RandomCoolGuy asked:
DNS Static Entries for Emergencies

My users need access to several 3rd-party Internet sites, even when DNS fails.  Some of these domains have very low DNS TTLs (<60 seconds), generally to facilitate a redundancy scheme.  

Let's use Amazon for a test case (15 second TTL).  Normally, I would like to use whatever IP Amazon gives me, but when upstream DNS fails and the cache expires 15 seconds later, I cannot get to Amazon, so I would like to go to a known IP for Amazon that I have previously looked up.  We forward DNS requests through an upstream hierarchy for security purposes, so I have little control of that architecture or maintenance outages.  I've had 2 this week.

For sites with TTLs of one day (standard), DNS caching protects against most DNS outages. I would like to be able to configure static address mappings to sites that get used ONLY if upstream DNS fails (i.e. server failure response).  I would prefer to manage this centrally on the DNS Server rather than having to use local hosts files and change the resolution order (hosts file AFTER DNS lookup).   Overriding the TTLs could make the cache persistent long enough to weather most outages, but seems pretty complicated to me.

Here is a concise scenario:
100 Clients use my DNS Server
My W2008 DNS Server forwards Amazon requests upstream
When DNS stops successfully returning an IP for amazon.com, I want "72.21.194.212" to be used.
I don't want to maintain 100 hosts files and change the resolution order on 100 hosts if there is a more centrally managed way.  Obviously automation (GPO etc.) could ease the process if I have to do it.

Any ideas?
SOLUTION
Mahesh
This solution is only available to members.
SOLUTION
(members only)
SOLUTION
(members only)
RandomCoolGuy (ASKER):
I'm evaluating the answers so far.  

The forwarder information, while useful, doesn't really address the point of a static stand-in, although it does address the use of the first forwarder preferentially when it is responsive.  

The pfSense caching is not useful if it honors TTL, and setting up a network firewall has downsides.  The project site is pretty vague on detailing features.  

The scripting options for the hosts-file workaround are under-developed.  They would essentially put the same entries in over and over (>>hosts).  I am planning on scripting changes to local hosts files if I can't put the static "stand-in" addresses on the server in a relatively straightforward manner.  

Thank you for the submissions.
ASKER CERTIFIED SOLUTION
(members only)
skullnobrains has the answer that best addresses the questions.  The key is the minimum TTL override setting.  I have found that SimpleDNS is probably the easiest to set up for this purpose in a Windows environment and also has the option of reading from a hosts file.  It costs < $100.  AnalogX has a neat client-side DNS proxy that makes simultaneous requests to multiple DNS servers and uses the first successful response back.  It also has a minimum TTL override and is free.
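The two mechanisms the thread settles on (a minimum-TTL override on the caching forwarder, plus a known-good "stand-in" address that is used only when every upstream returns a server failure) can be modelled in a few lines. This is an added illustration, not code from SimpleDNS, AnalogX or any poster; it assumes upstream lookups are plain callables (returning (ip, ttl), None for NXDOMAIN, or raising UpstreamFailure for SERVFAIL/timeout) and tries them in order rather than in parallel.

```python
import time


class UpstreamFailure(Exception):
    """Models SERVFAIL or a timeout from an upstream resolver."""


class FallbackCache:
    """Forwarding cache with two protections against upstream outages:
    answers are kept for at least min_ttl seconds regardless of the record's
    own TTL, and the last good answer (or a static stand-in) is served only
    when every upstream fails."""

    def __init__(self, min_ttl=3600, static=None, clock=time.time):
        self.min_ttl = min_ttl
        self.static = dict(static or {})  # name -> ip, used only on upstream failure
        self.clock = clock                # injectable so tests can advance time
        self.cache = {}                   # name -> (ip, expires_at)
        self.last_good = {}               # name -> most recent good ip

    def resolve(self, name, upstreams):
        """upstreams: callables name -> (ip, ttl), None for NXDOMAIN,
        or raising UpstreamFailure. Returns (ip, source)."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "cache"
        for ask in upstreams:             # first responsive upstream wins
            try:
                answer = ask(name)
            except UpstreamFailure:
                continue
            if answer is None:            # authoritative NXDOMAIN: never mask it with a stand-in
                return None, "nxdomain"
            ip, ttl = answer
            self.cache[name] = (ip, now + max(ttl, self.min_ttl))  # minimum TTL override
            self.last_good[name] = ip
            return ip, "upstream"
        if name in self.last_good:        # every upstream failed: serve the last known-good answer
            return self.last_good[name], "last-good"
        if name in self.static:           # never resolved before: use the configured stand-in
            return self.static[name], "static"
        raise UpstreamFailure(name)
```

The stand-in is deliberately not consulted for NXDOMAIN, only for server failures, which is the distinction the question draws.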