Dual WAN router, update bind9 behind NAT with current connection

Printable View

10-13-2010
gtr33m

Dual WAN router, update bind9 behind NAT with current connection

Hi,

I've got a dual WAN router (linksys RV082) with 2 static ip addresses.

I have a variety of serves behind the router, including web, mail, and my own bind9 dns hosting a bunch of my own domains. They router has NAT enabled and uses port forwarding to direct to the correct servers internally.

My domains have 2 mx records and 2 ns records, one for each of my static IP addresses, but which in reality point to the same servers. so MX1 and MX2 point to the same mail server and NS1 and NS2 point to the same name server, though through 2 different public IPs.

My problem and question revolves around my bind9 name server when my primary internet connection is down. Because of the 2 mx and ns records, I am able to reach the mail server and dns server ok, but the ip address that the name server resolves for any server is the primary one, which is down. So even though I have backup internet connection, you can't reach my web server without using the ip address.

What I am after is a script or method, perhaps using nsupdate and ddclient, which will dynamically update some ns records on my dns server whenever the primary connection is down, and conversely when it comes back up.

The linksys box is a linux based box, but I'm not sure that it allows much querying. It does have a dyndns.org feature, which I have activated, but each WAN port registers to a seperate dyndns.org domain, so WAN1 is mydomain.dyndns.biz and WAN2 is mydomain2.dyndns.biz.

The other idea would be a script to check a site like whatismyip.com to get my puplic ip address and update accordingly.

Not sure how to accomplish this, any help would be appreciated.

Thanks,

Mark
10-15-2010
maciejgalkiewicz

Are you sure that bind returns only one IP address for mail server? In my opinion resolvers should get both addresses and if the first one fails the mail client uses the other one.
10-17-2010
gtr33m

No it gets both for the mail server, and the backup for mail works fine, it's other protocols like www and ftp that I'm trying to resolve.

Somone on the ubuntu forums, suggested multiple A records for the same host which does seem to work, the problem is the delay. I would guess that a client web browser tries the first address, waits for a timeout, then tries the second.

Like I said, this does work, but depending on the timeout, it can take quite a while. I was thinking that there would be a script that could check regularly for connection and update the records accordingly.
10-18-2010
maciejgalkiewicz

For http traffic use load balancer (haproxy). I assume that for ftp there is something similar. It actually does not solve your problems:/ If the timeout is not acceptable I don' have better ideas. Try multiple DNS records as they said on the other forum.
10-18-2010
Kloschüssel

There are two to three possible solutions:

1 - multiple IPs in your DNS records (won't work 100% as the client always has the option to decide which server he wants to use)
2 - rent a external gateway server that does load balancing or change the route when one connection fails; you would hide both your internet connections transparently

"Fake solutions" are:

tinkering with DNS records like updating your dns records locally. why is this no solution? dns requests are cached by ISPs, endusers and several other authorities; when you change the DNS record it can take up to 24hours until everyone on the whole world got the updated record. the same problem applies to dynamic dns solutions. even though the downtime there is much less because they give dns resolution requests a much smaller timeouts such that the client that once requested an IP is informed to cache that IP only for a small amount of time.

if you really want to change the dns records on your server, you also need to manipulate the dns timeout. then the downtime of your service is exactly the timeout time. which would be the "solution" number 3.
10-19-2010
gtr33m

I'll have a look at both haproxy and tinkering with my DNS records. The timeout doesn't worry my overly, I can set it to quite a low interval with no real negative side affects that I can see.

Out site is not high traffic or high load, mostly email and internal stuff. FTP is inconsequential, I'm probably the only person that uses it and I have both IP addresses.

Thanks for the advice.

Regards,

Mark
10-19-2010
Kloschüssel

I'm glad we were able to help you.

Just remember that you have to test services where you can suffer from data-loss due to network failure (i.e. e-mail is such a critical service).

greetings,
d.
10-20-2010
gtr33m

Had a look at HAProxy, and it's overkill for what I'm trying to accomplish.

My traffice is very low, I just want something as a failover for when one of the internet connections is down.

Mail works fine as is. MX1 and MX2 point to the same server with the 2 different IP addresses and never has any issues.