Hi there, I'm wondering whether there is a way to scale DNS service using OpenBSD's CARP and the load-balancing/pool features of pf? How about hoststated(8)? (As far as I know, hoststated(8) doesn't support UDP right now.)
Here is the lab setup I tried, but I ran into problems:

1) Set up two OpenBSD 4.1 servers with two CARP groups and pfsync, as written in the OpenBSD FAQ/manuals.

2) Each CARP group holds its public DNS IP address (clients use these IPs as nameservers).

3) On each server, the first DNS IP is x.x.x.1 and it is bound to carp0, and the second DNS IP is x.x.x.2 and it is bound to carp1.

4) As this is a common active-active failover scenario, each server is the CARP master for a single DNS IP (of course, it is also a backup for the other DNS IP).

5) I create /etc/dns_pool, which contains the IP addresses of the backend DNS servers located on the same LAN as these two CARP boxes (the LAN firewall denies direct access from clients to these backend servers):

    x.x.x.3
    x.x.x.4
    x.x.x.5
    x.x.x.6
    ... etc

6) Then I build and enable the following pf.conf (note the usage of /etc/dns_pool):

    set skip on lo
    scrub in no-df

    table <dns_pool> persist file "/etc/dns_pool"

    rdr pass on trunk0 proto { tcp udp } to { (carp0) \
        (carp1) } port 53 -> <dns_pool> port 53 round-robin

    block in quick inet6
    pass out quick
    pass quick on trunk0 proto carp
    pass quick on fxp2 proto pfsync
    pass in quick on trunk0 inet proto tcp to (trunk0) \
        port 22
    block in quick

7) As you can see, I use trunk(4) (in failover mode); it works well.

8) Now, when I try to use a client (with the public DNS IPs as nameservers), I get the following:

    # host www.cnn.com
    ;; reply from unexpected source: x.x.x.3#53, expected x.x.x.1#53
    ;; reply from unexpected source: x.x.x.3#53, expected x.x.x.1#53
    ;; reply from unexpected source: x.x.x.5#53, expected x.x.x.2#53
    ;; connection timed out; no servers could be reached

It is clear now that the client-side DNS resolver inspects the DNS reply packet payload (which originates from one of the backend servers) _and_ compares it with the packet src IP (it is the public DNS IPs due to the "rdr" translation).

So please, any suggestions on how to make DNS load balancing on OpenBSD work?
It would be great if this can be done with hoststated, so I would have enough arguments to choose OpenBSD over Cisco CSM (which is currently being considered for this task). Thanks for any suggestion!

Reje
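Added example, not part of the post above: a small Python model of the acceptance check a stub resolver applies to a UDP answer, which is what produced the "reply from unexpected source" lines. The resolver compares the datagram's UDP source address and port with the address the query was sent to, and only then looks at the transaction ID and the question section; an answer that reaches the client directly from a backend's own address fails on the first test, whatever its payload says. That test exists to resist forged answers from off-path hosts, so it is not something to relax on the client side; the answer has to travel back through the pf state that performed the rdr so that its source is translated back to the CARP address. Addresses in the code are constructed (192.0.2.0/24 stands in for the poster's x.x.x.0 network), and the functions are mine, not pf's or BIND's.

```python
import struct

# Constructed addresses: 192.0.2.0/24 (documentation range) stands in for the
# poster's x.x.x.0 network. .1 is a CARP DNS IP, .3 is a backend from dns_pool.
VIP1 = ("192.0.2.1", 53)
BACKEND3 = ("192.0.2.3", 53)


def build_query(txid, qname, qtype=1):
    """Encode a minimal DNS query: 12-byte header + one question (class IN)."""
    flags = 0x0100                                   # RD (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def build_reply(query, txid=None):
    """Build an empty NOERROR reply echoing the question; optionally force a txid."""
    qid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    rid = qid if txid is None else txid
    header = struct.pack("!HHHHHH", rid, 0x8180, qdcount, 0, 0, 0)  # QR|RD|RA
    return header + query[12:]


def check_reply(sent_to, sent_txid, sent_question, reply_from, reply):
    """
    Model of the stub-resolver acceptance check for a UDP answer.
    Returns "accepted" or a string describing why the datagram is dropped.
    The order matches what the poster saw: the source check fires first,
    before the transaction ID or the question section are even looked at.
    """
    if reply_from != sent_to:
        return ("reply from unexpected source: %s#%d, expected %s#%d"
                % (reply_from[0], reply_from[1], sent_to[0], sent_to[1]))
    if len(reply) < 12:
        return "malformed: short header"
    rid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if rid != sent_txid:
        return "ID mismatch: expected %d, got %d" % (sent_txid, rid)
    if not flags & 0x8000:
        return "not a response (QR bit clear)"
    if qdcount != 1 or reply[12:12 + len(sent_question)] != sent_question:
        return "question section does not match"
    return "accepted"


def demo():
    """Run the three cases that matter here; returns {case: verdict}."""
    txid = 0x1234
    query = build_query(txid, "www.cnn.com")
    question = query[12:]
    return {
        # answer came back through the rdr state, source rewritten to the VIP
        "via_vip": check_reply(VIP1, txid, question, VIP1, build_reply(query)),
        # answer arrived straight from the backend, as in the poster's trace
        "direct_from_backend": check_reply(VIP1, txid, question, BACKEND3,
                                           build_reply(query)),
        # correct source but wrong transaction ID (e.g. a forged answer)
        "wrong_txid": check_reply(VIP1, txid, question, VIP1,
                                  build_reply(query, txid=0x4321)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-20s %s" % (case, verdict))
```

Running it prints "accepted" only for the answer whose source is the CARP address; the direct-from-backend case reproduces the poster's error text with the constructed addresses.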