>
>
>> - Kevin
>>
I have around 1000 hosts, a mix of Linux and Windows, and they are all
statically IPed. At this point I am not moving to DHCP. I am planning only 2
DNS servers per Data Center.
The plan is to have either master/slave or multi-master. If
allow-update-forwarding will allow a slave to accept/forward Dynamic
Registration, then that should do it for me.
Why am I putting master and slave both behind the Load Balancer? Well, I am
planning only a couple of servers for DNS and I have to put both of them
behind it to achieve High Availability. But I am open to ideas. I can't think
of any better architecture with 2 servers.
Thank you
~LA
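To make the configuration the thread converges on concrete, here is an added example of the relevant BIND 9 named.conf statements; it was not posted in the thread and is not taken from any of the participants. The master accepts only TSIG-signed updates, and each slave behind the VIP forwards UPDATE requests to it with the `allow-update-forwarding` statement Chris Buxton mentioned. The zone name, addresses, file paths and key secret are assumed placeholders.

```conf
// Added example, not from the thread. Zone name, addresses, paths and the
// key secret are assumed placeholders.

// --- in named.conf on the master and on every slave: the TSIG key that
//     update clients sign with ---
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET==";   // placeholder, not a real secret
};

// --- master (192.0.2.1, assumed) ---
zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    // Only signed updates are accepted. This is also the policy applied to
    // updates the slaves forward here; the slaves do no authorization.
    allow-update { key "ddns-key"; };
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};

// --- each slave behind the VIP (192.0.2.2 and 192.0.2.3, assumed) ---
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.db";
    // Without this statement the slave answers an UPDATE with NOTIMPL.
    // With it, the UPDATE is relayed to the master and the master's
    // response (NOERROR or REFUSED) is relayed back to the client.
    allow-update-forwarding { any; };
};
```

The slave's `allow-update-forwarding { any; }` only decides whose updates get relayed; whether an update is applied is decided by the master's `allow-update`, so that is where the security concern Kevin raised about client-driven registration lands. If the clients cannot sign with a shared key, the weaker fallback is an address-based ACL on the master's `allow-update` in place of `key "ddns-key"`; leaving it as `any` lets any host that can reach the VIP rewrite records.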