DNS and ISP redundancy

I have a firewall with 2 Internet interfaces. Let's say I have ISP1 on interface 1 with the IP 200.200.200.200 and ISP2 on interface 2 with the IP 210.210.210.210. We run Outlook Web Access, which needs to be up ALL the time. The firewall will automatically fail over to ISP2 if ISP1 is down. This works perfectly. The problem is DNS. The A record webmail points to 200.200.200.200. If this IP goes down and the other ISP is up, DNS has no way of knowing where to find Outlook Web Access. It will just come up with "page cannot be displayed". If a user types in 210.210.210.210 in this case, OWA will come up. Is there some kind of DNS failover like MX records have, where if record 1 isn't available it goes to record 2?
Asked: etechit
1 Solution
 
bswinnerton commented:
I'm all over your posts tonight etechit ;)

Yes, you can specify a hierarchy in MX records. I'm not too sure if you have Windows DNS or not, but you can simply set the mail priority lower on the main email server IP, and higher on the backup one.

For example:

@      IN MX 10  mail.example.com.    ; your main server (the lowest preference value is tried first)
@      IN MX 100 backup.example.com.  ; backup mail server
mail   IN A  192.168.0.1              ; MX targets must be hostnames, each with its own A record
backup IN A  192.168.0.2
etechit (Author) commented:
Yes, thanks for the help. I was only citing MX records as an example. This is not for MX records. It is for A records. The A record webmail points to ISP1 200.200.200.200, but when ISP1 goes down so does webmail, because DNS is not smart enough to fail over to ISP2 210.210.210.210. Is there some way I can get DNS to do this? DNS is hosted externally via Go Daddy.
bswinnerton commented:
Ohh, my apologies. No, I don't believe that there is a way to do that with A records. I know that this may not help you very much, but if you had an Apache server running the webmail there is something called heartbeat where, if one server goes down, the other one will automatically pick up in its place. I do not know if there is an Exchange alternative.


jkockler commented:
Just add an additional A record in Godaddy total DNS control, with the alternative IP address.  If the first DNS entry times out, it will go to the next.
etechit (Author) commented:
I don't think Apache would help, because no matter what server, the outside users are calling for webmail.companyabc.com, which normally points to ISP1; if ISP1 fails, then it needs to point to ISP2. I guess, what do ISPs do? They do SMTP as smtp.isp.com and I know they have redundancy?
jkockler commented:
Call Godaddy; their support is usually pretty good about helping out with these sorts of things, and I am sure they get this question all the time. People put servers hosting the same applications, resolving to the same host name, on opposite sides of the world to prevent natural disasters from bringing down service. This definitely can be done.
Steve (Network Manager) commented:
We do exactly what you're talking about, in two different but similar scenarios:

For DNS redundancy:
We have our primary DNS record hosted on ISP1 and our secondary DNS on ISP2. They have an arrangement between them for DNS zone transfers, so we only have to update records on ISP1.

Then we have another site that is mission critical that we do failover with by using http://support.easydns.com/Failoverfaq.php

In terms of your question about smtp.isp etc., we do the same thing via our load balancer:
http://www.simplefailover.com/scenario3.aspx


thehagman commented:
Since the validity of A records is not restricted by their IPs being reachable for any service, your only option is to make sure the DNS is updated in case of line failure.

The following is, however, possible:
To make host.domain.com point to whichever of 200.200.200.200 or 210.210.210.210 is available, delegate host.domain.com to two nameservers, one behind each of the two lines, and make each nameserver deliver its corresponding IP address as the A record for host.domain.com, of course with a very low TTL.

in public DNS:
host.domain.com. 86400 IN NS ns1.domain.com.
host.domain.com. 86400 IN NS ns2.domain.com.
ns1.domain.com.  86400 IN A  200.200.200.200
ns2.domain.com.  86400 IN A  210.210.210.210

on ns1:
host.domain.com. 60 IN A 200.200.200.200

on ns2:
host.domain.com. 60 IN A 210.210.210.210

Any successful resolution of host.domain.com is then at most 60 seconds old and was delivered via an operational line.

etechit (Author) commented:
jkockler; I didn't know I could have 2 of the same A record; webmail pointing to 200.200.200.200 and webmail pointing to 210.210.210.210?
etechit (Author) commented:
I contacted Go Daddy and they said this could not be done with A records.  The best way is to put a NS on each ISP with the corresponding A records.
Fredde87 commented:
Hi hagman,

Sorry to hijack this thread, but I wanted to implement the same solution you suggested. However, I think there is a problem with this setup, since there is no priority on the NS records. Won't the name server which is used be random, which means sometimes you will get 200.200.200.200 back as the A record and sometimes you will get 210.210.210.210?

Won't this in turn cause massive problems with, for example, something like a webmail service? If the TTL is only 60 seconds and the user is using server 1's webmail interface, but then re-looks up the A record after 60 seconds and then suddenly sends the next page request to server 2?
suffolkdit commented:
I agree with what Fredde87 said. I have the same problem. Network Solutions hosts A records for our two external DNS servers we have onsite. Each is on a different ISP. The name server an outside computer uses is random, from what Network Solutions tells me. So even though NS1 may be down because that ISP is down, the record still exists that Network Solutions holds, so PCs on the outside will probably 50% of the time get the bad A record.
Fredde87 commented:
Hi suffolkdit.

A lot has changed since I last commented on this post. I have now successfully implemented this solution.

In the end I set up two nameservers, one on each of the servers as well. I then set the NS records of my domains to both my servers (let's call them srv1.domain.com and srv2.domain.com).

I then set up a MySQL replicated database to hold all of my domains' DNS settings, so that if I change it on one server, it will be replicated onto the other.

I made sure I had a low TTL on all the critical records. I then created two shell scripts which run on both servers and test the other one to make sure it is up. If everything is OK, then the critical A records are left set to srv1 (my primary one). If the servers can't reach each other, then they both change the A record to point to themselves. That way it doesn't really matter which server goes down; the user will query whichever one is up and use it until the other one is back online.
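The delegation thehagman describes above, with the peer-check rule Fredde87 added to it, modelled as an added example (not code from the thread or from any of the posters), and compared with the plain two-A-record approach jkockler suggested. It assumes a resolver tries the two delegated nameservers in random order and falls back when one times out, and that the two servers can only reach each other while both lines are up; the addresses are the ones from the question.

```python
import random
from typing import Optional

ISP1_IP = "200.200.200.200"   # primary line (ISP1): srv1/ns1 and the primary webmail sit behind it
ISP2_IP = "210.210.210.210"   # backup line (ISP2): srv2/ns2 sits behind it

def nameserver_answer(own_ip: str, peer_reachable: bool) -> str:
    """Fredde87's rule on each nameserver: while the peer is reachable answer
    with the primary's address (sessions stay on one server); if the peer is
    unreachable answer with your own address, the line you know is up."""
    return ISP1_IP if peer_reachable else own_ip

def resolve_delegated(isp1_up: bool, isp2_up: bool, rng: random.Random) -> Optional[str]:
    """thehagman's delegation: host.domain.com has NS records for ns1 (behind
    ISP1) and ns2 (behind ISP2). The resolver picks one at random; a server
    behind a dead line times out, so the resolver retries the other one.
    Returns None when both lines are down (the lookup fails)."""
    servers = [(ISP1_IP, isp1_up), (ISP2_IP, isp2_up)]
    rng.shuffle(servers)
    peer_reachable = isp1_up and isp2_up  # assumption: peers see each other only when both lines are up
    for own_ip, line_up in servers:
        if line_up:
            return nameserver_answer(own_ip, peer_reachable)
    return None

def resolve_two_a_records(isp1_up: bool, isp2_up: bool, rng: random.Random) -> str:
    """jkockler's suggestion: two A records for webmail at the external DNS
    host, which stays reachable and hands out both addresses whatever the
    line state; the client then tries one of them."""
    return rng.choice([ISP1_IP, ISP2_IP])

def sample_answers(resolver, isp1_up: bool, isp2_up: bool, trials: int = 1000, seed: int = 1):
    """Run many lookups with a fixed seed so the outcome is reproducible."""
    rng = random.Random(seed)
    return [resolver(isp1_up, isp2_up, rng) for _ in range(trials)]

def dead_answer_rate(resolver, isp1_up: bool, isp2_up: bool) -> float:
    """Fraction of lookups that return an address whose line is down."""
    line_up = {ISP1_IP: isp1_up, ISP2_IP: isp2_up}
    answers = sample_answers(resolver, isp1_up, isp2_up)
    return sum(1 for ip in answers if ip is not None and not line_up[ip]) / len(answers)

if __name__ == "__main__":
    for name, res in (("delegated NS", resolve_delegated), ("two A records", resolve_two_a_records)):
        print(f"{name}: ISP1 down -> {dead_answer_rate(res, False, True):.0%} of answers unreachable")
```

With ISP1 down the delegated scheme never hands out the dead address, while two plain A records do so about half the time, which is the 50% figure suffolkdit reports.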
