[dns-operations] Natting DNS farm behind LB - using priv ip space.

Bob Paolucci Bob.Paolucci at rci.rogers.com
Fri Jun 3 16:02:06 UTC 2011


We've had pretty good luck with Cisco's CSM after some growing pains, but it does not support v6 and we are looking at a new LB that supports native v6 transport.

New LB is the A10 ADC60.

Anyone have any experience / comments about using such LB's for DNS? :)

Now back to the discussion,

Is there any reason why we would want to use routable real IPs on the DNS servers to avoid having to NAT for outgoing DNS traffic?  It's what we're doing right now under the CSM config.
The proposal is to use private IPs on the DNS servers under the new LB and NAT....
I'm leaning towards using real IPs on the DNS servers...

Again, comments appreciated :)

-----Original Message-----
From: João Damas [mailto:joao at bondis.org]
Sent: Fri 03/06/2011 11:33 AM
To: Bob Paolucci
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Natting DNS farm behind LB - using priv ip space.
 
Main issues in those setups tend to be:
- latency introduced by the LB
- state kept by the LB, which can kill it if the DNS servers get a lot of queries, particularly over UDP as is normal for DNS and abnormal for LB
- support for modern DNS packets in the LB (some of them are really broken and look into things they shouldn't)

Joao

On 3 Jun 2011, at 17:16, Bob Paolucci wrote:

> Hey guys,
> 
> This is a pretty open question...
> 
> But does anyone foresee any issue with the following setup:
> 
> A bunch of DNS resolvers that are behind a load balancer; the load balancer is presenting anycast to the clients for resolution, the DNS servers behind the load balancer only have private IPs on their interfaces, and the load balancer has a single NAT address for the outgoing queries / responses.
> 
> Thoughts?  Concerns?
> 
> This e-mail (and attachment(s)) is confidential, proprietary, may be subject to copyright and legal privilege and no related rights are waived. If you are not the intended recipient or its agent, any review, dissemination, distribution or copying of this e-mail or any of its content is strictly prohibited and may be unlawful. All messages may be monitored as permitted by applicable law and regulations and our policies to protect our business. E-mails are not secure and you are deemed to have accepted any risk if you communicate with us by e-mail. If received in error, please notify us immediately and delete the e-mail (and any attachments) from any computer or any storage medium without printing a copy.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs



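One check worth running before settling the NAT question raised in this thread: look at the outgoing queries from the *outside* of the LB/NAT and confirm that source ports are still randomised, since a NAT that allocates ports from a small pool or in sequence undoes the resolver's own port randomisation. The script below is an added example, not code from the thread or from any vendor; the tcpdump-style capture lines and the port-distribution samples are constructed, and the pass/fail thresholds are assumptions.

```python
"""Check whether a NAT/LB in front of resolvers preserves source-port
randomisation on outgoing queries (added example, not from the thread).
Input is the stream of outgoing queries seen outside the NAT; constructed
sample data is embedded so the script runs offline."""

import math
import random
import re
from collections import Counter

# Constructed sample capture lines in tcpdump's DNS summary format:
# "IP <src>.<sport> > <dst>.53: <txid>+ A? <name>. (<len>)".
CAPTURE_LINES = [
    "IP 203.0.113.1.40000 > 198.51.100.53.53: 4660+ A? example.com. (29)",
    "IP 203.0.113.1.40001 > 198.51.100.53.53: 9117+ AAAA? example.net. (30)",
    "IP 203.0.113.1.40002 > 198.51.100.53.53: 30210+ MX? example.org. (30)",
]
_LINE_RE = re.compile(r"IP (\S+)\.(\d+) > \S+\.53: (\d+)\+")


def parse_capture_lines(lines):
    """Return (src_ip, src_port, txid) for each recognisable query line."""
    out = []
    for line in lines:
        m = _LINE_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


# Constructed distributions.  DIRECT imitates resolvers on real IPs picking
# a random ephemeral port per query; NATTED imitates a NAT that hands out
# ports sequentially from one narrow pool (assumed behaviour for illustration).
random.seed(7)
DIRECT = [("203.0.113.10", random.randint(1024, 65535), random.randint(0, 65535))
          for _ in range(500)]
NATTED = [("203.0.113.1", 40000 + i, random.randint(0, 65535))
          for i in range(500)]


def shannon_bits(values):
    """Shannon entropy of the observed values, in bits.  Note that a
    sequential allocator also scores high here (every port is distinct),
    so entropy alone does not catch predictable NAT pools."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(ports):
    """Share of consecutive queries whose port differs by exactly 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) == 1)
    return steps / (len(ports) - 1)


def port_stats(records):
    ports = [p for _, p, _ in records]
    return {
        "samples": len(records),
        "distinct_ports": len(set(ports)),
        "port_range": (min(ports), max(ports)),
        "port_entropy_bits": shannon_bits(ports),
        "txid_entropy_bits": shannon_bits([t for _, _, t in records]),
        "sequential_fraction": sequential_fraction(ports),
    }


def assess(stats, min_range=20000, max_sequential=0.05):
    """Return (ok, reason).  Thresholds are assumptions, not a standard."""
    lo, hi = stats["port_range"]
    if hi - lo < min_range:
        return False, "ports confined to %d-%d: NAT pool too narrow" % (lo, hi)
    if stats["sequential_fraction"] > max_sequential:
        return False, ("%.0f%% of queries use the next port in sequence: "
                       "NAT is allocating ports predictably"
                       % (100 * stats["sequential_fraction"]))
    return True, "source ports look randomised"


if __name__ == "__main__":
    print("parsed from capture:", parse_capture_lines(CAPTURE_LINES))
    for label, recs in (("direct", DIRECT), ("natted", NATTED)):
        st = port_stats(recs)
        print(label, st, assess(st))
```

On a real deployment, feed `parse_capture_lines` the output of `tcpdump -n -i <outside-if> udp dst port 53` taken outside the LB, and run it separately over v4 and v6 paths; the NATTED sample shows why distinct-port counts and entropy alone are not enough and why the sequential-allocation check is included.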