Greetings! On Thu, 13 Mar 2003 17:26:21 +0100 Andrew Miehs <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 13, 2003 at 04:47:47PM +0100, Volker Tanger wrote:
> > For incoming the firewalls simply use DNS Round-Robin on the FW
> > members which have to be listed as primary/master servers for the
> > domain in question. This way you are independent of network
> > mechanics.
>
> If you use round robin DNS, you will have the problem that 50% of your
> traffic will disappear when provider 1 goes down. Yes, you could try
> and fix this with changing TTLs, but it's messy, and browsers, and other
> DNS servers which are not in your control, may cache things, even
> though they shouldn't.

Yes, but it is not the run-of-the-mill DNS round-robin as you might know
it. In the root DNS servers both servers (i.e. via the two provider lines)
are listed as equal masters. So if one line goes down, the remaining DNS
server can still be queried, which of course lists only the IP addresses
of the working line. As the DNS sits on the FW cluster, the FW tweaks its
DNS round-robin according to current line availability and capacity.

But yes, you are right: DNS caches, usually a good thing, will render that
failover mechanism useless. So basically "only" the ones with advanced
infrastructure (esp. big business customers) will suffer failures.

Bye

Volker Tanger
IT-Security Consulting
--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
Telefon (030) 6104-3307
Telefax (030) 6104-3435
[EMAIL PROTECTED]
http://www.discon.de/
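The mechanism Volker describes, and the cache caveat both posters agree on, as an added simulation that is not code from the original thread or from discon: two provider lines, an authoritative name server reachable over each line, each server answering the www record only with the addresses of lines that are currently up. The line names, the two addresses (RFC 5737 documentation ranges), the 300-second TTL and the outage timing are all constructed for this example. A resolver with an empty cache walks the NS list and ends up on the surviving server, while a resolver that cached the answer before the outage keeps handing out the dead address until its TTL runs out.

```python
"""Simulation of the two-master DNS failover scheme from the thread.

Constructed example: line A carries 192.0.2.10, line B carries
198.51.100.10 (RFC 5737 documentation addresses); the firewall cluster
runs one authoritative name server per line.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Line:
    """One provider line; the firewall has one public address on it."""
    name: str
    ip: str
    up: bool = True


@dataclass
class FirewallCluster:
    """Authoritative DNS on the firewall cluster.  The server on a line is
    reachable only while that line is up, and every server answers the www
    record with the addresses of the lines that are currently up."""
    lines: List[Line]

    def ns_answer(self, ns_line: Line) -> Optional[List[str]]:
        if not ns_line.up:
            return None  # query times out: this server sits behind a dead line
        return [line.ip for line in self.lines if line.up]


def resolve_uncached(cluster: FirewallCluster) -> List[str]:
    """A resolver with nothing cached tries the name servers delegated in
    the parent zone (both listed as equal masters) until one answers."""
    for ns_line in cluster.lines:
        answer = cluster.ns_answer(ns_line)
        if answer is not None:
            return answer
    return []  # every line is down: nobody can answer


class CachingResolver:
    """A recursive resolver that honours the TTL of the answer it received."""

    def __init__(self, cluster: FirewallCluster, ttl: int) -> None:
        self.cluster = cluster
        self.ttl = ttl
        self._cached: Optional[Tuple[List[str], int]] = None  # (answer, expiry)

    def resolve(self, now: int) -> List[str]:
        if self._cached is not None and now < self._cached[1]:
            return self._cached[0]  # within TTL: no query leaves the cache
        answer = resolve_uncached(self.cluster)
        self._cached = (answer, now + self.ttl)
        return answer


def failover_timeline(ttl: int = 300, outage_at: int = 60) -> Dict[str, List[str]]:
    """Constructed scenario: a resolver caches the answer at t=0, line A dies
    at `outage_at`.  Returns what cache-less and caching clients see."""
    line_a = Line("provider-A", "192.0.2.10")
    line_b = Line("provider-B", "198.51.100.10")
    cluster = FirewallCluster([line_a, line_b])
    cache = CachingResolver(cluster, ttl)

    before = cache.resolve(now=0)  # both addresses, cached until t=ttl
    line_a.up = False              # provider A goes down
    return {
        "before_outage": before,
        "fresh_after_outage": resolve_uncached(cluster),
        "cached_during_ttl": cache.resolve(now=outage_at),
        "cached_after_ttl": cache.resolve(now=ttl + 1),
    }


if __name__ == "__main__":
    for label, ips in failover_timeline().items():
        print(f"{label:>20}: {ips}")
```

The `cached_during_ttl` entry is the failure mode the thread is about: until the cached record expires, a caching resolver never asks the surviving server again, so half of the clients behind it keep trying the dead address. Lowering the TTL shrinks that window but, as Andrew notes, only for caches that actually honour it.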