AW: DNS Server Cluster

Joseph Mack NA3T jmack at wm7d.net
Tue Nov 28 15:04:55 GMT 2006


On Tue, 28 Nov 2006, Simon Pearce wrote:

> Do you think using fwmarks would be a better approach to the problem?

Having 250 IPs shouldn't be a problem. If it is, then it 
would be nice to figure it out. So you would go to fwmark if

o there was a problem with 250 IPs which was bypassed by 
using fwmark

o you found it easier to manage 250 IPs with a single fwmark 
(which I think is likely to be true).

> How would I go about setting up fwmarks? If I understand you right, all I
> need to do is make sure all traffic for the DNS IPs hits the firewall;
> the firewall marks the packet according to its destination.

destination being VIP:53 UDP and TCP (you'll need 500 rules, 
unless the IPs are in blocks).

> So I don't need to set up any VIPs on the director?

It would be nice if this were true. We could in principle do 
this, but it hasn't been implemented. read

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.routing_to_VIP-less_director.html

> For my education, why do you need a DNS server with 250 IPs?
>
> Because quite a few of our customers require their own DNS servers with
> their own IP address. A lot of them don't really need it, as you quite
> rightly suggest, but it looks good to them anyway :)

good to know how the real world operates :-(

> Do you have a large iptables rule set that might be slowing things down?
> iptables scales with O(n^2); still 250 IPs doesn't seem a lot of IPs.
>
> No this is the output of iptables -L
>
> lvs01 ~ # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.1.0/24       anywhere
> ACCEPT     all  --  anywhere             192.168.1.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> All I really use is IP masquerading so that my realservers can access
> the net to receive updates; everything else is left open.

this isn't part of your problem, but for security, it would 
be better to only allow the ports necessary to/from your 
realservers.

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
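An added example (not from the thread or the LVS project) covering the two points Joe raises: marking DNS traffic for a block of VIPs with one fwmark so the director needs a single fwmark virtual service rather than one service per VIP:53, and tightening the FORWARD chain to only the ports the realservers need. The VIP block 192.0.2.0/24, mark value 1, interface eth0, realserver addresses and the outbound ports are assumptions; the script prints the commands rather than running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Prints director-side rules; does not run them.
# Assumed values (not from the thread): VIP block 192.0.2.0/24, fwmark 1, eth0,
# realserver net 192.168.1.0/24.

# dns_fwmark_rules BLOCK MARK IFACE RIP... : one MARK rule per protocol for the
# whole block, then a single fwmark virtual service with its realservers.
dns_fwmark_rules() {
    block=$1; mark=$2; iface=$3; shift 3
    for proto in udp tcp; do
        echo "iptables -t mangle -A PREROUTING -i $iface -p $proto -d $block --dport 53 -j MARK --set-mark $mark"
    done
    echo "ipvsadm -A -f $mark -s rr"           # virtual service keyed on the mark
    for rip in "$@"; do
        echo "ipvsadm -a -f $mark -r $rip -g"  # -g: direct routing (LVS-DR)
    done
}

# Scattered VIPs (no contiguous block): rule count grows to 2 x N,
# which is the "500 rules" case Joe mentions.
dns_fwmark_rules_per_ip() {
    mark=$1; iface=$2; shift 2
    for ip in "$@"; do
        for proto in udp tcp; do
            echo "iptables -t mangle -A PREROUTING -i $iface -p $proto -d $ip --dport 53 -j MARK --set-mark $mark"
        done
    done
}

# forward_rules RSNET PORT... : replaces the two "ACCEPT all" FORWARD rules
# with return traffic for established flows plus only the listed outbound
# TCP ports (e.g. for updates) from the realserver net. Policy stays DROP.
forward_rules() {
    rsnet=$1; shift
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A FORWARD -s $rsnet -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# count_iptables_rules: reads a rule list on stdin, prints how many iptables lines it has
count_iptables_rules() { grep -c '^iptables '; }

# Usage: review the output, then apply it by hand or via sh.
dns_fwmark_rules 192.0.2.0/24 1 eth0 192.168.1.10 192.168.1.11
forward_rules 192.168.1.0/24 80 443
```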
