CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I want to set up ISP redundancy on a 2nd circuit that has just been installed, and it has to work in primary/backup mode rather than load sharing. I would be pleased if anyone could suggest a way of getting this to work because I seem to have reached a stumbling block for inbound connections. As far as I can see, this will only reliably work if there are only two DNS servers, one on each circuit, so that DNS queries will then be handled by the Checkpoint module regardless of which circuit has failed. As soon as I have a secondary DNS server out on the Internet, there's a good possibility that this will be queried by remote clients and it will return an address on the primary circuit, which is useless when the primary circuit has failed. Relying on just two name servers on my site is not an option since we have MX records for remote subdomains, and to cover the situation where our entire site is out of action we must have an offsite name server running.
I think you are slightly misunderstanding how the DNS would work. This is how I would set it up. 2 DNS Servers in the DMZ, 1 per ISP Link. This is not a HA DNS System. DNS1 will respond with IP from ISP1 and DNS2 will respond with IP from ISP2. You NAT DNS1 behind ISP1, and DNS2 behind ISP2. Out on the Internet under your domain details, you then list DNS1 as the primary DNS and DNS2 as the secondary DNS. You list an offsite DNS3 with an even lower priority. These DNS Servers are not synched and would be maintained separately of each other. They also should not be used as Internal DNS Servers but purely for responding to requests from the Internet for your domain. DNS does not by default load balance or round robin etc, so all queries will go to DNS1 as you will configure that to have a higher priority. Only if they cannot get a response from DNS1 will it attempt to query DNS2, and DNS3 would only be requested if there is no response from DNS1 or DNS2. DNS1 could be a High Availability Box so that in the event of a failure of the Server then DNS1 still responds. In this way unless the ISP1 link fails you should get a response from DNS1 so that the Internet will send traffic to ISP1 addresses. If and ONLY if DNS1 does not respond will the Internet access DNS2 and thus get an IP address in the ISP2 range.

Traffic Flow would be:

- Internet Client does DNS request.
- Internet goes to DNS1 to get a response (as DNS1 is the primary DNS Server for your domain).
- DNS1 responds back and the Internet Client gets a response with an address from ISP1.

- Internet Client does DNS request.
- Internet goes to DNS1 to get a response (as DNS1 is the primary DNS Server for your domain).
- Internet gets no response from DNS1, so attempts to access DNS2.
- DNS2 responds back and the Internet Client gets a response with an address from ISP2.

- Internet Client does DNS request.
- Internet goes to DNS1 to get a response (as DNS1 is the primary DNS Server for your domain).
- Internet gets no response from DNS1, so attempts to access DNS2.
- Internet gets no response from DNS2, so attempts to access DNS3.
- DNS3 responds back and the Internet Client gets a response with an offsite Disaster Recovery ISP address.

I hope this helps answer your stumbling block. You could potentially add another offsite DNS to make 4 DNS Servers, however you need to remember that they are not load balanced but will be accessed sequentially only if the higher priority DNS Server is not responding. If it responds but hasn't resolved then you won't attempt to access another DNS Server as you have had a response.
Thanks for the very quick detailed response, but it all depends upon being able to prioritise the DNS server lookup, dns1 - dns2 - dns3, so that dns3 will only be accessed if dns1 and dns2 are unavailable. I don't see how this is possible, I believe that selection of an authoritative name server is based purely on the RTT, which is uncontrollable?
What appears to be missing from this discussion is how CheckPoint ISP redundancy proxies the DNS queries for inbound connections... This has to be configured in the SmartDashboard under your Gateway | Topology | ISP Redundancy | Enable DNS Proxy (see notes below). Please read the Check Point Help pages in your ISP Redundancy tab.

The gateway will intercept inbound DNS queries for the configured hosts and reply with the "A" record for the preferred ISP link (active/backup) regardless of the DNS Server Priority or TTL.

I typically recommend to clients that they do not try to host their entire DNS structure. I recommend creating a subordinate zone (aka vdns.yourdomain.com) and have your ISP/DNS provider delegate this DNS zone to your DNS servers. Hosts in this domain would be denoted as www.vdns.yourdomain.com. In this way you are not forced to be the SOA for your entire DNS domain, and only queries for the subordinate zone will be sent to your DNS and proxied by the CheckPoint Gateway.

To configure the DNS server for incoming connections:

- In the DNS Proxy tab of the ISP Redundancy window, select Enable DNS proxy. VPN-1 responds to DNS queries with either one or two IP addresses, depending on the status of the ISP link and the redundancy mode.
- To configure this behavior, map each server name to an IP address pair by clicking Add... in the DNS Proxy tab. Type a Host name (for example, www.vdns.yourdomain.com). Add an IP address for ISP-1 (for example, 192.168.1.2) and an IP address for ISP-2 (for example, 172.16.2.2).
- Each DNS reply has a Time To Live (TTL) field which indicates to the recipients of the reply how long the information in the reply may be cached. By default, VPN-1 replies with a TTL of 15 seconds. This can be changed in the DNS TTL field.

Hope this helps.
__________________
Robert Meyeing, CISSP, CCMA 0017, CCSI, CCSE+NGX CCSE, CCSA, NCSA, NCSP
Sr Info Security Consultant
Intelligent Connections
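The proxy behaviour described in the reply above, as an added model that is not code from this thread or from Check Point: it holds the host to (ISP-1, ISP-2) address map with the example values from the post, takes the link state and redundancy mode as inputs, and builds a real DNS wire-format answer carrying one address (primary/backup) or the addresses of every live link (load sharing) with the 15 second TTL. The mode names, the response header flags, the treatment of hosts not in the map and the link-state inputs are assumptions of this model, not documented gateway behaviour.

```python
"""Added example (not from the thread or from Check Point): a model of an
ISP Redundancy DNS proxy answering inbound A queries from link state."""
import struct

DNS_TTL = 15                       # default TTL mentioned in the post
PRIMARY_BACKUP = "primary_backup"  # assumed mode names for this model
LOAD_SHARING = "load_sharing"

# Constructed host map using the example values from the post
HOST_MAP = {
    "www.vdns.yourdomain.com": ("192.168.1.2", "172.16.2.2"),
}


def choose_addresses(host, isp1_up, isp2_up, mode, host_map=HOST_MAP):
    """Return the A-record addresses the proxy should answer with."""
    if host not in host_map:
        return []   # not a proxied host (assumption: the model answers nothing)
    ip1, ip2 = host_map[host]
    if mode == LOAD_SHARING:
        # Every live link is offered; the client picks one
        return [ip for ip, up in ((ip1, isp1_up), (ip2, isp2_up)) if up]
    # Primary/backup: ISP-1 only, falling back to ISP-2 when ISP-1 is down
    if isp1_up:
        return [ip1]
    return [ip2] if isp2_up else []


def _encode_name(name):
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _decode_name(buf, offset):
    """Decode an uncompressed name; return (name, offset after the name)."""
    labels = []
    while buf[offset] != 0:
        length = buf[offset]
        labels.append(buf[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(qid, name, qtype=1):
    """Standard recursion-desired query for NAME (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def proxy_answer(query, isp1_up, isp2_up, mode, ttl=DNS_TTL):
    """Build the response the proxy returns for QUERY under the given link state."""
    qid = struct.unpack("!H", query[:2])[0]
    name, off = _decode_name(query, 12)
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    question = query[12:off + 4]          # name + qtype + qclass, echoed back
    addrs = choose_addresses(name, isp1_up, isp2_up, mode) if qtype == 1 else []
    # Flags 0x8580: response, authoritative, RD copied, RA set (assumed for the model)
    resp = struct.pack("!HHHHHH", qid, 0x8580, 1, len(addrs), 0, 0) + question
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        resp += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return resp


def parse_answers(resp):
    """Return [(address, ttl), ...] from a response built by proxy_answer."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    _, off = _decode_name(resp, 12)
    off += 4                               # skip qtype/qclass
    answers = []
    for _ in range(ancount):
        off += 2                           # compression pointer
        _, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        answers.append((".".join(str(b) for b in resp[off:off + rdlen]), ttl))
        off += rdlen
    return answers


if __name__ == "__main__":
    q = build_query(0x1234, "www.vdns.yourdomain.com")
    for isp1, isp2 in ((True, True), (False, True), (True, False)):
        for mode in (PRIMARY_BACKUP, LOAD_SHARING):
            print(isp1, isp2, mode, parse_answers(proxy_answer(q, isp1, isp2, mode)))
```

The point the model makes visible is that the choice of address is made per query from link state, not from name server ordering, so the remote resolver's choice of which authoritative server to ask no longer matters as long as the query reaches the gateway; the short TTL bounds how long a resolver keeps an address for a link that has since failed.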