Solved

failover options for DNS?

Posted on 2009-02-21
Last Modified: 2012-05-06
We have two sites for our servers. One is up and live 24/7. The other has no servers turned on. Our website A record points to our live servers in the primary site.

Question - if our servers go down we will boot up the alternate site servers. We will change DNS where the A record points to. Is this a good strategy? We don't get thousands of hits (field reps use our website, not public). We would need TTL to be low enough ahead of time that we can make the change in DNS through our registrar (Register.com) and assume the field reps will see those changes 15 minutes later when they start querying our website again.

We can't build new servers to run BIND. Register.com is where we control the records. We don't want both IPs published at the same time because our other site is always down (the firewall is up, but no servers). We don't want users being directed to the IP of the DR site while it's not up and running.
Question by:GCIT_Manager
11 Comments
 
LVL 2

Expert Comment

by:sstops
ID: 23701221
Hello,

If you do have the possibility to set a low enough TTL on the DNS record it should work, unless your field reps are in a network (e.g. at a customer's site) that caches DNS requests for a longer period.

A simple no-cost solution to overcome the mentioned limitation would be to set up a permanent second record for your backup site for your field reps to call if the primary site goes down and they are in a network that has either a DNS cache or a badly configured proxy.

I hope the idea helps a little.

Regards
Sascha
 

Author Comment

by:GCIT_Manager
ID: 23701415
Thanks. It looks like very few online registrars let the customer control the TTL value. At least I can't find one. The problem with a secondary A record is that our field reps are connecting over a plethora of proxies from the Middle East, even via satellite. So there are often timeouts and we don't want them being directed to the DR site until we "say" so. Any thoughts?
 
LVL 2

Expert Comment

by:sstops
ID: 23701531
I know changing the TTL is always trouble with registrars. Sorry, I meant a second record, not for the same name but something like backup-site.yourdomain.com, and do something like a "manual" fail-over on the client side. If you have no way to tell them, this is not an option.

Sorry, but I am out of ideas for an automated fail-over solution without significant investment in network equipment.
 

Author Comment

by:GCIT_Manager
ID: 23701555
Thanks for the idea. Unfortunately we do not have a method to contact them in a DR scenario.

One option I'm contemplating is setting up a rule in our DR firewall (which is always up) and having it redirect back to the primary site. I'm not sure if this is possible.
 
LVL 2

Expert Comment

by:sstops
ID: 23701725
This could work if you can redirect to an IP address and you do not need the host header. If you redirect to the URL it will redirect to itself because there is a DNS cache on the client.

So if your application is http://app.yourdomain.com and your primary site IP is 10.0.0.1, the redirection on the secondary site has to be to http://10.0.0.1 and not again to the domain name.

Or if you want to avoid having an IP address as the URL, you create two records, app.yourdomain.com and app2.yourdomain.com; point app.yourdomain.com to your two sites and app2.yourdomain.com just to the primary site. The redirection on the secondary site will go to app2.yourdomain.com. This way you can make sure you circumvent local caches.
 

Author Comment

by:GCIT_Manager
ID: 23701779
I just confirmed that I can create a VIP (external IP) on our firewall that points to the primary site A record and it worked.

We don't want the IP in the URL. Does your strategy work if the user goes to either www.ourdomain.com or just domain.com?
 

Author Comment

by:GCIT_Manager
ID: 23701873
sstops:

I don't get your example. Can you provide an example with make believe IP addresses?

Our users can't be told to try two different URLs. And we have no website running in the DR site.

Also, can't the firewall only do IP redirection, not URL redirection?

Thanks!
 
LVL 2

Accepted Solution

by:sstops (earned 2000 total points)
ID: 23701960
Sorry for causing the confusion.

So you want to hide the IP address and I think the following should do the trick.
Primary site: 10.10.0.1
DR site: 10.11.0.1

My solution in this case would look like this:
Your users enter http://app.your-domain.com

DNS records should look like this:
app.your-domain.com    points to 10.10.0.1 and 10.11.0.1
app2.your-domain.com   points to 10.10.0.1

DR firewall redirects to http://app2.your-domain.com

The solution is purely cosmetic in comparison to an IP redirection but in this respect it should do the trick.

If you don't need to mask the IP-Address you can of course do the redirection using the primary site's IP address.

There is one more limitation to the solution with doing a redirection at the DR site. If the firewall or line goes down, 50% of the requests will fail. On the other hand you have the same problem if the firewall or line at the primary site fails and you are not able to reverse the process to overcome the failure.
 

Author Comment

by:GCIT_Manager
ID: 23701993
Do you mean if the DR firewall goes down those who happened to go there won't now go to the primary site due to A record redundancy?

I also have to see if our FW even supports URL redirection. Isn't it just seeing an IP request by the time it gets there?
 
LVL 2

Expert Comment

by:sstops
ID: 23702160
Yes if the DR firewall goes down it might cause this problem.

Once the firewall has redirected, it will show up in the address bar of the browser.
 

Author Comment

by:GCIT_Manager
ID: 23702393
I got Register.com to change the TTL to 15 minutes. As long as users halfway around the world really do start going to the new IP address within 15 minutes this should be fine. I'm pretty sure our client wouldn't accept the risk that 50% of the users could be out of luck, especially if it's only because of a backup firewall going down.

But if 15 minutes was not acceptable your solution would work. Thanks!
