topic Re: ISP redundancy and DNS records for Web Servers in DMZ in Firewall and Security Management

ISP redundancy and DNS records for Web Servers in DMZ

Thomas_Hennebe1 — Tue, 16 Feb 2021 15:50:25 GMT

Hello all,

I have a question regarding ISP redundancy and DNS records for Web Servers behind my firewall.

Lets say I have a R80.30 Cluster XL with one ISP. I have a reverse proxy in my dmz which services stuff like webmail and some webservers. Each service has a unique public IP which is resolvable via A record for my domain from my externally configured DNS Servers. DNS looks like follows:

mydomain.com. 1800 IN NS ns1.dnsprovider.com mydomain.com. 1800 IN NS ns2.dnsprovider.com webmail.mydomain.com 1800 IN A 1.1.1.1 (sorry cloudflare, this is just an example) webserver.mydomain.com 1800 IN A 1.1.1.2 (see above)

If I add a second ISP, how can I make sure that in case of failure of ISP 1 my web-services are still reachable? The documentation for ISP redundancy and DNS proxy is not clear to me.

Do I have to point my domains name servers to my two public ip addresses of my firewalls now so that the DNS proxy can resolve the correct external IP during failover (so change ns1.dnsprovider.com to the public external IP of my firewall)?

What happens for non-A-records? Do I have to configure the external DNS provider for the firewall to forward the traffic to?

Thanks for your help 😉

Re: ISP redundancy and DNS records for Web Servers in DMZ

Vladimir — Tue, 16 Feb 2021 18:23:33 GMT

This is typically done in/with your public DNS service provider if you host your primary zone with them.

If you host it locally, you can script it yourself.

You configure service probing to change the A record when it fails on the first target.

Re: ISP redundancy and DNS records for Web Servers in DMZ

Wolfgang — Tue, 16 Feb 2021 20:12:42 GMT

The solution with „DNS proxy“ for ISP redundancy does only work if you host your DNS internal. Queries from external for your DNS names are intercepted by the gateway and answered with an IP specified for every ISP.
How this is working can be found in „ISP Redundancy and DNS“ of Advanced configuration options for ISP Redundancy

We are using Azures TrafficManager for these type of connection. TrafficManager can do a probing via ping or HTTPS or other to different destinations and then answers with an available destination.

Have a look at Cheap DNS Failover with Azure Traffic Manager

Wolfgang

Re: ISP redundancy and DNS records for Web Servers in DMZ

Thomas_Eichelbu — Mon, 20 Sep 2021 09:02:04 GMT

Hello together ...

i know this feature DNS Proxy for a long time, at its really doing what it is expected to do ... so far so good.
but now i have a different usecase:

When VPN tunnels or even when VPN Clients are connecting over the external interfaces and if DNS Proxy is enabled ... all DNS request are answered by the Firwall as it should be ...

but in many cases i want the VPN clients to get a response from the internal DNS ... so a Split DNS behavior ...
but iam failing to achive this ...
when i configure a Split DNS its not working ... with Split DNS enabled the Checkpoint Mobile says the version is not compatible ... maybe thats a different story?

Question:
Is it possible to exclude IP ranges or VPN or perhapes special suffixes from DNS proxy ???
or if this is not possible at all.
Split DNS ... who got it to work?

best regards
Thomas.

Re: ISP redundancy and DNS records for Web Servers in DMZ

Qlisz — Fri, 22 Aug 2025 20:44:37 GMT

Hello,

I have the same problem.

Did You find any solution?

regards,

Leszek