On Tue, 28 Nov 2006, Simon Pearce wrote:
 
> Do you think using fwmarks would be a better approach to the problem?
 
Having 250 IPs shouldn't be a problem. If it is, then it 
would be nice to figure it out. So you would go to fwmark if 
o there was a problem with 250 IPs which was bypassed by 
using fwmark 
o you found it easier to manage 250 IPs with a single fwmark 
(which I think is likely to be true). 
 
> How would I go about setting up fwmarks? If I understand you right, all I
> need to do is make sure all traffic for the DNS IPs hits the firewall, and
> the firewall marks the packet according to its destination.
 
destination being VIP:53 UDP and TCP (you'll need 500 rules, 
unless the IPs are in blocks). 
 
> So I don't need to set up any VIPs on the director?
 
It would be nice if this were true. We could in principle do 
this, but it hasn't been implemented. read 
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.routing_to_VIP-less_director.html
 
>> For my education, why do you need a DNS server with 250 IPs?
> Because quite a few of our customers require their own DNS servers with
> their own IP address. A lot of them don't really need it, as you quite
> rightly suggest, but it looks good to them anyway :)
 
good to know how the real world operates :-(
 
>> Do you have a large iptables rule set that might be slowing things down?
>> iptables scales with O(n^2); still, 250 IPs doesn't seem a lot of IPs.
> No, this is the output of iptables -L:
> lvs01 ~ # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.1.0/24       anywhere
> ACCEPT     all  --  anywhere             192.168.1.0/24
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> All I really use is IP masquerading so that my realservers can access
> the net to receive updates; everything else is left open.
 
this isn't part of your problem, but for security, it would 
be better to only allow the ports necessary to/from your 
realservers. 
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
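Added example, not part of the thread above: a small rule generator that puts Joe's two points into concrete commands. It builds the mangle-table MARK rules for DNS (UDP and TCP port 53) to every VIP, one ipvsadm virtual service keyed on that fwmark with the realservers behind it, and a FORWARD chain that only passes what the realservers need instead of everything to/from 192.168.1.0/24. The VIPs, realservers, fwmark value and the use of direct routing (-g) are assumptions for illustration; the 192.168.1.0/24 realserver net is taken from the iptables output in the post. By default it only prints the commands; APPLY=1 pipes them to a root shell.

```shell
#!/bin/sh
# Added example (not from the original post): generate the fwmark-based
# LVS rules Joe describes and a tightened FORWARD chain.
# All addresses except 192.168.1.0/24 are constructed for illustration.

FWMARK=1
# Stand-in for the customer VIPs; the real list would be the 250 addresses
# (or a CIDR block, if they happen to be contiguous).
VIPS="203.0.113.10 203.0.113.11 203.0.113.12"
# Stand-in realservers (the actual DNS servers) on the private net.
REALSERVERS="192.168.1.10 192.168.1.11"
RS_NET="192.168.1.0/24"

# One MARK rule per VIP per protocol. DNS is both UDP/53 and TCP/53, so
# N VIPs cost 2*N mangle rules (the "500 rules" for 250 VIPs).
mark_rules() {
    for vip in $VIPS; do
        for proto in udp tcp; do
            echo "iptables -t mangle -A PREROUTING -d $vip -p $proto --dport 53 -j MARK --set-mark $FWMARK"
        done
    done
}

# If the VIPs form a block, the same marking collapses to two rules.
mark_rules_block() {
    block=$1
    for proto in udp tcp; do
        echo "iptables -t mangle -A PREROUTING -d $block -p $proto --dport 53 -j MARK --set-mark $FWMARK"
    done
}

# A single virtual service keyed on the mark, plus one entry per
# realserver. -g is direct routing (an assumption here); with LVS-DR the
# realservers still need the VIPs on a non-ARPing interface such as lo.
ipvs_rules() {
    echo "ipvsadm -A -f $FWMARK -s rr"
    for rs in $REALSERVERS; do
        echo "ipvsadm -a -f $FWMARK -r $rs -g"
    done
}

# Joe's security point: keep FORWARD at DROP and permit only what the
# realservers need (here: outbound updates on 80/443 and DNS lookups)
# plus the replies to those connections, instead of everything.
forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in 80 443; do
        echo "iptables -A FORWARD -s $RS_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -s $RS_NET -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -s $RS_NET -p tcp --dport 53 -j ACCEPT"
}

generate_all() {
    mark_rules
    ipvs_rules
    forward_rules
}

# Print the commands by default; APPLY=1 pipes them into a root shell.
if [ "${APPLY:-0}" = 1 ]; then
    generate_all | sh
else
    generate_all
fi
```

Note that the MARK rules live in the mangle table, so they do not show up in the plain `iptables -L` output quoted above; check them with `iptables -t mangle -L PREROUTING -n` and the resulting service with `ipvsadm -L -n`, where it appears as `FWM 1` rather than as an address:port.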