Thomas_Hennebe1
Participant

ISP redundancy and DNS records for Web Servers in DMZ


Hello all,

I have a question regarding ISP redundancy and DNS records for Web Servers behind my firewall.

Let's say I have a R80.30 Cluster XL with one ISP. I have a reverse proxy in my DMZ which services stuff like webmail and some web servers. Each service has a unique public IP which is resolvable via A record for my domain from my externally configured DNS servers. DNS looks as follows:

mydomain.com. 1800 IN NS ns1.dnsprovider.com
mydomain.com. 1800 IN NS ns2.dnsprovider.com
webmail.mydomain.com 1800 IN A 1.1.1.1 (sorry cloudflare, this is just an example)
webserver.mydomain.com 1800 IN A 1.1.1.2 (see above)

If I add a second ISP, how can I make sure that in case of failure of ISP 1 my web services are still reachable? The documentation for ISP redundancy and DNS proxy is not clear to me.

Do I have to point my domain's name servers to the two public IP addresses of my firewalls now so that the DNS proxy can resolve the correct external IP during failover (so change ns1.dnsprovider.com to the public external IP of my firewall)?

What happens for non-A records? Do I have to configure the external DNS provider for the firewall to forward the traffic to?

Thanks for your help 😉


Accepted Solutions
Wolfgang
Mentor

The solution with "DNS proxy" for ISP redundancy only works if you host your DNS internally. Queries from external for your DNS names are intercepted by the gateway and answered with an IP specified for every ISP.
How this works is described in the "ISP Redundancy and DNS" section of Advanced configuration options for ISP Redundancy.

We are using Azure's Traffic Manager for this type of connection. Traffic Manager can probe via ping, HTTPS or other methods against different destinations and then answers with an available destination.

Have a look at Cheap DNS Failover with Azure Traffic Manager 

Wolfgang


3 Replies
Vladimir
Champion

This is typically done in/with your public DNS service provider if you host your primary zone with them.

If you host it locally, you can script it yourself.

You configure service probing to change the A record when it fails on the first target.

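An added example (not code from the thread or from Check Point) of the scripted approach Vladimir describes for a locally hosted zone: probe each ISP's public address for the service over HTTPS and emit an nsupdate stanza that moves the A record to the first healthy one. It assumes a BIND-style server accepting dynamic updates for mydomain.com; the ISP-2 address 203.0.113.10 is constructed, and the probe is pluggable so the decision logic can be exercised without network access.

```python
import socket
import ssl
from typing import Callable, List, Optional

# One public address per ISP for each service, in order of preference.
# 1.1.1.1 is the ISP-1 address from the thread; the ISP-2 address is constructed.
CANDIDATES = {
    "webmail.mydomain.com": ["1.1.1.1", "203.0.113.10"],
}
TTL = 60  # short TTL so resolvers notice a failover quickly (thread uses 1800)


def https_probe(ip: str, host: str, timeout: float = 3.0) -> bool:
    """True if a TLS handshake (SNI=host) and HTTP HEAD to `ip` return 2xx/3xx."""
    ctx = ssl.create_default_context()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request.encode("ascii"))
                status = tls.recv(64).decode("ascii", "replace")
        return status.startswith(("HTTP/1.1 2", "HTTP/1.1 3"))
    except (OSError, ssl.SSLError):
        return False


def select_address(host: str, candidates: List[str],
                   probe: Callable[[str, str], bool]) -> Optional[str]:
    """Return the first candidate that passes the probe, or None if all fail."""
    for ip in candidates:
        if probe(ip, host):
            return ip
    return None


def nsupdate_script(zone: str, host: str, ip: Optional[str], ttl: int = TTL) -> str:
    """Build the nsupdate stanza that points the A record at the healthy address.
    When no address is healthy, return an empty script: leaving the old record in
    place is safer than deleting it, since the probe itself may be what failed."""
    if ip is None:
        return ""
    return "\n".join([f"zone {zone}", f"update delete {host}. A",
                      f"update add {host}. {ttl} A {ip}", "send", ""])


if __name__ == "__main__":
    for host, ips in CANDIDATES.items():
        healthy = select_address(host, ips, https_probe)
        print(nsupdate_script("mydomain.com", host, healthy) or f"# {host}: no healthy address")
```

Pipe the printed stanza into `nsupdate -k <tsig-key-file>` from cron; the short TTL matters, because resolvers that cached the 1800-second record keep using the dead ISP until it expires.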

Thomas_Eichelbu
Advisor

Hello together ...

I know this feature DNS Proxy for a long time, and it's really doing what it is expected to do ... so far so good.
But now I have a different use case:

When VPN tunnels or even VPN clients are connecting over the external interfaces and DNS Proxy is enabled ... all DNS requests are answered by the firewall, as it should be ...

But in many cases I want the VPN clients to get a response from the internal DNS ... so a split DNS behavior ...
But I am failing to achieve this ...
When I configure split DNS it's not working ... with split DNS enabled the Check Point Mobile client says the version is not compatible ... maybe that's a different story?

Question:
Is it possible to exclude IP ranges or VPN or perhaps special suffixes from DNS proxy?
Or, if this is not possible at all:
Split DNS ... who got it to work?

best regards
Thomas.
