CPUG: The Check Point User Group

Forum: Check Point Firewall-1/VPN-1 And Related Products > ISP Redundancy
Post #1 by sebastan_bach (Senior Member), 2008-05-12
Subject: silly doubt abt isp redundancy

Hi all, I am new to Check Point and this is my first post in this section.

In the ISP redundancy documentation they have mentioned that for incoming connections to the web server the ISP will forward the DNS request to the VPN-1, and the VPN-1 firewall will resolve the address.

I didn't understand this: why will an ISP forward the DNS request to the enterprise? I guess when we buy public IPs and host web servers, the service provider adds a DNS entry in his DNS server mapping the domain name of the site to the static public IP address given by the ISP. So I guess for the incoming connection the ISP itself resolves the address and gives the address to the host.

When there are 2 links from different ISPs and we have static NATed the server to both routable addresses, and the user from the Internet queries for the web server: when it queries its ISP for the DNS, it depends on the ISP as to which DNS reply it's forwarding.

Let's say link 1 is from ISP 1 and link 2 is from ISP 2.
The server is mapped to an address from both ISPs.

Now the host, when it connects to an XYZ ISP, queries for the web server. Let's say the ISP DNS replies with the IP address from ISP 1, and now the user sends the traffic to the ISP 1 IP address given to the server. But say the link to ISP 1 is down.

So it will be dropped.

So where's the redundancy?

Guys, if I am wrong please correct me.

Hoping to get any help on the same.

regards

sebastan
Post #2 by MarioL (Senior Member, London), 2008-05-12
Subject: Re: silly doubt abt isp redundancy

When you have 2 ISP links you should host your own DNS server. Also, the Firewall will "capture" the DNS requests and answer them directly. This means that if you configure your domain information you will be able to do some cool tricks.
Post #3 by mcnallym (Senior Member), 2008-05-13
Subject: Re: silly doubt abt isp redundancy

Note that the DNS Proxy in ISP Redundancy only answers for A records. Other records such as MX records need to be hosted on your DNS server in the DMZ.

You need to tell the ISPs that the DNS server for your domain is in one of your IP ranges, with a backup DNS server in the other range.
Post #4 by sebastan_bach (Senior Member), 2008-05-13
Subject: Re: silly doubt abt isp redundancy

Hi, thanks a lot for your reply. So you mean to say the ISP DNS server will forward the DNS request to the enterprise DNS server?

In that case I will also have to do a static NAT for the internal DNS server and permit traffic to it in the policy, right?

In the internal DNS server I will be mapping the same domain to 2 different IP addresses, right?

So now when my internal users query the internal DNS server for the website, the DNS will forward them the 2 public IPs. So in this case the internal users will send the traffic out and then the traffic will come back in.

Is there a way wherein the internal users will access the same domain on its private address and Internet users access the website on its public address?

In Cisco there is DNS doctoring for the same, but I guess that's not there with Check Point.

Any ideas on the same?

regards

sebastan
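To make the two points in this thread concrete, here is an added Python model of the inbound-DNS side of ISP redundancy. It is an illustration written for this page, not Check Point's code or a description of how the VPN-1 DNS Proxy is implemented: it shows how a DNS proxy in front of two NATed public addresses can answer A-record queries only with addresses on links that are currently up (so a dead link's address is never handed out, which is where the inbound redundancy comes from), why any other record type such as MX has to be served by the real DNS server in the DMZ (mcnallym's point in post #3), and how a split-horizon view would hand internal users the private address instead of sending them out and back through the firewall (the behaviour sebastan asks about in post #4; whether the Check Point proxy does this is not stated on this page, so the internal-view branch is a generic illustration only). The domain, the addresses, the link-state values and the DMZ records are all constructed sample data.

```python
# Added illustration (not Check Point's code or documentation): a toy model of
# how an ISP-redundancy DNS proxy can answer A-record queries only for the
# links that are currently up, hand every other record type (MX, TXT, ...) to
# the real DNS server in the DMZ, and give internal clients the private address.
# All names, addresses, link states and DMZ records below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class IspLink:
    name: str
    public_ip: str      # the web server's static-NAT address in this ISP's range
    up: bool = True     # assumed result of a link-state probe (e.g. ping to the ISP next hop)


@dataclass
class RedundantDnsProxy:
    domain: str
    links: List[IspLink]
    internal_ip: str                            # the server's real (private) address
    internal_nets: List[str]                    # client networks that should get internal_ip
    dmz_dns: Dict[Tuple[str, str], List[str]]   # (qname, qtype) -> answers held by the DMZ DNS server

    def resolve(self, qname: str, qtype: str, client_ip: str) -> Tuple[str, List[str]]:
        """Return (status, answers) for one query.

        Status loosely mirrors DNS response codes: ANSWER (NOERROR with data),
        FORWARDED (handed to the DMZ DNS server), SERVFAIL (no live link),
        REFUSED (not our zone).
        """
        qname = qname.rstrip(".").lower()
        if qname != self.domain:
            return ("REFUSED", [])
        if qtype.upper() != "A":
            # The proxy only synthesises A records; MX and the rest must live on
            # the authoritative server in the DMZ.
            return ("FORWARDED", self.dmz_dns.get((qname, qtype.upper()), []))
        client = ipaddress.ip_address(client_ip)
        if any(client in ipaddress.ip_network(net) for net in self.internal_nets):
            # Split-horizon view: internal users get the private address so their
            # traffic never leaves through the firewall and comes back in.
            return ("ANSWER", [self.internal_ip])
        live = [link.public_ip for link in self.links if link.up]
        if not live:
            return ("SERVFAIL", [])
        # Only addresses that are still reachable are handed out; a dead link's
        # address never appears in an answer.
        return ("ANSWER", live)


def build_proxy() -> RedundantDnsProxy:
    """Constructed topology: one server, two ISP links, one internal network."""
    return RedundantDnsProxy(
        domain="example.com",
        links=[IspLink("isp1", "203.0.113.10"), IspLink("isp2", "198.51.100.10")],
        internal_ip="10.1.1.10",
        internal_nets=["10.0.0.0/8"],
        dmz_dns={("example.com", "MX"): ["10 mail.example.com."]},
    )


def walkthrough() -> Dict[str, Tuple[str, List[str]]]:
    """Run the scenarios discussed in the thread and collect the proxy's answers."""
    proxy = build_proxy()
    results = {}
    # Internet client, both links up: both public addresses are valid answers.
    results["both_up"] = proxy.resolve("example.com", "A", "192.0.2.55")
    proxy.links[0].up = False                      # ISP 1 goes down
    results["isp1_down"] = proxy.resolve("example.com", "A", "192.0.2.55")
    # Internal client: gets the private address regardless of link state.
    results["internal"] = proxy.resolve("example.com", "A", "10.5.5.5")
    # MX query: not an A record, so it goes to the DMZ DNS server.
    results["mx"] = proxy.resolve("example.com", "MX", "192.0.2.55")
    proxy.links[1].up = False                      # both links down
    results["all_down"] = proxy.resolve("example.com", "A", "192.0.2.55")
    return results


if __name__ == "__main__":
    for case, (status, answers) in walkthrough().items():
        print(f"{case:10s} {status:9s} {answers}")
```

Two caveats the model makes visible: the answers are only as good as the link-state probe behind `up`, so a probe that still succeeds while the ISP's upstream is broken will keep advertising a dead path; and a short TTL on the synthesised A records matters, because clients and resolvers that cached the failed link's address before the failover will keep using it until the cache expires.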