[dns-operations] Natting DNS farm behind LB - using priv ip space.

Bob Paolucci Bob.Paolucci at rci.rogers.com
Fri Jun 3 18:04:57 UTC 2011

Ah yes... query source port was a concern for me as well.
And good point on the query storm!!!

-----Original Message-----
From: Florian Weimer [mailto:fw at deneb.enyo.de]
Sent: Fri 03/06/2011 1:30 PM
To: Bob Paolucci
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Natting DNS farm behind LB - using priv ip space.

* Bob Paolucci:

> Bunch of DNS resolvers that are behind a load balancer, load
> balancer is presenting anycast to the clients for resolution, dns
> servers behind load balancer only have private IPs on their
> interfaces, load balancer has a single nat address for the outgoing
> queries / responses.

If you use a load balancer, you must make sure that nothing sets the
DF bit on the packets you send to clients.  You should run identical
software on all nodes behind the load balancer.

You shouldn't run outgoing queries through the load balancer.  This
way, a query storm which results in cache misses will likely take out
the entire cluster.  Source port randomization is poison for NAT.
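The "source port randomization is poison for NAT" point is easy to verify from the outside: capture the source ports of the resolvers' outgoing queries on the public side of the NAT and check whether the randomization the resolver applied is still visible there. The following is an added example written for this archive page, not code from either poster or from any resolver or load-balancer product. It works on constructed port samples embedded in the file (a truly randomized sample, a NAT that allocates ports from a counter, and a NAT that uses a pool of 16 ports), and the two thresholds in `assess_source_ports` are assumptions chosen for the example, not values from the thread.

```python
import math
import random
from collections import Counter

# Constructed samples (not captures from the thread's network): the source
# ports of 500 consecutive outgoing resolver queries, as they would appear
# on the public side of the load balancer's NAT.
SAMPLE_SIZE = 500

# Case 1: the resolver's own randomization reaches the wire untouched.
RANDOMIZED_SAMPLE = random.Random(7).sample(range(1024, 65536), SAMPLE_SIZE)

# Case 2: the NAT rewrites every query's port from a simple counter.
NAT_COUNTER_SAMPLE = list(range(40000, 40000 + SAMPLE_SIZE))

# Case 3: the NAT draws from a pool of only 16 ports for its single address.
_pool = random.Random(3)
NAT_SMALL_POOL_SAMPLE = [_pool.randrange(40000, 40016) for _ in range(SAMPLE_SIZE)]


def port_entropy_bits(ports):
    """Shannon entropy, in bits, of the observed source-port distribution."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Share of adjacent queries whose port increases by exactly 1, the
    signature of a NAT handing out ports from a counter. Entropy alone
    misses this case: a counter produces all-distinct ports."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_source_ports(ports, min_normalized_entropy=0.9, max_sequential=0.2):
    """Judge whether source-port randomization survived the path to the wire.

    Entropy is normalized against log2(sample size), the most a sample of
    that size can show. Both thresholds are assumptions made for this
    example, not values from the thread or from any standard.
    """
    n = len(ports)
    entropy = port_entropy_bits(ports)
    max_entropy = math.log2(n) if n > 1 else 1.0
    normalized = entropy / max_entropy
    sequential = sequential_fraction(ports)
    ok = normalized >= min_normalized_entropy and sequential <= max_sequential
    return {
        "queries": n,
        "distinct_ports": len(set(ports)),
        "entropy_bits": entropy,
        "normalized_entropy": normalized,
        "sequential_fraction": sequential,
        "verdict": "ok" if ok else "degraded",
    }


if __name__ == "__main__":
    for name, sample in [("randomized", RANDOMIZED_SAMPLE),
                         ("nat counter", NAT_COUNTER_SAMPLE),
                         ("nat small pool", NAT_SMALL_POOL_SAMPLE)]:
        report = assess_source_ports(sample)
        print(f"{name:15s} distinct={report['distinct_ports']:3d} "
              f"H={report['entropy_bits']:.2f} bits "
              f"seq={report['sequential_fraction']:.2f} -> {report['verdict']}")
```

To use it against a real deployment, replace the constructed lists with the UDP source ports of port-53 queries captured on the outside interface of the NAT (parsed from whatever capture tool you already use) and compare the verdict with a capture taken directly on a resolver. If the resolver side shows randomized ports and the outside shows a counter or a small pool, the NAT is the component discarding the randomization the thread warns about.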
