[dns-operations] Natting DNS farm behind LB - using priv ip space.

Florian Weimer fw at deneb.enyo.de
Fri Jun 3 17:30:53 UTC 2011


* Bob Paolucci:

> Bunch of DNS resolvers that are behind a load balancer, load
> balancer is presenting anycast to the clients for resolution, dns
> servers behind load balancer only have private IPs on their
> interfaces, load balancer has a single nat address for the outgoing
> queries / responses.

If you use a load balancer, you must make sure that nothing sets the
DF bit on the packets you send to clients.  You should run identical
software on all nodes behind the load balancer.

You shouldn't run outgoing queries through the load balancer.  This
way, a query storm which results in cache misses will likely take out
the entire cluster.  Source port randomization is poison for NAT.
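
Added example, not part of the original message: a Python check for the DF-bit point above, flagging UDP packets sent from source port 53 whose IPv4 header has DF set. The function names, the packet builder and the sample addresses (documentation ranges) are constructed for illustration; it assumes raw IPv4 packets taken from a capture on the client-facing side of the load balancer.

```python
import struct

DF = 0x4000          # "Don't Fragment" bit in the IPv4 flags/fragment-offset field
FRAG_OFFSET = 0x1FFF  # fragment offset mask

def build_ipv4_udp(src, dst, sport, dport, df, payload=b"\x00" * 12):
    """Build a minimal IPv4+UDP packet (checksums left zero; constructed sample data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0,
                     DF if df else 0, 64, 17, 0, bytes(src), bytes(dst))
    return ip + udp

def dns_response_df_violations(packets):
    """Return (src, dst) for every UDP packet from port 53 that has DF set."""
    hits = []
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue                      # not IPv4 or truncated
        ihl = (pkt[0] & 0x0F) * 4         # header length, honours IP options
        if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 17:
            continue                      # malformed, truncated, or not UDP
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        if flags_frag & FRAG_OFFSET:
            continue                      # later fragment: carries no UDP header
        sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
        if sport == 53 and flags_frag & DF:
            src = ".".join(map(str, pkt[12:16]))
            dst = ".".join(map(str, pkt[16:20]))
            hits.append((src, dst))
    return hits

# Constructed sample traffic (RFC 5737 documentation addresses).
RESOLVER, CLIENT_A, CLIENT_B = (192, 0, 2, 53), (198, 51, 100, 7), (198, 51, 100, 8)
SAMPLE = [
    build_ipv4_udp(RESOLVER, CLIENT_A, 53, 40000, df=True),   # response with DF: flagged
    build_ipv4_udp(RESOLVER, CLIENT_B, 53, 40001, df=False),  # response without DF: fine
    build_ipv4_udp(CLIENT_A, RESOLVER, 40002, 53, df=True),   # client query: not our packet
]

if __name__ == "__main__":
    for src, dst in dns_response_df_violations(SAMPLE):
        print(f"DF set on DNS response {src} -> {dst}")
```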
