  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 588

DNS Static Entries for Emergencies

My users need access to several 3rd-party Internet sites, even when DNS fails. Some of these domains have very low DNS TTLs (<60 seconds), generally to facilitate a redundancy scheme.

Let's use Amazon for a test case (15 second TTL). Normally, I would like to use whatever IP Amazon gives me, but when upstream DNS fails and the cache expires 15 seconds later, I cannot get to Amazon, so I would like to go to a known IP for Amazon that I have previously looked up. We forward DNS requests through an upstream hierarchy for security purposes, so I have little control of that architecture or maintenance outages. I've had 2 this week.

For sites with TTLs of one day (standard), DNS caching protects against most DNS outages. I would like to be able to configure static address mappings to sites that get used ONLY if upstream DNS fails (i.e. server failure response). I would prefer to manage this centrally on the DNS server rather than having to use local hosts files and change the resolution order (hosts file AFTER DNS lookup). Overriding the TTLs could make the cache persistent long enough to weather most outages, but seems pretty complicated to me.

Here is a concise scenario:
100 clients use my DNS server.
My W2008 DNS server forwards Amazon requests upstream.
When DNS stops successfully returning an IP for amazon.com, I want "72.21.194.212" to be used.
I don't want to maintain 100 hosts files and change the resolution order on 100 hosts if there is a more centrally managed way. Obviously automation (GPO etc.) could ease the process if I have to do it.

Any ideas?
Asked by: RandomCoolGuy

4 Solutions
 
Mahesh (Architect) Commented:
Generally, if you want redundancy in case of forwarders, you should define multiple public DNS server IPs on the forwarders tab if you have them.
If the 1st server in the forwarders list fails / times out, DNS will forward its query to the next forwarder IP.

The order of the IP addresses listed as forwarders on a DNS server determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address, it waits a short period for an answer from that forwarder (according to the DNS server's time out setting) before resuming the forwarding operation with the next IP address. It continues this process until it receives an affirmative answer from a forwarder.
http://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx
 
Natty Greg (In Theory (IT)) Commented:
Build a cache server; easy to do with pfSense. They will have access to these websites all the. The cache server will update these sites periodically.
 
dan_blagut Commented:
Hello

If you have only some sites on this list you can use the hosts file (c:\windows\system32\drivers\etc\hosts). You can modify that file by script.
Here is how: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23790188.html

Dan
 
RandomCoolGuy (Author) Commented:
I'm evaluating the answers so far.

The forwarder information, while useful, doesn't really address the point of a static stand-in, although it does address the use of the first forwarder preferentially when it is responsive.

The pfSense caching is not useful if it honors TTL, and setting up a network firewall has downsides. The project site is pretty vague on detailing features.

The scripting options for the hosts-file workaround are under-developed. They would essentially put the same entries in over and over (>>hosts). I am planning on scripting changes to local hosts files if I can't put the static "stand-in" addresses on the server in a relatively straightforward manner.

Thank you for the submissions.
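The author's objection to the hosts-file scripts is that they blindly append (`>>hosts`), so every run adds a duplicate line. An idempotent merge avoids that: it owns only lines carrying a marker comment, replaces them in place, and leaves everything else in the file alone. This is an added example, not code from the thread; the stand-in table, the `# standin` tag and the sample hosts content are constructed, and the Windows path is the one named in the thread.

```python
import re

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # path named in the thread
TAG = "# standin"  # constructed marker; only lines ending with it are managed


def merge_standins(hosts_text, standins, tag=TAG):
    """Return hosts_text with exactly one tagged line per stand-in name.

    Tagged lines for names still in `standins` are rewritten in place, tagged
    lines for names no longer wanted are dropped, and untagged lines (localhost,
    hand-made entries, comments) pass through untouched. Running it twice on
    the same input yields the same output, so no duplicates accumulate.
    """
    managed = {name.lower(): ip for name, ip in standins.items()}
    seen = set()
    out = []
    for line in hosts_text.splitlines():
        if line.rstrip().endswith(tag):
            fields = line.split()
            name = fields[1].lower() if len(fields) >= 2 else None
            if name in managed:
                out.append(f"{managed[name]}\t{name}\t{tag}")
                seen.add(name)
            continue  # stale managed entry: drop it
        out.append(line)
    for name in sorted(managed):
        if name not in seen:
            out.append(f"{managed[name]}\t{name}\t{tag}")
    return "\n".join(out) + "\n"


def update_hosts_file(standins, path=HOSTS_PATH):
    """Merge stand-ins into the live hosts file (needs an elevated shell on Windows)."""
    with open(path, "r", encoding="utf-8") as fh:
        current = fh.read()
    merged = merge_standins(current, standins)
    if merged != current:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(merged)
    return merged != current  # True if the file was changed


if __name__ == "__main__":
    # Constructed sample: one existing managed line plus the usual localhost entry.
    sample = "127.0.0.1 localhost\n72.21.194.212\tamazon.com\t# standin\n"
    print(merge_standins(sample, {"amazon.com": "72.21.194.212", "example.org": "198.51.100.7"}))
```

A scheduled task can call `update_hosts_file` with the current stand-in table; the marker makes the managed block easy to audit and to remove again.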
 
skullnobrains Commented:
I assume you're not allowed to use other DNS servers.

One idea could be to stick a small DNS caching server that can ignore DNS TTLs. For example maradns has a min_ttl setting that will force all entries in the cache to be cached for at least so long. This is not perfect, as when the DNS works, some queries will not be resolved (answered from cache) while they should. This should not be much of a problem, though, unless you use a really long setting.

One idea could be to stick a small cache and allow it to failover to some known-to-work DNS server (4.2.2.1-6, OpenDNS, Google...) only when your "normal" DNS is out of order. This might be acceptable to your hierarchy. If not, you can forward queries to a secondary server that has that set of addresses hardcoded (dnsmasq is a good choice for such uses as it can read a hosts table which should be reasonably easy to maintain).

You can also use dnsmasq alone, and rewrite the hosts file periodically with a small script that will pull the proper addresses from the DNS. If multiple addresses are found in the hosts file for the same ip, dnsmasq will present them in round robin fashion. This approach will be easy to set up and should not be too intrusive either.

There are many other ways to achieve your exact goal or something similar, but unfortunately I do not know of a simpler one. It would definitely be a nice feature to have in a DNS cache the capability to keep in cache entries for longer than the TTL and answer with the cached value when the upstream server is dead.
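The behaviour wished for in the last paragraph (keep records past their TTL and answer from them only while upstream is dead) is what later resolvers call "serve-stale" (RFC 8767). The following added example, not code from the thread or from any of the products it names, shows the decision logic of such a cache together with the minimum-TTL floor and a last-resort static stand-in table. The upstream resolver is injected as a function so the example runs offline; the upstream answer 198.51.100.10 and the fake clock are constructed, the stand-in IP is the one from the question.

```python
import time

# Constructed stand-in table (the question's value for amazon.com).
STATIC_STANDINS = {"amazon.com": ["72.21.194.212"]}


class StaleSafeCache:
    """Caching layer that prefers upstream, then stale cache, then static stand-ins.

    `upstream(name)` returns (ips, ttl_seconds) or raises on failure.
    `min_ttl` floors every TTL (like maradns' min_ttl); `max_stale` bounds how
    long an expired record may still be served while upstream is unreachable.
    """

    def __init__(self, upstream, min_ttl=300, max_stale=86400, now=time.time):
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.max_stale = max_stale
        self.now = now                # injectable clock for testing
        self.cache = {}               # name -> (ips, expires_at)

    def resolve(self, name):
        """Return (ips, source) where source is upstream, cache, stale or static."""
        now = self.now()
        entry = self.cache.get(name)
        if entry and entry[1] > now:          # fresh (TTL floored by min_ttl)
            return entry[0], "cache"
        try:
            ips, ttl = self.upstream(name)
        except Exception:                     # upstream dead or timed out
            if entry and entry[1] + self.max_stale > now:
                return entry[0], "stale"      # expired but within max_stale
            if name in STATIC_STANDINS:
                return STATIC_STANDINS[name], "static"
            raise                             # nothing known: report failure
        self.cache[name] = (ips, now + max(ttl, self.min_ttl))
        return ips, "upstream"


if __name__ == "__main__":
    clock, up = [1000.0], {"ok": True}

    def fake_upstream(name):                  # constructed 15 s TTL answer
        if not up["ok"]:
            raise OSError("upstream timeout")
        return ["198.51.100.10"], 15

    c = StaleSafeCache(fake_upstream, min_ttl=300, max_stale=3600, now=lambda: clock[0])
    print(c.resolve("amazon.com"))            # from upstream
    up["ok"] = False; clock[0] += 400
    print(c.resolve("amazon.com"))            # stale answer while upstream is down
```

The floor on TTL means a changed upstream address is picked up late by up to `min_ttl`, which is the trade-off skullnobrains describes; keep it short and let `max_stale` cover the outage window instead.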
 
RandomCoolGuy (Author) Commented:
skullnobrains has the answer that best addresses the questions. The key is the minimum TTL override setting. I have found that SimpleDNS is probably the easiest to set up for this purpose in a Windows environment and also has the option of reading from a hosts file. It costs < $100. AnalogX has a neat client side DNS proxy that makes simultaneous requests to multiple DNSs and uses the first successful response back. It also has a minimum TTL override and is free.