DNS failover

Dear experts,

I have the following scenario.

One dedicated server (hosting) for my domain and DNS, and in my company I have two internet lines, both with fixed IPs.

Both lines are connected to my Draytek 2820 in failover mode.

Now I need to have DNS in failover mode too.
Like:
webmail.mydomain.com connects to my primary IP address, but if the primary IP address goes down, webmail.mydomain.com connects to my secondary IP address.

How can I do this?

Work with low TTLs in my domain server?

Best regards and happy new year to all experts
abolinhas asked:

Kent W, Sr. Network / Systems Admin, commented:
I use DNSMadeEasy for this and other failover.  You have to use their name servers, but it does exactly what you need, and can cascade fail up to 5 IP levels deep.
Very inexpensive, so much so that you pay annually.
Been using it for about 6 years now for a multi-mil corporation network DR failover, works great.

They allow you to set a very low TTL; I use 90 secs, and have had no issues with them being accepted by servers globally.

expert_tanmay commented:
There are two ways you can do this
1. Most DNS will provide what's called a "Round Robin" if you assign multiple A records to the one name in the zone.

What it would do then, is the first request comes through would receive 1.2.3.4, the next would receive 2.3.4.5, so on and so forth. However, by design, your local machine will cache its DNS resolution, and will usually use the same IP address over and over, until it expires (Time To Live, TTL). So keep a low TTL.

2. This is using the NS records. If NS1 for webmail.mydomain.com is the primary machine itself and NS2 for webmail.mydomain.com is the secondary machine, then in this scenario if primary webmail.mydomain.com fails, NS1 will also go down, hence all requests will be made to NS2.

Happy new year and Cheers..
Kent W, Sr. Network / Systems Admin, commented:
No. 1 won't work for failover. Two A records for a host name don't automatically use the second if the first fails.  You just get a timeout.  Been there.  Tried that.  It alternates with each query, but those getting the failed host first just time out.

No. 2 won't work for failover without manual intervention; the DNS server has to be down (not the hosts, which is what you normally want to fail over).  Unless you did something funky like setting up NS1 / NS2 at the alternate sites (opposite the one it's serving IPs for), but still, the same boat... there's nothing causing a client to not query the secondary DNS, which will give the failover IPs, so it would need to be up and answering at both IPs during "normal" operation.  That may fit in this case, but still a bit clumpy. Since the Draytek is in failover mode, I don't believe it actively serves from both connections at the same time; it simply brings up the other interface if the primary fails (heartbeat style).

You also want to make sure the DNS server is not on the network you are planning for failover from.  I've had clients come to me in the middle of doing this setup, only to realize their DNS would be down if their primary link failed, also ;)


expert_tanmay commented:
Let me explain the second point again.
The NS1 entry for webmail.mydomain.com points to primary webmail.mydomain.com and the NS2 entry for webmail.mydomain.com points to secondary webmail.mydomain.com.

Thus, to resolve webmail.mydomain.com, primary webmail.mydomain.com will always resolve to the IP of primary webmail.mydomain.com. If primary webmail.mydomain.com fails, the query will automatically be forwarded to the server pointed to by NS2, which is secondary webmail.mydomain.com, and will always resolve to the IP of secondary webmail.mydomain.com.

Kent W, Sr. Network / Systems Admin, commented:
I do understand that theory; unfortunately, there is no guarantee that, while everything is "normal", a client won't query NS2 and get the failover IP.  I have up to 5 name servers, and they all take hits at all times of the day, not just if the first listed is down.  Now, if both connections are up, and it's serving from both, that would work, but the NS would have to be serving from behind the same connections: NS1 on the primary, NS2 on the secondary circuit.  Otherwise, NS is still going to answer with the "down" IP if it's reachable.  That, or you need some way to take NS1 out when the primary goes down, simply so it doesn't answer with the downed IP.

So yes, that would work, but only if NS1 failed when the primary link goes down, so that NS2 would then answer with the failover IP.  Otherwise, NS1 is going to answer with the down IP.

But, for 20-40 bucks a year, you can have enterprise class hosted DNS failover that automatically checks, alerts, fails over (5 levels deep), and self-heals (or not, if you choose). I definitely recommend that.
expert_tanmay commented:
How do you think webmail.mydomain.com will resolve if the DNS server pointed to by NS1 is down?
Chris Dent, PowerShell Developer, commented:

It's a bit messy; given that there's only one (DNS) server you'd have to configure two different instances of BIND (or some other DNS server) on the same system (each listening on a different IP). You can't get around the requirement of running two different zones to furnish clients with situational answers and Views cannot be used in this instance.

Chris
expert_tanmay commented:
What I mentioned for point 1, "Round Robin" (if you assign multiple A records to the one name in the zone), will time out if the resolved IP is that of the failed server. So this method won't work..

However, I would recommend keeping the "Round Robin", i.e. assign multiple A records to the one name in the zone. When everything is working fine, meaning both primary and secondary are up and running, there is nothing to worry about. Let us say the primary server goes down: the IP address of the primary server is aliased on the secondary server, and vice versa, i.e. if the secondary server goes down the IP of the secondary server is aliased to the primary server. This can be achieved with Linux HA using heartbeat..

Regards
Chris Dent, PowerShell Developer, commented:

Onsite HA will not protect against connection failure (except when you opt for different DNS servers giving out different answers). That just puts you back to square one, running two different name servers.

To be honest, I would favour hosting DNS elsewhere with monitoring, much like the services mentioned by mugojava. It's about as good as you'll get for this type of connection.

The best approach would be full connection fault tolerance (i.e. no second IP), and that's only going to happen on the ISP / hosting level unless you wish to apply for your own IP block and manage BGP for your AS on your network border.

Chris
expert_tanmay commented:
Let me clarify the question again. Maybe I have not understood it.
abolinhas has a dedicated server and DNS server.
He has two internet lines with fixed IPs coming to his office location, connected to a Draytek 2820 in failover mode.

In other words, say you have IPs 1.1.1.1 and 2.2.2.2, both connected in failover mode. Your IP 1.1.1.1 is your DNS and dedicated hosting server. Now if your IP 1.1.1.1 fails, the outside world should connect to your domain with IP 2.2.2.2.

Is my understanding correct?
Chris Dent, PowerShell Developer, commented:

That's also my understanding of the scenario.

Chris
expert_tanmay commented:
In that case, if NS1 points to DNS server 1.1.1.1 and NS2 points to DNS server 2.2.2.2, say IP 1.1.1.1 fails; obviously the DNS at 1.1.1.1 will also not be reachable. The query is then forwarded to DNS server 2.2.2.2, which will resolve the server address as 2.2.2.2.
Chris Dent, PowerShell Developer, commented:

Absolutely. But you need 2 DNS servers (because you need two distinct zones). It may be possible to run those on the same hardware, if the software permits that.

Chris
abolinhas (Author) commented:
Let me explain my scenario better.

One hosting server (dedicated, with cPanel and BIND) for my domain and DNS; on this server I have two NS and various A records.

In my company I have two internet lines connected to my Draytek.
In my company I have an internal mail server too, with webmail.

Now I want to create a failover for this A record, webmail.mydomain.com.
This A record points to my internal mail server.

So, if the primary internet line goes down, the A record will point automatically to my secondary internet line.

Is it better now?
Chris Dent, PowerShell Developer, commented:
DNS and the service you wish to provide fault tolerance for are on different servers?

If so, it makes the option with spinning up different name servers very difficult to implement as they would have to run in your office, not on the hosted server.

The best bet is to monitor the web service / connection status, and amend DNS accordingly (scripts, and very low TTLs). You can do that yourself if you like, or you can pay someone to do it for you (as mugojava suggested).

Shifting services around like this isn't something that comes easily, the next step up is full connection redundancy. Either with a single ISP who can provide fault tolerance, or by obtaining your own IP block, and setting up BGP. Neither is cheap or easy, but it removes your reliance on changing IP addresses.

Chris
abolinhas (Author) commented:
@ Chris-Dent - DNS and the service you wish to provide fault tolerance for are on different servers?
Yes

My primary address is 1.1.1.1 and my secondary IP is 2.2.2.2

So if I configure this scenario on my DNS server, will it work?


Type | Domain               | IP      | TTL
A    | webmail.mydomain.com | 1.1.1.1 | 600
A    | webmail.mydomain.com | 2.2.2.2 | 300

Best regards
expert_tanmay commented:
Absolutely right, abolinhas.
You have to have the following:

Type | Domain               | IP
NS1  | webmail.mydomain.com | 1.1.1.1
NS2  | webmail.mydomain.com | 2.2.2.2

On DNS 1.1.1.1:
Type | Domain               | IP      | TTL
A    | webmail.mydomain.com | 1.1.1.1 | 300

On DNS 2.2.2.2:
Type | Domain               | IP      | TTL
A    | webmail.mydomain.com | 2.2.2.2 | 300

regards
expert_tanmay commented:
NS1 and NS2 must be defined by your ISP.
Chris Dent, PowerShell Developer, commented:
> So if I configure this scenario on my dns server, he will work ?

No. That's round robin, the DNS server hands out answers in rotating order. DNS doesn't care about the service state.

expert_tanmay's option will work if you can get two instances of DNS installed on webmail itself (or something else on your network if you're using PAT).

NS1 and NS2 are defined by you, not your ISP, they have nothing at all to do with this. You might create this in the parent:

wm-ns1.mydomain.com.  IN A  1.1.1.1
wm-ns2.mydomain.com.  IN A  2.2.2.2

Along with the delegation in the parent zone:

webmail.mydomain.com.  IN NS  wm-ns1.mydomain.com.
webmail.mydomain.com.  IN NS  wm-ns2.mydomain.com.

If you don't fancy that then set up something to monitor the site (TCP 80 / 443) and have that modify or even replace the zone file should something fail (reloading DNS afterwards).

Chris
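As an added example (not code from the thread or from any poster), one monitor-and-rewrite pass for the last option above: probe the primary line on TCP 80/443, rewrite the delegated webmail.mydomain.com zone so it answers with the line that should be used, and reload BIND only when the answer actually changes. The zone file path, the hostmaster address, the use of `rndc reload` and the Unix-time SOA serial are assumptions; 1.1.1.1 / 2.2.2.2 are the thread's placeholders.

```python
import os
import socket
import subprocess
import time

PRIMARY_IP = "1.1.1.1"      # the thread's placeholder for the primary line
SECONDARY_IP = "2.2.2.2"    # the thread's placeholder for the secondary line
ZONE_FILE = "/var/named/webmail.mydomain.com.db"   # hypothetical path
TTL = 90                    # low TTL so resolvers pick up a change quickly

def tcp_open(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def render_zone(answer_ip, serial):
    """Minimal zone for the delegated name webmail.mydomain.com."""
    return "\n".join([
        f"$TTL {TTL}",
        f"@ IN SOA wm-ns1.mydomain.com. hostmaster.mydomain.com. "
        f"{serial} 3600 600 86400 {TTL}",
        "@ IN NS wm-ns1.mydomain.com.",
        "@ IN NS wm-ns2.mydomain.com.",
        f"@ IN A {answer_ip}",
    ]) + "\n"

def next_zone(existing, primary_up, serial):
    """New zone text if the published answer must change, else None."""
    wanted = PRIMARY_IP if primary_up else SECONDARY_IP
    if f"@ IN A {wanted}\n" in existing:
        return None            # already answering with the right line
    return render_zone(wanted, serial)

def run_once():
    """One monitor pass: probe the primary on 80/443, rewrite, reload."""
    up = tcp_open(PRIMARY_IP, 80) or tcp_open(PRIMARY_IP, 443)
    existing = open(ZONE_FILE).read() if os.path.exists(ZONE_FILE) else ""
    zone = next_zone(existing, up, int(time.time()))   # serial = Unix time
    if zone is None:
        return False
    with open(ZONE_FILE, "w") as f:
        f.write(zone)
    # assumes rndc is present on the BIND host; reload just this zone
    subprocess.run(["rndc", "reload", "webmail.mydomain.com"], check=False)
    return True
```

Run `run_once()` from cron every minute or so; the serial only moves when the answer flips, so a healthy primary causes no reloads.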
abolinhas (Author) commented:
The NS is the fixed IP of my dedicated hosting server.

@ Chris-Dent: - expert_tanmay's option will work if you can get two instances of DNS installed on webmail itself (or something else on your network if you're using PAT).
Yes, I have PATs to my mail server
Kent W, Sr. Network / Systems Admin, commented:
Trust me, go the best and easiest route.  Go to DNSMadeEasy.  Sign up for the small business plan, and buy a DNS failover record instance.  About 30 bucks a year, and it just works.
You'll spend twice that much in electricity to run a server for one month.
Any other way is really going to be kludged together.
Chris Dent, PowerShell Developer, commented:
> Yes, I have pats to my mail server

You need a name server running on each of the connections there as well.

To be blunt, if you don't understand DNS particularly well you're far better going with mugojava's suggestion. Whichever company you choose will be able to help you through it.

Setting up name servers in the manner suggested needs you to understand how to setup and run a DNS service, and a little of how delegation works.

Chris
abolinhas (Author) commented:
I'll try DNSMadeEasy, which was expert_tanmay's suggestion.

Just to share, I found this failover service too:
https://web.easydns.com/DNS_pro.php

Thanks, all of you.