How to configure DNS for WAN failover

[iLinkTech]

Hi,

We host our own mail and provide our external users access via web mail. Our DNS records for the mail system are hosted by our ISP. External users are able to type "mail.domainname.com" to access their email.

We recently added a 2nd WAN connection from a different provider in order to have some failover when the primary WAN link goes down. What we would like is to be able to have our DNS records modified to enable failover to the 2nd WAN link's IP address if mail from an external domain is sent to our domain. We would also like to enable failover for our webmail users so they can use the same URL to access the web mail if the primary WAN link is down.

I asked our ISP if they could do this; they said that they could configure our records in such a manner to where external mail would failover but webmail users would have to use a different URL like "mail2.domainname.com". This isn't going to work overly well for my users - anyone have any suggestions? I've seen some articles on round-robin DNS which seem to contradict the tech at the ISP but I'm looking for other opinions, experiences, etc before I call them on it.

Thanks...

 

[hercj]

If you look at what google, yahoo, etc. do for dns. You will find that they have multiple address listings for one domain eg:

http://www.google.com

nslookup

http://www.google.com

Non-authoritative answer:
Name:

http://www.l.google.com

Addresses: 64.233.161.147, 64.233.161.99, 64.233.161.104
Aliases:

http://www.google.com

As I understand it it is not that hard to do this.

 

[iLinkTech]

I figured that you could do it - I'm wondering if it matters that our 2nd WAN link is on a different subnet...

Thanks for the example - I'll be calling them back with this information to see what they have to say...

 

[hercj]

It should not matter. The DNS resolution happens before any routing. If you want to learn more about DNS you will find thess websites useful

http://www.zytrax.com/books/dns/

http://www.howtoforge.com/traditional_dns_howto

 

[shadedecho]

you have two issues at play as you identified...

one is the routing of email traffic (smtp-based, on port 25, for instance)... this is the where having multiple MX records, with various priority levels, is useful. You should have one (or more) MX records in your DNS at your ISP which point to the mail server via the WAN1 connection. In the event that it(they) fail(s), the lower priority MX records will be used, and mail will get delivered via the settings for the WAN2 connection. This should safely guarantee that email coming from outside-in always gets routed to the mail server. Your ISP's DNS should allow you to set up multiple MX records... assign lower numbers (5,10,etc) to the WAN1 related MX records, and something like 20 or 30 to the ones for WAN2.

the secondary issue you have at play, which is a little more difficult to solve, is what happens to external users who type in your webmail HTTP URL address when WAN1 is down. Again, you can enter in multiple A records for webmail.mydomain.com. But the default behavior will likely be a dumb round-robin approach, meaning it will not intelligently fail-over, it will be that some requests to the DNS will respond with WAN1 based info and some will respond with WAN2 based info. This is most likely NOT what you want in this case.

unforuntately, i rather doubt that your ISP would let you install intelligent web load-balancing stuff on their servers.

you could perhaps have some sort of script written inside of a custom DNS server instance which checked the WAN(1 or 2) connection to make sure it was alive first, before responding with that particular set of A records.

Or you could have dynamic DNS (DNS with really short timeouts) setup on the ISP server, and a script (perl, etc) which polled it's WAN connection to you every minute, 5 minutes, 10 minutes, whatever, and if it was down, simply disabled (temporarily) the appropriate A records, and then re-enabled them once the WAN1 link comes back up. This complexity can go on ad infinitum and is probably a can of worms you are best to leave alone.

another way you could use dynamic DNS to solve this problem would be to have an external DDNS system, like ZoneEdit or DynDNS, which took care of resolving information for your webmail URL (and probably the MX records too!). You would then have a client program inside your company (on or behind the firewall) which was checking the WAN1 and WAN2 connections... if WAN1 goes down, it could, using the still alive WAN2 link, contact the dynamic DNS system and update the records so that subsequent external DNS requests will all be served WAN2 related info. this approach has the added benefit of being independent of your ISP, so more redundant/fail-safe.

Of course, the most obvious thing I feel I need to point out about this whole situation is that the assumption is that your ISP's DNS server stays up even though their WAN1 link to you goes down. Obviously, this can happen, but it's more likely their DNS will go down too, in which case none of what we discussed, except for my last note about external dynamic DNS, is even relevant.

 

[skotman]

ewallig, check out

http://www.astrocorp.com.

They sell a device that does exactly what your looking for. I have it at several of my client sites. Just point your authoritative DNS to it and configure accordingly.

If WAN1 goes down, this device will see that and start advertising the IP WAN2.

Scott Heath

http://www.scottspad.com

AIM: orange7288
SprintPCS ReadyLink? IM ME