
Re: load balancing(2)



Greetings!

On Thu, 13 Mar 2003 17:26:21 +0100 Andrew Miehs <andrew@jinx.de> wrote:

> On Thu, Mar 13, 2003 at 04:47:47PM +0100, Volker Tanger wrote:
> > For incoming the firewalls simply use DNS Round-Robin on the FW
> > members which have to be listed as primary/master servers for the
> > domain in question. This way you are independent of network
> > mechanics.
> >
> 
> If you use round robin DNS, you will have the problem that 50% of your
> traffic will disappear when provider 1 goes down. Yes, you could try
> and fix this with changing TTLs, but it's messy, and browsers, and other
> DNS servers which are not in your control, may cache things, even
> though they shouldn't.


Yes - but it is not the run-of-the-mill DNS-round-robin as you might
know it. In the root DNS servers both servers (i.e. via the two provider
lines) are listed as equal masters.

So if one line goes down, the remaining DNS server can still be queried,
which of course lists only the IP addresses of the working line.
As the DNS sits on the FW cluster, the FW tweaks its
DNS-round-robin according to current line availability and capacity.

But yes, you are right: DNS caches, usually a good thing, will render
that failover mechanism useless. So basically "only" the ones with
advanced infrastructure (esp. big business customers) will suffer
failures.

Bye

Volker Tanger
IT-Security Consulting

-- 

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3435

volker.tanger@discon.de
http://www.discon.de/
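The mechanism discussed in this thread, as an added simulation that is not part of the original mails or of any product mentioned: an authoritative DNS on the FW cluster that lists only the addresses of lines that are up (rotated round-robin), a caching resolver that honours the TTL, and a helper that measures what share of a cached answer now points at a dead line. The TTL of 300 s, the line names and the addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Line-aware DNS round-robin on a firewall cluster versus downstream caches.
Constructed example; all addresses are RFC 5737 documentation ranges."""

from dataclasses import dataclass

TTL = 300  # seconds; assumed record TTL

# Constructed: two provider lines, each with its own address block.
LINES = {
    "line1": ["192.0.2.10", "192.0.2.11"],
    "line2": ["198.51.100.10", "198.51.100.11"],
}


@dataclass
class FirewallDns:
    """Authoritative DNS on the FW cluster: it knows which lines are up,
    lists only their addresses and rotates the order on every query."""
    lines: dict
    status: dict
    _rotation: int = 0

    def answer(self):
        """Return (ips, ttl) for the domain, excluding lines that are down."""
        ips = [ip for line, addrs in self.lines.items()
               if self.status[line] for ip in addrs]
        if not ips:
            return [], TTL
        k = self._rotation % len(ips)
        self._rotation += 1
        return ips[k:] + ips[:k], TTL


class CachingResolver:
    """A browser or intermediate resolver that honours the TTL and therefore
    keeps handing out addresses of a line that has since failed."""

    def __init__(self, auth):
        self.auth = auth
        self._cache = None  # (ips, expires_at)

    def resolve(self, now):
        if self._cache is not None and now < self._cache[1]:
            return list(self._cache[0])        # still valid: no new query
        ips, ttl = self.auth.answer()
        self._cache = (ips, now + ttl)
        return list(ips)


def dead_fraction(ips, lines, status):
    """Share of the answered addresses that sit on a line which is down,
    i.e. the share of connections that will fail for a client using them."""
    if not ips:
        return 0.0
    dead = {ip for line, addrs in lines.items()
            if not status[line] for ip in addrs}
    return sum(ip in dead for ip in ips) / len(ips)


def simulate():
    """Walk through a line failure as seen by a caching and a non-caching client."""
    status = {"line1": True, "line2": True}
    auth = FirewallDns(LINES, status)
    cached = CachingResolver(auth)

    before = cached.resolve(now=0)       # both lines healthy, answer cached
    status["line1"] = False              # line 1 fails at t=60 s
    stale = cached.resolve(now=60)       # TTL not expired: old answer reused
    fresh, _ = auth.answer()             # client without cache asks the FW
    expired = cached.resolve(now=TTL)    # cache expired: refetched from FW

    return {
        "before": set(before),
        "stale_cached": set(stale),
        "stale_dead_fraction": dead_fraction(stale, LINES, status),
        "fresh": set(fresh),
        "after_ttl": set(expired),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Run as a script it prints the five observations: while the cache is valid, half of the cached addresses belong to the failed line (the 50% loss from the thread), a client that asks the FW-hosted DNS directly gets only the surviving line, and the caching client recovers only once the TTL has run out.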


