-----Original Message-----
From: Chuck Swiger <cswi...@mac.com>
Date: Friday, October 19, 2012 5:09 PM
To: John Miller <johnm...@brandeis.edu>
Cc: DNS BIND <bind-us...@isc.org>
Subject: Re: transparent DNS load-balancing with a Cisco ACE
>> We're on a /16, so we have plenty of public IPs (though not as many as
>> you!) to play with, too. The choice to NAT has historically been more
>> about security than anything else--if something is privately IPed, we've
>> got it on a special VLAN as well.
>
> OK. I've seen too many examples of traffic leaking between VLANs to
> completely trust their isolation, but good security ought to involve many
> layers which don't have to each be perfect to still provide worthwhile
> benefits. "NAT is not a security mechanism" :-)
>
>> If that's the case, how do you keep your probes (to the IP behind the
>> LB) working, while still sending back regular DNS traffic (that was
>> originally sent to the virtual IP) with the VIP as a source address?
>> Seems like you get only one or the other unless you tweak
>> iptables/ipfw/etc.
>
> There are two types of probes that I'm familiar with.
>
> One involves liveness probes between the LB itself to the reals, which is
> done so that the LB can decide which of the reals are available and
> should be getting traffic. For these, the reals are replying using their
> own IPs. The other type of probe is to the VIP; the LB forwards traffic
> to the reals, gets a reply, and then proxies or rewrites these responses
> and returns them to the origin of the probe using the IP of the VIP. Or
> you can short-cut replies going back via the LB using DSR ("Direct
> Service Return"), or whatever your LB vendor calls that functionality...
>
> All of your normal clients would only be talking to the VIP, and would
> only see traffic coming from the VIP's IP.

Hmm, I must have got lucky or this is being over-thought... I use ACE with
Linux/BIND reals and DSR. No problems with traffic or probes. I would avoid
NAT for DNS. It's certainly possible, though NDAs avoid copy/paste. :-(
Ugly URLs suck almost as much as NDAs:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Server_Load-Balancing_Configuration_Examples#Example_of_a_UDP_Probe_Load-Balancing_Configuration

Better:

https://lists.isc.org/pipermail/bind-users/2012-March/087105.html

While you're at it, test your fixups... :-)

https://www.dns-oarc.net/oarc/services/replysizetest/

Good luck!
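The "test your fixups" advice above is about checking that a load balancer, NAT device or "DNS fixup" in the path does not strip the EDNS0 OPT record or truncate large UDP replies. The following is an added example, not code from anyone in this thread, nor from the DNS-OARC test or the Cisco ACE: a standard-library-only Python script that builds an EDNS0 query advertising a 4096-byte UDP buffer, parses the reply's OPT record and TC bit, and classifies what the path did to the reply. The query name rs.dns-oarc.net is the TXT name the DNS-OARC reply size test page documents; the three sample replies at the bottom are constructed locally with build_response() (an assumed helper written for this example) so the script runs offline, and query_server() is the only part that touches the network.

```python
"""EDNS0 reply-size check: does the path to a VIP deliver large UDP replies intact?

Added example (not from the bind-users thread). Pure standard library; DNS wire
format per RFC 1035 plus the OPT pseudo-RR (type 41) from RFC 6891.
"""
import socket
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type
TXT_TYPE = 16
EDNS_UDP_SIZE = 4096     # buffer size we advertise to the server
QNAME = "rs.dns-oarc.net"  # name used by the DNS-OARC reply size test (TXT)


def _encode_name(qname: str) -> bytes:
    """Encode a dotted name as length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split(".")) + b"\x00"


def build_query(qname: str = QNAME, qtype: int = TXT_TYPE,
                udp_size: int = EDNS_UDP_SIZE, txid: int = 0x1234) -> bytes:
    """Build a recursive-desired query with one question and one OPT RR in ADDITIONAL."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=ext-rcode/ver/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf: bytes) -> dict:
    """Extract the fields that matter for a reply-size test: TC bit, RCODE, OPT presence/size."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4          # skip QTYPE/QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            udp_size = rclass                   # for OPT, the CLASS field carries the UDP size
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "edns": udp_size is not None, "udp_size": udp_size, "length": len(buf)}


def assess(resp: dict, advertised: int = EDNS_UDP_SIZE) -> tuple:
    """Classify what a middlebox did to the reply. Returns (status, human-readable detail)."""
    if not resp["edns"]:
        return ("no-edns", "OPT record missing: something in the path strips EDNS0, "
                           "so replies will fall back to 512 bytes")
    if resp["tc"]:
        return ("truncated", f"TC set on a {resp['length']}-byte reply although we advertised "
                             f"{advertised}: clients will retry over TCP, make sure 53/tcp is balanced too")
    return ("ok", f"{resp['length']}-byte EDNS reply delivered intact (server buffer {resp['udp_size']})")


def build_response(query: bytes, txt: bytes, udp_size=None, tc: bool = False) -> bytes:
    """Constructed test reply (example-only helper): echoes the question, adds one TXT answer,
    and optionally an OPT RR. udp_size=None simulates a path that stripped EDNS0."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:_skip_name(query, 12) + 4]
    rflags = 0x8180 | (0x0200 if tc else 0)                     # QR, RD, RA (+TC)
    chunks = b"".join(bytes([len(txt[i:i + 255])]) + txt[i:i + 255] for i in range(0, len(txt), 255))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TXT_TYPE, 1, 60, len(chunks)) + chunks
    opt = b"" if udp_size is None else b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 1 if opt else 0)
    return header + question + answer + opt


def query_server(server: str, qname: str = QNAME, timeout: float = 3.0) -> dict:
    """Send the EDNS0 query to a real VIP over UDP and parse the reply (network; not run offline)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    return parse_response(data)


if __name__ == "__main__":
    q = build_query()
    # Three constructed replies: intact, EDNS stripped by the path, truncated by the path.
    for label, reply in (("intact", build_response(q, b"x" * 1500, udp_size=4096)),
                         ("stripped", build_response(q, b"x" * 400)),
                         ("truncated", build_response(q, b"x" * 100, udp_size=4096, tc=True))):
        print(label, assess(parse_response(reply)))
```

Point it at the VIP (query_server("192.0.2.1")) and then at a real directly; if the VIP path reports "no-edns" or "truncated" while the real reports "ok", the ACE (or a NAT/fixup in front of it) is mangling replies, which is exactly what the DNS-OARC test checks from the outside.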