
How do I set up DNS with my Linkproof?

Document ID: 1000001 Published: 30/03/2006 10:31:32 a.m.

To provide inbound load balancing and redundancy, the Linkproof utilizes DNS resolution to control the flow of incoming traffic. This document is intended to give a step-by-step overview of configuring Linkproof with DNS. It assumes that you are familiar with configuring the Linkproof's interface addresses and Next Hop Routers (for further information on setting up the Linkproof, refer to the Linkproof User's Guide). It also assumes you have a working knowledge of DNS (for further information on DNS, refer to DNS and Bind published by O'Reilly & Associates).

Although the Linkproof has a built-in DNS agent, it is not a full DNS server. It cannot answer queries for NS records, CNAMEs, or MX records. Only A record requests that match URLs listed in the DNS > Name to Local IP table will receive a response.

1: Simple Setup - Single Linkproof with External SOA


A typical (simple) scenario might be the following: COMPANY.COM has one Internet link, ISP1. This ISP currently answers all requests for www.company.com. With the installation of a new Internet link, COMPANY adds a Linkproof. (For the examples we will use non-routeable addresses. An actual installation would require public, routeable addresses.)

The first step is to set up static nat addresses for the webserver. Since the Linkproof will be handling the public addresses, we'll use the following static nat settings:

| STATIC NAT | ROUTER | LOCAL SERVER |
|---|---|---|
| 192.168.1.100 | ISP1 | 172.16.1.100 |
| 10.1.1.100 | ISP2 | 172.16.1.100 |

(Linkproof > Global Configuration > Enable Smart Nat) (Linkproof > SmartNAT > Static NAT > Insert rows)

Next, we configure DNS to Local IP (Linkproof > DNS > Name to Local IP)

| URL | LOCAL IP ADDRESS |
|---|---|
| www.company.com | 172.16.1.100 |

Note: Use the internal address of the server, not the static nat addresses.

This alone is enough to allow the Linkproof to answer queries for www.company.com, and lookups directed to the interface address (i.e., 192.168.1.10 & 10.1.1.10) will return static nat addresses. However, since most of the world will be querying ISP1's DNS server, we will have to modify the zone file to get the requests to the Linkproof.

2: Modifying DNS on the External SOA


The original zone file for COMPANY.COM on ISP1's DNS server might look like Figure 2.1 (this is highly simplified):

To refer the A record resolution to the Linkproof, we make the following changes.

What this does is to delegate the final answer to the Linkproof. Initially the client queried the DNS server and received the IP. Now, the client queries the DNS server, who tells the client to ask the Linkproof at one of the ISP interface addresses. The client then queries the interface IP on the Linkproof, and is given the static nat address for www.company.com, choosing the best route to bring in the connection based on load balancing (or proximity).

Two NS records are used and returned to the client because the external DNS server will not know if either of the links is down. Providing both ISP interfaces for the Linkproof as A records is necessary to properly delegate the query. The SOA can be made to round robin the NS records it gives out, so that DNS queries are actively sent to each ISP.

Note: In Windows2000, adding an NS record is called "New Delegation."

The flow of queries is something like this:

Client (to ISP): Where is www.company.com?
ISP DNS: I don't know, ask Linkproof1.company.com or Linkproof2.company.com. (This is the delegation)
Client (to ISP): Where is linkproof1.company.com?
ISP DNS: 192.168.1.10
Client (to LP1): Where is www.company.com?
Linkproof1: 192.168.1.100

The same zone file would apply to multiple DNS servers, so that company.com can register ISP1's DNS server, as well as ISP2's DNS server as the SOA (thus eliminating an additional point of failure).

We do not recommend delegating your root-level domain name (company.com) as this could potentially cause clients to come to the Linkproof asking for MX records. It is advisable to use two static A records for the domain root, ensuring clients are able to connect via either link. It is possible (in some cases) to create a CNAME for the root domain to point to a subdomain (i.e., company.com -> www.company.com) and then delegate the subdomain, but doing this may limit the zone's ability to delegate other records (specifically MX records).

Adding a Redundant Linkproof

The addition of a backup Linkproof is simple and does not require much deviation from the above settings. Obviously, the static nat addresses that exist on the primary should be duplicated on the backup (but set in backup mode) as well as the DNS to Local IP table. This paper also assumes familiarity with redundancy setup in general. Here we focus on the changes in relation to DNS.

The main deviation from the first setup is the creation of a DNS Virtual IP. This is an additional, unique IP address on each ISP subnet. On the primary unit above, we will create the following entries (Linkproof > DNS > DNS Virtual IP)

On the backup unit, the same entries are made, but the mode is backup. The zone file above would simply reflect that LINKPROOF1 and LINKPROOF2 IP addresses are now .11 instead of .10 (See Figure 2.3)

Figure 2.3

    COMPANY.COM
    @           IN  SOA  ns.company.com
                IN  MX   mail
    WWW         IN  NS   linkproof1
    WWW         IN  NS   linkproof2
    MAIL        IN  NS   linkproof1
    MAIL        IN  NS   linkproof2
    LINKPROOF1  IN  A    192.168.1.11
    LINKPROOF2  IN  A    10.1.1.11
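The delegation rules from section 2 can be checked offline before a zone change goes live. The following is an added example, not part of the original document or of any Radware tooling: it lints a zone written in the simplified layout of Figure 2.3. The root A records in the sample are constructed from the static NAT addresses in section 1, and the /24 subnet size is an assumption.

```python
import ipaddress

# Figure 2.3's records with the owner "@" written out on the MX line, plus two
# root A records (constructed, using the static NAT addresses from section 1).
ZONE = """\
@           IN  SOA  ns.company.com
@           IN  MX   mail
@           IN  A    192.168.1.100
@           IN  A    10.1.1.100
www         IN  NS   linkproof1
www         IN  NS   linkproof2
mail        IN  NS   linkproof1
mail        IN  NS   linkproof2
linkproof1  IN  A    192.168.1.11
linkproof2  IN  A    10.1.1.11
"""

def parse(zone):
    """Return {owner: {rtype: [rdata, ...]}} from 'owner IN type rdata' lines."""
    records = {}
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1].upper() == "IN":
            owner, _, rtype, rdata = (f.lower() for f in fields)
            records.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    return records

def subnets(records, names, prefix):
    """Networks (assumed /prefix) covered by the A records of the given names."""
    return {ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            for n in names for a in records.get(n, {}).get("a", [])}

def lint(zone, prefix=24):
    """Check the delegation rules from the text; return a list of findings."""
    records, findings = parse(zone), []
    delegated = {o: r["ns"] for o, r in records.items() if "ns" in r and o != "@"}
    lp_names = {t for targets in delegated.values() for t in targets}
    if lp_names & set(records.get("@", {}).get("ns", [])):
        findings.append("@: root delegated to the Linkproof (it cannot answer MX)")
    if len(subnets(records, ["@"], prefix)) < 2:
        findings.append("@: fewer than two static A records on separate links")
    for owner, targets in delegated.items():
        for t in targets:
            if not records.get(t, {}).get("a"):
                findings.append(f"{owner}: NS target {t} has no A record")
        if len(subnets(records, targets, prefix)) < 2:
            findings.append(f"{owner}: NS targets do not cover two ISP subnets")
    return findings
```

An empty list from `lint(ZONE)` means every delegated name has two NS targets with A records on different links and the root is served by static A records rather than by the Linkproof.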

3: Complete Setup - Redundant Linkproofs with Multiple Internal SOAs


Now let's suppose Company.com wants to add a second firewall and bring the SOA in-house. The firewalls themselves run DNS services, and DNS requests should be load balanced between them (this would also apply if the DNS servers were behind a DMZ). Figure 3.1 illustrates the layout of the network. For simplicity's sake, we will assume the firewalls answer DNS on a unique IP address (rather than their interface addresses), and NAT traffic from the internal LAN to a unique IP. In this way the Linkproof can differentiate outbound LAN traffic from inbound DNS (or web) requests. While it is possible that all traffic (in and out) can be natted to the firewall's interface address, such a setup will be covered separately.

| Name | Interface Addr | DNS Address | NAT address |
|---|---|---|---|
| FIREWALL-A | 172.168.1.30 | 172.168.1.40 | 172.168.1.50 |
| FIREWALL-B | 172.168.1.31 | 172.168.1.41 | 172.168.1.51 |

The first step is to create a Virtual IP rather than the static NATs covered in the first example. Under Linkproof > Virtual IP we define a single, private IP (172.168.1.100) which is mapped to the DNS addresses on each firewall (172.168.1.40 and 172.168.1.41). We can then create a Static NAT address for each ISP subnet, and use the Virtual IP as the local server (Linkproof > Smart NAT > Static NAT). These two static NAT entries will be registered as the SOA nameservers with Network Solutions.

Note: If using internal DNS servers, be aware of changes needed to proximity parameters on the Linkproof. Since an internal DNS server will query the Linkproof for the A record, we need to tell the Linkproof to ignore proximity calculations to these servers (otherwise it will calculate proximity for the internal subnet).

When DNS requests from the internet enter the static nat addresses, they are load balanced between the two firewalls (using the same algorithm that is used for NHR load balancing). Each firewall is configured with a zone file similar to the first example, so that the handling of the A record (the final, destination IP) is referred to the Linkproof's interface (or Virtual DNS Address).
