
DNS Load Balancing?


shadedecho (Programmer, US), Oct 4, 2002:
I'm being told by my registrar that I am not allowed to have 2 different nameserver names (ns.mydomain.com and ns2.mydomain.com) pointing to the same IP address. Now, to be fair, I understand the rationale behind this as a general default protection, because usually, it's not good to have a single point of failure in the DNS system.

However, I have set up a Load Balancer server, which has one external IP address, and which accepts incoming DNS requests (port 53) and doles them out to a number of internal DNS servers.

Load balancing is a very standard thing in enterprise network architecture these days, and I just can't believe that the registry systems have no way of accommodating businesses who want to point multiple nameserver names at the same load balancer.

It is not currently an option for me to simply assign another external IP address to the load balancer, as my ISP account has no more in it to give out.

Moreover, it seems to me that I should be able to just temporarily (for 36-72 hours) give one of the two nameservers a bogus IP address, different from the valid one, so that I can put it into the registrar's system, and then once that's in there, since I manage the DNS, shouldn't I just be able to change the A record for that bogus nameserver IP back to the correct valid one, same as the other nameserver A record?

Since my DNS holds SOA over the domain, and the nameserver *names* are simply subdomains of the SOA domain I hold, shouldn't I be able to just change the A record, re-propagate, and that would set the IPs to the same if I want and thus get around my registrar's restrictions? I have trouble believing this is what companies in my situation do to accommodate load balancing, but I am trying to figure out if there are any gotchas in my plan?

Anyone shed some light on this peculiar and surprising situation?
 
As you have said, "it's not good to have a single point of failure in the DNS system." ICANN requires registrars to have two or more unique DNS servers for a domain (zone). All you have to do is find a free DNS service and sign up for an account. Then list their DNS server as the second (failover) IP address. You could use and the only time that server will be used is if the first server is unavailable. So your load-balancing DNS server will still function as expected.
 
I know the DNS theory is that the first nameserver is checked always, and the second only gets checked if the first is unresponsive...

But I have noticed that it seems a bit sketchy and undefined as to which of the two "primary nameservers" will be checked first in various situations. For instance, I have had some email-related issues in the past where some mail servers (for spam-checking purposes) were checking one and some were checking another, and there were some records in one not in the other, which caused some email to bounce and some not to. It even seemed that from the same ISP sometimes its mail server checked the first one and sometimes the second one.

So, this has led me to believe that to be comfortable and safe, the two primary nameservers have to both have identical information. Therefore, just listing a bogus ZoneEdit DNS account/IP, with no plan to populate it with valid data, is not viable.

Obviously, I do not want to actually manage two sets of DNS information, so my only other option I think is to find a place where I can have a slave DNS server simply caching the authoritative info from the main dns-cluster.

ZoneEdit seems to only give free domain management for the first 5 domains, and under certain bandwidth usage limits, and it appears they do not offer DNS mirroring/slave. All in all, this is not a scalable solution for me for multiple reasons as discussed.

I just think it's a really ignorant policy for the registrar or ICANN or whoever to put in place that says there must be different IPs, when in fact, as is commonly known, I could simply have two IPs on the same box and get around their restriction and be no safer than if the restriction didn't exist.

It's a PITA to have a restriction like this and have it furthermore not even make any sense in today's world of load balancing, virtual IPs, etc. etc. etc. I just can't believe I'm the first person they've ever had want something like this. Blows my mind.
 
I did not say to use a "bogus ZoneEdit dns account/ip, with no plan to populate it with valid data, is not viable". ZoneEdit does offer a secondary or slave service. Here is a link. ZoneEdit is an inexpensive DNS provider.

"I just think it's a really ignorant policy for the registrar or ICANN or whoever to put in place that says there must be different IP's, when in fact, as is commonly known, I could simply have two IP's on the same box and get around their restriction and be no more safe than if the restriction didn't exist."

Actually, ICANN tries to check to see if the IPs are from different network connections based upon IP assignment. This would not stop you from getting a second internet connection and still having DNS resolving from one machine. They are looking at the bigger picture, as in the internet as a whole needs to be reliable. If you think about it, the internet would be almost useless without the DNS system, so you need that system to be as reliable as possible.

There is more than one way to skin a cat. Some of them are harder than others, but they all get the job done.
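The reply above describes the kind of check a registrar applies to a proposed nameserver set: at least two servers, on addresses from different networks. The script below is an added example, not code from this thread or from any registrar; it approximates that policy (two or more servers, public addresses only, no shared address, and no two addresses inside the same /24 for IPv4 or /48 for IPv6 as a stand-in for "different network connections") and runs it against constructed delegations matching the configurations discussed in the thread. The domain names, addresses and prefix lengths are assumptions.

```python
"""Check a proposed nameserver set the way a strict registrar might.

Added example, not code from the Tek-Tips thread. The rules below are an
assumed approximation of the policy the thread argues about: at least two
nameservers, all on public addresses, no shared address, and no two in the
same /24 (IPv4) or /48 (IPv6), which is how "different network connections"
is approximated here. All names and addresses are constructed.
"""
import ipaddress
from typing import Iterable, List, NamedTuple


class Nameserver(NamedTuple):
    name: str   # host name as listed at the registry, e.g. ns.mydomain.com
    ip: str     # glue address the registry would publish for it


# Ranges a public nameserver must not live in (partial list built for this
# example: RFC 1918, loopback, link-local, multicast and reserved blocks).
# Documentation ranges such as 203.0.113.0/24 are deliberately allowed so the
# sample data below can use them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_public(addr) -> bool:
    """True unless the address falls in one of the NON_ROUTABLE blocks."""
    return not any(addr in net for net in NON_ROUTABLE)


def containing_network(addr, v4_prefix=24, v6_prefix=48):
    """Prefix used as the assumed stand-in for 'same network connection'."""
    plen = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def check_delegation(nameservers: Iterable[Nameserver], min_count: int = 2) -> List[str]:
    """Return the list of policy violations for the NS set (empty means it passes)."""
    servers = list(nameservers)
    problems: List[str] = []

    if len(servers) < min_count:
        problems.append(f"only {len(servers)} nameserver(s) listed, {min_count} required")

    by_addr = {}   # address -> names of the servers using it
    for ns in servers:
        try:
            addr = ipaddress.ip_address(ns.ip)
        except ValueError:
            problems.append(f"{ns.name}: {ns.ip!r} is not a valid IP address")
            continue
        if not is_public(addr):
            problems.append(f"{ns.name}: {addr} is not a public address")
        by_addr.setdefault(addr, []).append(ns.name)

    # Two names on one address: the configuration the original poster set up.
    for addr, names in by_addr.items():
        if len(names) > 1:
            problems.append(f"{' and '.join(names)} share address {addr}")

    # Two addresses in the same prefix: the "two IPs on the same box" workaround.
    by_net = {}
    for addr in by_addr:
        by_net.setdefault(containing_network(addr), []).append(addr)
    for net, addrs in by_net.items():
        if len(addrs) > 1:
            problems.append(
                f"{', '.join(map(str, addrs))} are all in {net}: no network diversity")

    return problems


# Constructed delegations matching the configurations described in the thread.
SAME_IP = [Nameserver("ns.mydomain.com", "203.0.113.10"),
           Nameserver("ns2.mydomain.com", "203.0.113.10")]
PRIVATE_SECONDARY = [Nameserver("ns1.example.net", "203.0.113.10"),
                     Nameserver("ns2.example.net", "192.168.0.1")]
SAME_SUBNET = [Nameserver("ns1.example.net", "203.0.113.10"),
               Nameserver("ns2.example.net", "203.0.113.11")]
DIVERSE = [Nameserver("ns1.example.net", "203.0.113.10"),
           Nameserver("ns2.example.net", "198.51.100.20")]

if __name__ == "__main__":
    for label, delegation in [("same IP", SAME_IP), ("private secondary", PRIVATE_SECONDARY),
                              ("same /24", SAME_SUBNET), ("diverse", DIVERSE)]:
        print(f"{label}: {check_delegation(delegation) or 'OK'}")
```

Only the last delegation passes. Note that the check operates on the glue addresses handed to the registry, so the trick of registering a bogus address and later changing the A record inside your own zone (as proposed earlier in the thread) would pass this check while leaving the published glue wrong; a registrar that re-validates glue, or a resolver that prefers the parent-side glue, would still see the bogus address.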
 
as an update... my suspicion was confirmed, in that I now have a fully functioning domain which has both name servers (as listed at the registry root servers) pointing to the same IP address. No problems reported, and all tests pass on "dnsreport.com" (except of course the single-point-of-failure tests they recently added).

so, to demystify things... the root servers, ICANN, etc.. they do NOT prevent two name servers from sharing an IP. They may very well frown on it, but they allow it.

It was just my registrar who was causing me frustrations in getting that configuration set up. They claimed, as did you, that the registry wouldn't allow it, but in fact, it's just a recommendation, not a rule, and even if so, it's obviously not enforced.
 
Here is a scenario for you, that single wire going into your building from that single ISP goes down. You have now knocked out all of your public DNS servers.

Now consider this: during that downtime someone tries to send you an e-mail, let's assume a NEW customer. What do you think will happen? It will bounce as an invalid domain because the DNS lookup will fail, as your DNS info is not cached (since they are a NEW customer).

However, if you had a secondary zone on a different subnet, or a free zone (i.e. ZoneEdit), then at least your domain will continue to resolve, even if all the servers are inaccessible. From an e-mail perspective the sending mail server will attempt to resend for a period of time (usually 24-48 hours) before giving up.

It's just a matter of your network priorities. These are the type of factors that ICANN takes into consideration.
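The off-site secondary zone described in the reply above, as an added example that is not part of the original post: BIND 9 `named.conf` fragments for the primary (the load-balanced cluster) and a secondary on a different network, with zone transfers authenticated by a TSIG key rather than by source address alone. The addresses 203.0.113.10 and 198.51.100.20, the file paths, the key name and the key secret are placeholders; generate the real secret with `tsig-keygen` and use the same one on both servers.

```conf
// --- named.conf fragment on the PRIMARY (load-balanced cluster, 203.0.113.10) ---
// Constructed example; addresses, paths and the key secret are placeholders.

key "xfer-key" {
    algorithm hmac-sha256;
    // placeholder: base64 of "example-key-replace-me"; use tsig-keygen output
    secret "ZXhhbXBsZS1rZXktcmVwbGFjZS1tZQ==";
};

options {
    directory "/var/named";
    recursion no;                       // authoritative only; do not recurse for the world
};

zone "mydomain.com" {
    type master;                        // "primary" in BIND 9.16+
    file "zones/mydomain.com.zone";
    allow-transfer { key xfer-key; };   // AXFR/IXFR only to a peer signing with the TSIG key
    also-notify    { 198.51.100.20; };  // push NOTIFY to the off-site secondary on every change
    notify yes;
};

// --- named.conf fragment on the SECONDARY (off-site, different network, 198.51.100.20) ---

key "xfer-key" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZS1rZXktcmVwbGFjZS1tZQ==";   // same placeholder; must match the primary
};

server 203.0.113.10 {
    keys { xfer-key; };                 // sign SOA refresh and transfer requests to the primary
};

options {
    directory "/var/named";
    recursion no;
};

zone "mydomain.com" {
    type slave;                         // "secondary" in BIND 9.16+
    file "slaves/mydomain.com.zone";    // named writes the transferred copy here
    masters { 203.0.113.10; };          // "primaries" in BIND 9.16+
    allow-transfer { none; };           // nobody pulls the zone from the secondary
};
```

Two things make this actually solve the inconsistency problem raised earlier in the thread. First, the secondary only re-transfers when the SOA serial on the primary increases, so every edit to the zone must bump the serial, or the two servers will serve different data exactly as described; `dig @198.51.100.20 mydomain.com SOA +norecurse` against each server is the quick way to confirm the serials match. Second, the secondary's host name must appear both in the zone's own NS records and in the nameserver list at the registrar; resolvers do not reliably query the first listed nameserver, they pick among all of them, so every listed server has to be authoritative and in sync.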
 
like I said, I perfectly understand the single point of failure risks... and I do not intend to keep this situation like this forever. Yes, ideally, it would be nice to have an offsite backup/slave DNS just in case something like that happens, but at the moment, it's not possible. What is possible is to at least take care of what may happen if I get a LOT of DNS traffic on this domain, as I am expecting, and try to handle the overload smartly.

Moreover, to me, the fact that servers can so easily have multiple IPs means that allowing two different IPs on the same subnet is no different from allowing the same IP, as far as multiple NS records go, in terms of preventing a single point of failure. They both pose the same risk IMHO.

But for some reason, someone at my registrar made the decision that one case should be ok and the other not. This just seems to me to be kind of arbitrary. This is what my complaint is. That, and the fact that they blamed it on the registrar, when in fact it's just a policy they made as a result of their own judgement call on what's good and what's not.
 
Hi,
FYI...
I have registered a couple of domains and had the same issue -"Need TWO dns servers".

So I registered as follows

Primary DNS server - my home DNS server
Secondary DNS Server - 192.168.0.1

So the primary DNS is always queried. The secondary DNS is invalid, but no one at the registrar worried about this. No checks that the DNS servers are actually valid.

If the primary DNS goes down, ah well, it means everything fails. That's just something we have to live with.
 
Apparently, both of our techniques are "invalid", so really it's just a question of which "invalid" you are more comfortable with in a certain situation. :)
 