Redundant ISP Connection Setup and Config of Routers and DNS?

Posted on 2008-06-20
Last Modified: 2013-11-16
We're going to be transitioning from Verizon to AT&T and we want to run them in tandem for a week or two.  We're trying to avoid an interruption in service to our web and email servers.  We want the Verizon link to answer up and resolve names while the AT&T dns info propagates out across the web.

I'm asking for an overview on the setup of routing and dns for
redundant ISP connections.  We own the routers, Verizon and AT&T manage them.
Verizon uses a Cisco 3600; AT&T's is a Cisco and a later model than the 3600, not sure just yet.
We maintain the primary DNS server in house, running Bind 8.2; Verizon and AT&T maintain the secondaries. Network Solutions is our registrar and there is something that's set up there that points to the name servers.
Checkpoint R60 does the Nat'ing for us.  I'm using Static or one to one nat.

Questions on DNS - Can you have both sets of secondary servers in the Allow Transfer line in the named.conf file?
What do you do in the zone files? I currently have Verizon's public IP addresses assigned to us set up as the A records in the zone files. Can I simply add the AT&T public IP addresses in the zone file?
Question by: Westez
LVL 71

Accepted Solution

Chris Dent earned 450 total points
ID: 21836914

You can have as many Secondary DNS Servers listed there as you need.

If you can have both IP Ranges route in correctly it doesn't particularly matter which IP Addresses are used in the zone file (for hosts).

Propagation will occur during the lifetime of the TTL (Time To Live) for each record in DNS.

For example, if the Host Record used in your MX Record has a TTL of 3600 seconds (1 hour) and you change the IP it will take 1 hour for that to propagate fully.

There's a caveat though. Some of the larger mail hosts, including AOL, Hotmail and Gmail, ignore the TTL value for those records and take up to two days before they get it right.
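To make the "as many secondaries as you need" point concrete, here is an added named.conf fragment (not from the thread) in the BIND 8 syntax the question mentions; the ACL names and the addresses are placeholders from the documentation ranges, not the real Verizon or AT&T secondaries.

```conf
// Added example, not from the thread. BIND 8.2 named.conf on the in-house master.
// 192.0.2.0/24 stands in for the Verizon secondaries, 198.51.100.0/24 for AT&T's;
// replace both with the addresses each ISP gives you.

acl "verizon-secondaries" { 192.0.2.53; 192.0.2.54; };
acl "att-secondaries"     { 198.51.100.53; 198.51.100.54; };

options {
    directory "/var/named";
    // Nobody outside the two secondary sets should be able to pull a whole zone.
    allow-transfer { "verizon-secondaries"; "att-secondaries"; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Per-zone list overrides the global one; both sets go in the same statement.
    allow-transfer { "verizon-secondaries"; "att-secondaries"; };
    // Send NOTIFY to both sets so they re-pull as soon as the serial changes
    // instead of waiting for the SOA refresh interval to expire.
    also-notify { 192.0.2.53; 192.0.2.54; 198.51.100.53; 198.51.100.54; };
};
```

After editing, `ndc reload` on the master and check the BIND log for "zone transfer" entries from every listed secondary; a secondary that never pulls is still serving the old data.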


LVL 13

Assisted Solution

kdearing earned 50 total points
ID: 21837473
Don't forget to make sure the reverse-DNS pointers are configured.
Most spam filters look for this.

Author Comment

ID: 21851622
DNS: Just so I'm sure I understand you.  I can have two A records from two different ISP providers pointing back to the same host name in the zone file?  Such as - IN A IN A
I ask because I have a couple of different books covering DNS, this setup isn't mentioned, and it blows my mind that it works this way. It seems just too simple.
LVL 13

Expert Comment

ID: 21852251
Just to be sure we're talking about the same thing...
You are asking about external (public) DNS, right?

You can only have one A record for any given hostname.

When you want to change your DNS records, the common trick is to do it after-hours on a Friday.
Because DNS info can take up to 48 hours to propagate, everything should be up and running on the 'new' DNS by Monday morning.

If you have an email server, ensure the ISP configures your reverse-DNS.
This can be done before-hand.

Note that you can have several MX records.
In fact at least 2 are recommended.

All of the above applies to inbound traffic (except email).
Of course, for outbound traffic, you can use as many ISPs as you choose.
If internet connectivity is critical to your business, you may want to consider keeping the second ISP.
LVL 71

Expert Comment

by: Chris Dent
ID: 21853503

Hey guys,

> You can only have one A record for any given hostname.

That's not true.


> I can have two A records from two different ISP providers pointing
> back to the same host name in the zone file?

Yes, but...

The DNS Server will use Round Robin when responding to clients with those addresses.

The difficulty there is DNS isn't service aware, so if one of the IPs is unavailable it will continue to hand out the "bad" IP.

In other words, if you do that you will have to be careful to make sure the service is available on both IP addresses (and that return paths are correctly calculated).

> Because DNS info can take up to 48 hours to propagate

DNS takes the value of the TTL to propagate, with a few exceptions mentioned previously.


Author Comment

ID: 21870865
I am talking about external/public DNS. And we only want to run them in tandem long enough for the public addresses for AT&T to propagate out across the Internet.

Routing: I can't have two default gateways. Our external default gateway is defined on the firewall server. Because we're transitioning to AT&T I'm thinking I should change the default gateway from the Verizon address to the AT&T address, and add a static route on the firewall for the Verizon network. What do you guys think about doing it this way? If you have alternative suggestions please let me know. And we don't manage the routers; Verizon wouldn't even give us a copy of the router config. Seeing how I plan on changing Verizon's network from being the default gateway, would changes need to be made on the router Verizon manages? Such as routes being added or deleted?
LVL 13

Expert Comment

ID: 21871057
As I said, you can probably handle the propagation issue by switching it over the weekend.
Note that although it may take up to 48 hours to propagate, the vast majority will be done within 12 hours.

You should be able to configure multiple default gateways on the firewall. Just make sure the second gateway has a higher metric.

I doubt that Verizon is going to allow any changes to the router config that will speed up the process of you terminating their service.

Author Comment

ID: 21900647
As I stated the number one goal is to avoid any down time while the new addresses propagate out across the Internet.  I don't have 12 to 48 hours to allow the propagation of the new addresses to take place.  If I did I wouldn't have needed to post the questions.

On the firewall (Checkpoint SPLAT R60) we run, you can have one default gateway.  From what I've read while researching the problem, you can have only one default gateway, and I would need to setup another static route.  If you can point me towards some articles that explain how to setup two default routes then please do so.
LVL 71

Expert Comment

by: Chris Dent
ID: 21901646

Sorry I must have missed replying earlier.

You're right in thinking you can only have one Default Route. It is, after all, the last resort. You could have failover gateways potentially, but that's no good in this scenario (only any good for outbound traffic).

If you can't configure Routing so both lines are available then you're back in DNS. But DNS isn't as inflexible as it sounds here. The 24 - 48 hours quoted are a bit misleading. In general you can speed propagation up significantly by reducing the TTL either on individual records for for the entire zone.

Therefore, if you're swapping records around can't you just reduce the TTL to a more acceptable value? Perhaps 15 minutes (a TTL of 900)?

There are a small number of ISPs that will cause the change to lag. For instance AOL perform a lot of extra caching in DNS so you tend to find their customers are behind the times. Do they represent an important part of your customer base?
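An added zone file for the cutover (example, not from the thread) showing the two things discussed above: the TTL dropped to 900 as Chris suggests, and the web host published on both the Verizon-side and AT&T-side static NAT addresses so BIND round-robins between them. Names and addresses are placeholders; the reverse zones belong to each ISP, so the PTRs kdearing mentions are requested from them rather than written here.

```conf
; Added example, not from the thread: db.example.com on the BIND 8.2 master.
; 192.0.2.10 stands in for the Verizon-side static NAT address of the web server,
; 198.51.100.10 for the AT&T-side one. Both must already answer on the Checkpoint
; before they go in: BIND hands out either address whether or not it is reachable.

$TTL 900                    ; 15 minutes instead of a day. Lower this at least one
                            ; old-TTL period BEFORE the change, so caches already
                            ; hold the short value when the addresses move.
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2008062001  ; serial YYYYMMDDnn; bump it on every edit or the
                            ; secondaries will never re-transfer the zone
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                900 )       ; negative-caching TTL

        IN  NS  ns1.example.com.
        IN  NS  ns2.isp-a.example.        ; Verizon secondary (placeholder)
        IN  NS  ns2.isp-b.example.        ; AT&T secondary (placeholder)

        IN  MX  10 mail.example.com.
        IN  MX  20 mail2.example.com.     ; second MX, as recommended above

ns1     IN  A   192.0.2.5                 ; also update the glue at the registrar
www     IN  A   192.0.2.10                ; Verizon side
www     IN  A   198.51.100.10             ; AT&T side; round-robin with the above
mail    IN  A   192.0.2.25                ; PTR already set by Verizon
mail2   IN  A   198.51.100.25             ; add only once AT&T has set its PTR
```

Once the AT&T side has propagated, remove the 192.0.2.x records, bump the serial again, and only then raise the TTL back up.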

LVL 71

Expert Comment

by: Chris Dent
ID: 21901663

> ... records for for the ...

Should have read:

... records or for the ...


Author Comment

ID: 21913206
Ok guys, thanks for the feedback, we can put this one to rest for now, it's been pushed back to August. I'm going to split the points.
