Re: AW: DNS Server Cluster

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: AW: DNS Server Cluster
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Tue, 28 Nov 2006 07:04:55 -0800 (PST)
On Tue, 28 Nov 2006, Simon Pearce wrote:

Do you think using fwmarks would be a better approach to the problem?

Having 250 IPs shouldn't be a problem. If it is, then it would be nice to figure it out. So you would go to fwmark if

o there was a problem with 250 IPs which was bypassed by using fwmark

o you found it easier to manage 250 IPs with a single fwmark (which I think is likely to be true).

How would I go about setting up fwmarks? If I understand you right, all I
need to do is make sure all traffic for the DNS IPs hits the firewall;
the firewall marks the packet according to its destination.

destination being VIP:53 UDP and TCP (you'll need 500 rules, unless the IPs are in blocks).

So I don't need to set up any VIPs on the director?

It would be nice if this were true. We could in principle do this, but it hasn't been implemented. read

For my education, why do you need a DNS server with 250 IPs?

Because quite a few of our customers require their own DNS servers with
their own IP address. A lot of them don't really need it, as you quite
rightly suggest, but it looks good to them anyway :)

good to know how the real world operates :-(

Do you have a large iptables rule set that might be slowing things down?
iptables scales with O(n^2); still 250 IPs doesn't seem a lot of IPs.

No, this is the output of iptables -L:

lvs01 ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --       anywhere
ACCEPT     all  --  anywhere   

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

All I really use is IP masquerading so that my realservers can access
the net to receive updates; everything else is left open.

this isn't part of your problem, but for security, it would be better to only allow the ports necessary to/from your realservers.


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at
Homepage It's GNU/Linux!

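The two points Joseph makes above, marking VIP:53 UDP and TCP with a single fwmark (two rules per block instead of 500 per-address rules) and tightening the FORWARD chain to only the ports the realservers need, as an added example script that is not part of the thread or of the LVS project. The script only prints the iptables and ipvsadm commands so they can be reviewed before being applied; the fwmark value, the VIP block, the realserver addresses and the outbound update ports are assumed placeholder values. As the reply above notes, the VIP addresses themselves still have to be configured on the director; the fwmark only replaces the per-VIP virtual service definitions in ipvsadm.

```shell
#!/bin/sh
# Added example: generate fwmark and forwarding rules for a DNS LVS cluster.
# Nothing is applied; pipe the output to sh as root after review.

DNS_MARK=53                         # assumed fwmark value for the DNS service
DNS_VIP_BLOCK="192.0.2.0/24"        # constructed: one block holding all DNS VIPs
REALSERVERS="10.0.0.11 10.0.0.12"   # constructed realserver addresses
RS_NET="10.0.0.0/24"                # constructed realserver network
UPDATE_PORTS="80 443"               # assumed ports the realservers use for updates

count_lines() { wc -l | tr -d ' '; }

# Mark DNS traffic for the whole VIP block: two rules (UDP and TCP) cover
# every VIP, instead of one rule per address and protocol.
dns_mark_rules() {
  for proto in udp tcp; do
    echo "iptables -t mangle -A PREROUTING -d $DNS_VIP_BLOCK -p $proto --dport 53 -j MARK --set-mark $DNS_MARK"
  done
}

# Per-address variant for VIPs that are not in a contiguous block.
# Reads one VIP per line on stdin and emits two rules per VIP.
dns_mark_rules_per_vip() {
  while read -r vip; do
    [ -n "$vip" ] || continue
    for proto in udp tcp; do
      echo "iptables -t mangle -A PREROUTING -d $vip -p $proto --dport 53 -j MARK --set-mark $DNS_MARK"
    done
  done
}

# One virtual service keyed on the fwmark (-f) instead of 250 VIP:port
# services; realservers are added with LVS-NAT (-m) to match the
# masquerading setup described in the thread.
ipvs_rules() {
  echo "ipvsadm -A -f $DNS_MARK -s rr"
  for rs in $REALSERVERS; do
    echo "ipvsadm -a -f $DNS_MARK -r $rs -m"
  done
}

# Tightened FORWARD chain: keep the DROP policy, accept replies to existing
# connections, allow new DNS connections towards the realservers, and allow
# the realservers out only on their update ports, rather than ACCEPT all.
forward_rules() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for proto in udp tcp; do
    echo "iptables -A FORWARD -d $RS_NET -p $proto --dport 53 -m state --state NEW -j ACCEPT"
  done
  for port in $UPDATE_PORTS; do
    echo "iptables -A FORWARD -s $RS_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
  done
  # Masquerade the realservers' own outbound traffic (assumed outside interface eth0).
  echo "iptables -t nat -A POSTROUTING -s $RS_NET -o eth0 -j MASQUERADE"
}

# Print the complete rule set when run as a script.
dns_mark_rules
ipvs_rules
forward_rules
```

Run the script and inspect the output; for VIPs that do not fall into a block, feed a list of addresses to `dns_mark_rules_per_vip` instead of `dns_mark_rules`. With 250 scattered VIPs that variant emits the 500 rules mentioned above, which is the case where a single block, or a smaller number of blocks, pays off.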