
A Record priority in DNS

Status
Not open for further replies.

Stevehewitt (IS-IT--Management), Jun 7, 2001
Hi Guys,

We recently launched a new remote access system (SSL VPN) to our sales team which has been working well. However our leased line went down which meant the service wasn't available.

We have a backup ADSL circuit on the firewall in front of our remote access system to provide redundancy for our site-to-site VPN. This worked pretty well, however the issue is that the DNS A record for the remote access system is pointing to the leased line interface, not the ADSL backup circuit.

As such I'm pondering the best way to have a failover DNS record in the event of another leased line failure. Similar to priorities for MX records.

I've been looking at DNS round-robin but I only really want traffic to go over the ADSL interface in the event of our leased line going down...

Any suggestions? Only perfect solution is to have a new A record (e.g. backupconnection.domain.com) pointing to the ADSL interface but as it's an SSL system I need a new cert which isn't ideal. Also requires end-users to do something too....

Anyone else got suggestions? E.g. if the client browses to it and it resolves to 0.0.0.0 yet the client can't connect, it will somehow try an alternative IP instead.... (ideally pulled from DNS)

Cheers,



Steve.

"They have the internet on computers now!" - Homer Simpson
 
Steve,
another possibility would be to use a low TTL value on the DNS A record, and when needed change the IP address to that of the backup line...
Of course this requires some manual work when the primary line fails.
A working solution could be built around some dynamic DNS service (Dyndns, No-ip, etc...)
The TTL of records in these services is very low (1 minute or so).
I was thinking you could install the dynamic DNS agent on one of the PCs or servers in your network. It would detect when your external IP changes (the IP facing the internet, i.e. when the backup line comes up). The client would then update the DNS record to the address of the backup line and that's it. No extra certs needed, dynamic and fairly simple to implement...

G.
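Added example (not code from the thread or from any dynamic DNS service) of the watcher G. describes: poll the site's external address and, when it flips between the leased-line and ADSL addresses, push the new value into the low-TTL A record. The two public addresses are constructed placeholders, and the poll source and the record updater are injected callables, so the logic runs offline; it also adds the check a practitioner would want, refusing to publish any address that is not one of the site's own circuits and requiring two consecutive polls before changing the record.

```python
from typing import Callable, List, Optional

PRIMARY_IP = "192.0.2.10"   # constructed placeholder: leased-line interface
BACKUP_IP = "192.0.2.20"    # constructed placeholder: ADSL backup interface
CONFIRMATIONS = 2           # consecutive polls required before flipping the record


class FailoverWatcher:
    """Decides when the A record should move between the two known circuits."""

    def __init__(self, primary: str, backup: str,
                 update_record: Callable[[str], None],
                 confirmations: int = CONFIRMATIONS) -> None:
        self.known = {primary, backup}          # only these may ever be published
        self.update_record = update_record      # hypothetical DDNS update call
        self.confirmations = confirmations
        self.published: Optional[str] = None    # what the A record holds now
        self._candidate: Optional[str] = None   # address seen on recent polls
        self._seen = 0

    def observe(self, external_ip: str) -> Optional[str]:
        """Feed one poll result; return the new record value if one was pushed."""
        # A bogus poll result must never redirect the VPN hostname elsewhere,
        # so anything other than our own two addresses resets the debounce.
        if external_ip not in self.known or external_ip == self.published:
            self._candidate, self._seen = None, 0
            return None
        if external_ip != self._candidate:
            self._candidate, self._seen = external_ip, 1
        else:
            self._seen += 1
        if self._seen < self.confirmations:
            return None
        self.update_record(external_ip)         # record now points at this circuit
        self.published = external_ip
        self._candidate, self._seen = None, 0
        return external_ip


def simulate(polls: List[str]) -> List[str]:
    """Run a constructed poll sequence through the watcher; return pushed updates."""
    pushed: List[str] = []
    watcher = FailoverWatcher(PRIMARY_IP, BACKUP_IP, pushed.append)
    for ip in polls:
        watcher.observe(ip)
    return pushed


if __name__ == "__main__":
    # Constructed sequence: leased line up, one bad poll, failover to ADSL, then back.
    print(simulate([PRIMARY_IP, PRIMARY_IP, "198.51.100.7",
                    BACKUP_IP, BACKUP_IP, PRIMARY_IP, PRIMARY_IP]))
```

In a real deployment the poll source would be the agent's external-IP lookup and the updater the dynamic DNS provider's update call; the interval and confirmation count should be tuned to the record's TTL.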
 
Use a public IP address that isn't bound to a physical router interface. Then let BGP handle the failover.
 
I would consider using HSRP; it's designed for this kind of problem.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
As he presses submit too soon...

You'll obviously need to tie in some dynamic routing with it!

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
This is a similar problem I had with HSRP and load balancing with NAT. I ended up NATting to a loopback address and putting floating static routes in the edge router as well as the ISP router connecting to the edge (lab). Worked like a charm.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Cheers for all the replies guys. HSRP isn't an option as the ISP connections I'll be using will be leased lines from 2 different ISPs. (Redundancy reasons...)

I think I'm going to chicken out and create a new A record in DNS for one of the IP addresses on the backup circuit. (backupwebsite.domain.com) If there's an outage the guys will simply have to type in a different URL to access the remote system.

Cheers again,


Steve.

"They have the internet on computers now!" - Homer Simpson
 