From owner-freebsd-questions@FreeBSD.ORG Sun Apr 29 13:13:02 2007
Message-ID: <463499CA.2040709@infracaninophile.co.uk>
Date: Sun, 29 Apr 2007 14:12:42 +0100
From: Matthew Seaman
Organization: Infracaninophile
User-Agent: Thunderbird 2.0.0.0 (X11/20070420)
To: freebsd
Cc: FreeBSD Questions
References: <000301c78a3e$0e804040$0637a8c0@Enigma>
In-Reply-To: <000301c78a3e$0e804040$0637a8c0@Enigma>
Subject: Re: Load balancing DNS
List-Id: User questions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

freebsd wrote:
> I need to set up 2 DNS servers and I would like these to be visible as a
> single IP address.
> Using CARP I'm able to obtain failover capabilities, but I need load
> balancing also. Any ideas other than putting another server in front of
> my machines?
> The DNS IP address will be hardcoded in some hundreds of devices and I
> cannot use a secondary DNS...

Given that you're running DNS, which is primarily a UDP thing and not
stateful, you can stick the public IP of your DNS on a firewall gateway
box running pf, have as many servers behind it as you need to cover the
load, and use the 'round-robin' feature of the rdr command in pf to
distribute incoming queries over your servers.  You'll also need to use
NAT so the return packets end up with the correct source address on
them.  See:

    http://www.openbsd.org/faq/pf/pools.html

Note that this only gives you load balancing statistically -- based on
the number of packets rather than the actual load on the servers.  Also,
it does not provide any sort of high-availability features: if one of
your back-end servers goes down, the firewall will still pump packets to
it even though there's nothing there to respond.  You can use CARP or
wackamole to ensure that the IPs in question are always configured on a
machine that can answer.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGNJnK8Mjk52CukIwRCETfAJ9YXz0GNQQxfo0tq578+cMM6try3wCfX0Ih
QaCfz+Toev2LqEqamJwS0h4=
=x7BA
-----END PGP SIGNATURE-----
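The setup Matthew sketches (rdr round-robin over a table of back-end resolvers, plus NAT so replies come back through the gateway), written out as a pf.conf fragment. This is an added example, not code from the thread or from the OpenBSD FAQ it links to; the interface names, the 192.0.2.53 public address, the 10.0.0.x resolver addresses and the table name dns_servers are all assumptions, and the syntax is the pre-4.7 pf grammar that FreeBSD 6.x and OpenBSD 4.x of that era used.

```conf
# Added example (not from Matthew's message or the OpenBSD FAQ): pf.conf
# fragment for a FreeBSD 6.x / OpenBSD 4.x gateway that owns one public DNS
# address and spreads the queries over two resolvers behind it.
# Interface names, addresses and the table name are assumptions.
ext_if  = "em0"          # public side; carries the address the clients have hard-coded
int_if  = "em1"          # side facing the resolvers
dns_vip = "192.0.2.53"   # the hard-coded resolver address (make it a carp(4) address for failover)

# The back-end resolvers.  A table can be edited at run time with pfctl(8),
# so a health-check job can pull a dead server out without reloading the rules.
table <dns_servers> persist { 10.0.0.11, 10.0.0.12 }

# Source NAT on the inside so replies are forced back through this box, where
# the rdr state rewrites the source back to $dns_vip.  Only needed if the
# resolvers would otherwise route replies around the gateway; the price is
# that the resolvers see the gateway, not the real client, in logs and ACLs.
nat on $int_if proto { udp, tcp } from any to <dns_servers> port 53 -> ($int_if)

# Round-robin redirection: each new state goes to the next entry in the table.
# TCP is included because a truncated UDP answer makes the client retry on TCP 53.
# Do not add 'sticky-address' here: it pins each client to one server, which
# defeats the purpose when a few busy forwarders generate most of the queries.
rdr on $ext_if proto { udp, tcp } from any to $dns_vip port 53 -> <dns_servers> round-robin

# Filter rules see the post-rdr destination, so match on the table, not the VIP.
# The state entry created here also matches the reply on its way back out.
pass in  quick on $ext_if proto { udp, tcp } from any to <dns_servers> port 53 keep state
pass out quick on $int_if proto { udp, tcp } from any to <dns_servers> port 53 keep state
```

Check the syntax with `pfctl -n -f /etc/pf.conf` before loading it, and watch the distribution with `pfctl -s states`. Two caveats a practitioner should keep in mind. First, pf's round-robin chooses a server per new state, not per packet: a client that sends every query from one fixed source port (older resolvers and forwarders do) keeps its UDP state alive and stays on one back end until that state times out, so the spread is across clients rather than across queries. Second, as Matthew says, nothing here notices a dead resolver; the minimum is a cron job that probes each back end and runs `pfctl -t dns_servers -T delete 10.0.0.12` (and `-T add` when it recovers) so the table only ever lists servers that answer.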